FilterLoad error 0x800700A1

I am developing a minifilter driver and a user-mode test program on my Vista machine. The minifilter driver is not complete yet but I wanted to be sure I could load it before writing too much more code. The minifilter driver does have a DriverEntry() function, a FilterUnloadCallback function, an InstanceSetupCallback function and an InstanceQueryTeardownCallback function. As far as I can tell, my DriverEntry function is not getting called.

My user-mode test program is attempting to load the minifilter via the FilterLoad API and is getting an error return value of 0x800700A1 (ERROR_BAD_PATHNAME?). I have used AdjustTokenPrivileges to set the SeLoadDriverPrivilege on. When I use fltmc.exe from the command prompt (I selected Run As Administrator) to load the minifilter, it gets the same error.

I have put my Vista machine into TestMode via BCDEdit. I have created a test certificate store and a test certificate. I have signed (SignTool.exe) the minifilter driver itself (not a .cab file) with the test certificate and installed it with an INF file (right-click install) that I wrote. I have compared my registry entries to those of an OEM minifilter and they appear to be the same. The ImagePath key value is indeed "system32\DRIVERS\SPIMiniFilter.sys" and my minifilter driver is indeed in C:\Windows\System32\drivers. (Does the case matter in the path?).

Here's my INF File:

;;==============================================================================
;;
;; SPIMiniFilter.inf - Installation File.
;;
;; Copyright (c) 2010, Software Pursuits, Inc. All Rights Reserved.
;;
;;==============================================================================

[Version] ;Specify driver type by class and GUID.
Signature = "$WINDOWS NT$"
Class = ActivityMonitor ;Hopefully this is the right class for our mini filter driver.
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
Provider = %SPI%
DriverVer = 07/13/2010,7.0.1.0
;DriverPackageType = FileSystemMinifilter ;For DIFx (ChkInf complained about this, so I commented it out)
CatalogFile = SPIMFltr.cat ;Allegedly we should leave this blank, but ChkINF complains.

;;
;; The SourceDisksNames section specifies the distribution media to be used.
;;

[SourceDisksNames]
1 = %DistMedia%

;;
;; The SourceDisksFiles section names the source files that are used during installation,
;; identifies the installation disks that contain those files, and provides the directory
;; paths, if any, on the distribution disks that contain individual files.
;;

[SourceDisksFiles.x86]
SPIMiniFilter.sys = 1 ;1 = disk ID from SourceDiskNames section.

[SourceDisksFiles.amd64]
SPIMiniFilter.sys = 1 ;1 = disk ID from SourceDiskNames section.

;;
;; Define the target destination directory using dirids (Directory IDs).
;;

[DestinationDirs] ;Specify the destination directories.
DefaultDestDir = 12 ;12=%SystemRoot%\system32\drivers
FileListSection = 12

;;
;; The DefaultInstall section is accessed if a user selects the "Install" menu item
;; after right-clicking on the INF file name.
;;

[DefaultInstall]
OptionDesc = %Description%
CopyFiles = FileListSection ;Copies file to the default destination directory.

;;
;; The DefaultInstall.Services section is used in conjunction with the DefaultInstall
;; section to define how and when the driver is loaded.
;;

[DefaultInstall.Services]
AddService = SPIMiniFilter,SPIMFInstall,SPIMFEvtLog,System,SPIMiniFilter

;;
;; Install section referenced by DefaultInstall.Services section.
;;

[SPIMFInstall]
DisplayName = %FriendlyName%
Description = %Description%
ServiceType = 0x00000002 ;SERVICE_FILE_SYSTEM_DRIVER
StartType = 0x3 ;(SERVICE_DEMAND_START)
ErrorControl = 0x1 ;(SERVICE_ERROR_NORMAL)
ServiceBinary = %12%\SPIMiniFilter.sys ;path = %windir%\system32\drivers
StartName = SPIMiniFilter ;driver object name.
LoadOrderGroup = "FSFilter Activity Monitor"
Dependencies = FltMgr
AddReg = SPIMFRegistry ;Registry section

;;
;; Registry Section
;;

[SPIMFRegistry]
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%

;;
;; Event log section referenced by DefaultInstall.Services section.
;;

[SPIMFEvtLog]
AddReg = SPIMFEvtLogReg ;reference the SPIMFEvtLogReg section.

;;
;; Event log registry section referenced by SPIMFEvtLog section.
;; HKR = HKLM\System\CurrentControlSet\Services\EventLog\
;;

[SPIMFEvtLogReg]
HKR,EventMessageFile,0x00020000,"%%SystemRoot%%\System32\IoLogMsg.dll;%%SystemRoot%%\System32\drivers\SPIMiniFilter.sys"
HKR,TypesSupported,0x00010001,7

;;
;; The DefaultUninstall section contains information for removing files and
;; registry entries when the minifilter driver is uninstalled.
;;

[DefaultUninstall]
DelFiles = FileListSection

[FileListSection]
SPIMiniFilter.sys,0x00010000 ;(DELFLG_IN_USE1)

;;
;; The DefaultUninstall.Services section specifies driver services to be
;; removed when the driver is uninstalled.
;;

[DefaultUninstall.Services]
DelService = SPIMiniFilter,0x00000200 ;(SPSVCINST_STOPSERVICE)

;;
;; The Strings section defines strings that are referenced elsewhere in this
;; INF file by their symbolic names (eg %SPI%).
;;

[Strings]
FriendlyName = "SPI Minifilter Driver"
Description = "Software Pursuits minifilter driver"
SPI = "Software Pursuits, Inc."
;DistMedia = "Software Pursuits Web Site"
DistMedia = "C:\SourceSafe\SPIShared\SPIMiniFilter\Install"

DefaultInstance = "SPIMiniFilter - Default Instance"
Instance1.Name = "SPIMiniFilter - Instance1"
Instance1.Altitude = "363300" ; This is our official Altitude as assigned by Microsoft!
Instance1.Flags = 0x1 ; Suppress automatic attachments

; End of file SPIMiniFilter.inf

I hope I have included all the relevant information. Can anybody please tell me what I am doing wrong? Thanks in advance for your help.

What I normally do in such cases is copy the INF from a WDK sample and start
incrementally filling it with data from my INF (one line or so at a time)
and see where something breaks.

Also, could you please paste the registry key for your driver?

You might want to check the system event log, sometimes the information in
there has slightly more information about why something fails…

Thanks,
Alex.

You may want to check if the driver is installed correctly. You can just load
the driver using the fltmc load command from your DOS box.
Please check if it gets loaded.

On Wed, Oct 6, 2010 at 8:36 AM, wrote:

> I am developing a minifilter driver and a user-mode test program on my
> Vista machine. The minifilter driver is not complete yet but I wanted to be
> sure I could load it before writing too much more code. The minifilter
> driver does have a DriverEntry() function, a FilterUnloadCallback function,
> an InstanceSetupCallback function and an InstanceQueryTeardownCallback
> function. As far as I can tell, my DriverEntry function is not getting
> called.

I have just tried fltmc.exe and I got the same error: 0x800700A1. At least it’s consistent!

Here's what my registry looks like:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPIMiniFilter
(Default) REG_SZ (value not set)
DependOnService REG_MULTI_SZ FltMgr
Description REG_SZ Software Pursuits Minifilter Driver
DisplayName REG_SZ Software Pursuits Minifilter Driver
ErrorControl REG_DWORD 0x00000001 (1)
Group REG_SZ FSFilter Activity Monitor
ImagePath REG_EXPAND_SZ system32\DRIVER\SPIMiniFilter.sys
ObjectName REG_SZ SPIMiniFilter
Start REG_DWORD 0x00000003 (3)
Tag REG_DWORD 0x0000000a (10)
Type REG_DWORD 0x00000002 (2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPIMiniFilter\Enum
(Default) REG_SZ (value not set)
Count REG_DWORD 0x00000000 (0)
INITSTARTFAILED REG_DWORD 0x00000001 (1)
NextInstance REG_DWORD 0x00000000 (0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPIMiniFilter\Instances
(Default) REG_SZ (value not set)
DefaultInstance REG_SZ FileLocking

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPIMiniFilter\Instances\FileLocking
(Default) REG_SZ (value not set)
Altitude REG_SZ 363300
Flags REG_DWORD 0x00000001 (1)

Sorry about the formatting. I would have cut and pasted screen shots if I could. I am still working on Alex’s suggestion (Thanks Alex!) to start out with a WDK sample INF file and go from there.

Thanks again to everyone!

I’m sorry, at a high level I don’t see anything wrong.

I can offer another suggestion though, which is to use procmon to see which
files and registry keys the SCM is looking for (and at) while trying to
start your driver…

Thanks,
Alex.

Perhaps because you are missing an 's' at the end of 'Driver' in ImagePath?

Satya
http://www.winprogger.com

Satya, I checked my registry and there is an ‘s’ at the end of DRIVER in the ImagePath subkey. The listing above was copied by hand and I undoubtedly made a typo. But I appreciate your good eyes! Thanks for the help! -Ed

I think we may have an answer for this one. I have had to enlist Microsoft and they were very helpful. It turns out that my driver was getting loaded and then unloaded right away.

There were two problems:

  1. The port name that I was supplying to the FltCreateCommunicationPort API did not start with a backslash (e.g. L"\PortName"). The port name is supplied in the OBJECT_ATTRIBUTES structure and the OBJECT_ATTRIBUTES structure is supplied to FltCreateCommunicationPort.

  2. My INF file contained the StartName directive in the Install section referenced by the AddService directive in the [DefaultInstall.Services] section. I commented out StartName and the problem went away.

Thanks to all who helped point me in the right direction and to Microsoft’s excellent Tech Support person whose privacy I will protect by not naming him.
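
A check for the second problem in the resolution above, together with a decoder for the HRESULT in the thread title. This is an added example, not code from the thread or from Microsoft: the sample INF is constructed by cutting down the one posted, and the function names are hypothetical.

```python
import re

# Constructed sample: service sections cut down from the INF posted in this thread.
SAMPLE_INF = r'''
[DefaultInstall.Services]
AddService = SPIMiniFilter,SPIMFInstall,SPIMFEvtLog,System,SPIMiniFilter

[SPIMFInstall]
ServiceType   = 0x00000002            ;SERVICE_FILE_SYSTEM_DRIVER
ServiceBinary = %12%\SPIMiniFilter.sys
StartName     = SPIMiniFilter         ;driver object name.
'''

DRIVER_TYPES = {1, 2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER

def decode_hresult(hr):
    """Split an HRESULT into (failed, facility, code)."""
    # For 0x800700A1: facility 7 is FACILITY_WIN32, code 161 is ERROR_BAD_PATHNAME.
    return bool(hr & 0x80000000), (hr >> 16) & 0x7FF, hr & 0xFFFF

def parse_inf(text):
    """Return {section_lower: [(key_lower, value), ...]} with ';' comments removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        # Drop a ';' comment unless the ';' sits inside a double-quoted string.
        line = re.sub(r'("[^"]*")|;.*', lambda m: m.group(1) or "", raw).strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def find_startname(text):
    """List (service, install_section, StartName) for driver-type services."""
    sections, hits = parse_inf(text), []
    for name, entries in sections.items():
        for key, value in entries:
            if not name.endswith(".services") or key != "addservice":
                continue
            fields = [f.strip() for f in value.split(",")]
            # Accept any AddService field that names a section holding a
            # ServiceType entry, so the line as posted here also resolves.
            for cand in fields[1:]:
                install = dict(sections.get(cand.lower(), []))
                if (int(install.get("servicetype", "0"), 0) in DRIVER_TYPES
                        and "startname" in install):
                    hits.append((fields[0], cand, install["startname"]))
    return hits
```

Running `find_startname` on an INF before right-click install flags the directive that the poster ended up commenting out; an empty list means no driver-type install section sets StartName.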