I have a FS minifilter that is supposed to be loaded at boot (Start = 0,
Type = 2 in the CurrentControlSet\Services entry). However someone could
install the driver and manually load it using “fltmc load” rather than
restarting the machine.
Is there a way to differentiate from user-mode between the two modes of
loading above? The ErrorControl mentions 1 (Normal) in both cases.
What do you mean by “Is there a way to differentiate from user-mode between
the two modes of loading”? I don’t get the bit about “from user mode”…
Do you have another component (like a user mode service) and would like
that to know whether the driver has been loaded at boot or interactively?
Thanks,
Alex.
On Mon, Apr 20, 2015 at 11:40 AM, Arun M. Krishnakumar wrote:
Check the boot time in comparison to your driver load time? It should be around the same time the system process starts.
Do you stop the user from being able to unload the driver? Otherwise they could also restart it after boot.
You could check for this by creating a volatile object on first load, that way if it already exists, you know the driver has been restarted.
Ged.
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Arun M. Krishnakumar
Sent: 20 April 2015 19:41
To: Windows File Systems Devs Interest List
Subject: [ntfsd] how to know when a driver was loaded
Do a ZwQuerySystemInformation with SystemProcessesAndThreadsInformation. In your driver you can set a global: when it is loaded, call the API. If only the System process is running, your driver was loaded during boot.
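The process-snapshot check proposed here (and again further down, "if only the System process is running then you loaded at boot") comes down to walking the variable-length entry chain that ZwQuerySystemInformation returns and looking for any PID other than Idle and System. The block below is an added example, not code from the thread or from any poster; it models only the fields of SYSTEM_PROCESS_INFORMATION that the check reads (the real declaration comes from the WDK headers, and in a driver the buffer comes from the API rather than the constructed sample used here).

```c
#include <stdint.h>
#include <string.h>
#include <wchar.h>
/* Portable partial model of SYSTEM_PROCESS_INFORMATION as returned by
 * ZwQuerySystemInformation(SystemProcessInformation): variable-length entries
 * chained by NextEntryOffset, 0 ends the list. Assumption: only these fields. */
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
typedef struct {
    uint32_t NextEntryOffset;
    UNICODE_STRING ImageName;
    uintptr_t UniqueProcessId;   /* HANDLE-sized PID */
} PROC_INFO;

/* Boot load iff nothing but Idle (PID 0) and System (PID 4) exists; any other
 * process means user mode was already up, i.e. the filter came via fltmc load. */
int loaded_at_boot(const uint8_t *buf) {
    const PROC_INFO *e = (const PROC_INFO *)buf;
    for (;;) {
        if (e->UniqueProcessId != 0 && e->UniqueProcessId != 4) return 0;
        if (e->NextEntryOffset == 0) return 1;
        e = (const PROC_INFO *)((const uint8_t *)e + e->NextEntryOffset);
    }
}

/* Append one constructed entry (sample data, not real kernel output); the
 * image name is stored right behind the header, as the kernel lays it out. */
static size_t append_entry(uint8_t *buf, size_t off, uintptr_t pid,
                           const wchar_t *name, int last) {
    PROC_INFO *e = (PROC_INFO *)(buf + off);
    size_t nbytes = wcslen(name) * sizeof(wchar_t);
    size_t size = (sizeof(PROC_INFO) + nbytes + 7) & ~(size_t)7; /* 8-byte align */
    memset(e, 0, size);
    e->UniqueProcessId = pid;
    e->ImageName.Length = e->ImageName.MaximumLength = (uint16_t)nbytes;
    e->ImageName.Buffer = (wchar_t *)(buf + off + sizeof(PROC_INFO));
    memcpy(e->ImageName.Buffer, name, nbytes);
    e->NextEntryOffset = last ? 0 : (uint32_t)size;
    return off + size;
}

/* Constructed boot snapshot (Idle + System) or interactive one with smss.exe
 * and fltmc.exe appended; returns 1 when the check says "loaded at boot". */
int classify_constructed(int interactive) {
    static uint64_t raw[128];               /* 8-byte aligned backing store */
    uint8_t *buf = (uint8_t *)raw;
    size_t off = append_entry(buf, 0, 0, L"", 0);
    off = append_entry(buf, off, 4, L"System", !interactive);
    if (interactive) {
        off = append_entry(buf, off, 372, L"smss.exe", 0);
        append_entry(buf, off, 5120, L"fltmc.exe", 1);
    }
    return loaded_at_boot(buf);
}
```

Newer Windows versions run additional kernel-owned processes early (the Registry process, for instance), so the allowed set in loaded_at_boot needs extending there; the offset walk itself is unchanged.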
Apologies: I looked at the question for a while but stopped looking since I
recently moved out of the company. But I would still like to know the answer.
Basically I would like to know if the minifilter was loaded interactively
by a user-mode program (fltmc) / service or at boot. The problem is that
the minifilter processes IRP_MJ_CREATE calls. So some files that were
opened before the interactive load (such as catdb files, WMI repository
etc) will not be processed. I would like to know if we could achieve this
somehow in a clean fashion.
There are some heuristic ways (filter checking if the files above are
already open etc), but I want to know if there is a nice deterministic way
about this.
Thanks,
On Tue, Apr 21, 2015 at 8:51 AM, Alex Carp wrote:
Maybe if you create some registry entries in HKLM\Software as part of
installation of your driver, you can try and read those values. At
boot-time you won’t be able to read them. But if someone uses fltmc load,
you’ll be able to read them.
Check the currently running processes at load time. If only the System
process is running then you loaded at boot. If other processes are also
running then someone loaded it using fltmc.
Thanks
On Mon, May 4, 2015 at 11:56 PM, Arun M. Krishnakumar wrote:
There is also the InitializationPhase global var IIRC, and IoRegisterDriverReinitialization.
“Arun M. Krishnakumar” wrote in message news:xxxxx@ntfsd…