FltEnlistInTransaction doesn't return in minifilter driver

Hi,

I have written a minifilter driver that does registry filtering. In my registry callback routine, for the post create key operation, I have called FltEnlistInTransaction() to enlist this minifilter driver for this createkey operation.

This is because my RegCreateKeyEx operation is associated with a transaction and I want to get notified of the commit/rollback operations. But the problem is, FltEnlistInTransaction() doesn’t return?

Hi!

> I have written a minifilter driver that does registry filtering. In my
> registry callback routine, for the post create key operation, I have called
> FltEnlistInTransaction() to enlist this minifilter driver for this createkey
> operation.

I am not sure what you will achieve by this. I always thought Fltxxx
functions are file system related. Maybe I am wrong since I never tried
using it for registry, but I doubt that it works for registry. BTW, how do you
get the “instance” parameter in your registry callback routine?

Regards,
Ayush

Hi Ayush, thanks for the response. I’m doing registry filtering. What I want to achieve is to generate a log of all registry operations that are part of a transaction, and whenever a commit operation occurs, I want to get notified so that I don’t log the other registry operations which are filtered by my driver as part of this transaction. I used the FltEnumerateInstances() API to get the instances.

I am not sure why this FltEnlistInTransaction() doesn’t return???

Where does your FLT_INSTANCE come from? I tried this once attaching to the
system volume (C: if you will) - just as an experiment, nothing more - and it
seemed to work at the time. I don’t use that code in production.

Hi Lyndon!

> Where does your FLT_INSTANCE come from? I tried this once attaching to the
> system volume (C: if you will) - just as an experiment, nothing more - and
> it seemed to work at the time. I don’t use that code in production.

If I am correct, use of the instance that we get in the instance setup
callback is possible outside the context of the minifilter (I mean pre and
post callbacks).
But I never actually did it for registry. Have you tried it for registry
also? Of course, the files that back up the registry hives are stored on
the system volume. But does using the instance for the system volume do the trick?

Regards,
Ayush Gupta

Like I wrote, I tried this for an experiment, using fltmgr transactions and
Vista registry callbacks, and it seemed to work at the time. It was just an
experiment, and not code that I use in a product, and I’ve no reason to have
an opinion on whether or not that is something which it might or might not
be safe to do in code which might “escape the lab”. The fltmgr docs for
FltEnlistInTransaction say that PFLT_INSTANCE Instance must not be NULL …
I guess there is a reason for that stipulation.
