IoRegisterFsRegistrationChange and NTFS

Based on feedback I got from a question about drive letter enumerating and
Unicode and filter attachment, I decided to change my filter driver from a
dynamic approach (like Filemon) to a boot file system filter approach. My
DriverEntry now registers for Fs notifications via
IoRegisterFsRegistrationChange, and I field the IRP_MJ_FILE_SYSTEM_CONTROL
looking for IRP_MN_MOUNT_VOLUME requests.

This is working, sort of… Debugging in at boot time, I see that I am
getting Fs notifications and subsequent mount indications, but only, it
appears, for the floppy device. I do get one non-floppy notification, but
DriverActive is FALSE. My filter gets hooked in on top of the floppy file
system and works as expected with respect to file accesses on that device,
but I can’t get a hook over NTFS with this approach.

Why am I not seeing any notifications for the NTFS FS? Am I too late in
the boot sequence?

Thanks,
Bill

P.S. I may learn quickly, but I wasn’t born with any of this knowledge.
It is refreshing (and a privilege) to have access to a group like this
one. Thanks once again for your willingness to share and “help”.

Are you loading at boot time? Set group order to “filter”, maybe that works.
----- Original Message -----
From: “Bill”
To: “File Systems Developers”
Sent: Friday, February 07, 2003 6:42 AM
Subject: [ntfsd] IoRegisterFsRegistrationChange and NTFS


A FSF must load in the Filter group as a Boot start driver - otherwise, the
Boot file system will load after - and I think File system, too.

Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

I thought I had that covered…

I have:

Type=2 (file system driver)
Group=“File System” (I’ve also tried Group=“Filter”)
Start=2 (auto start)

and, of course,

ErrorControl=1

> Are you loading at boot time? Set group order to “filter”, maybe that works.

Start = 0
----- Original Message -----
From: “Bill”
To: “File Systems Developers”
Sent: Friday, February 07, 2003 10:18 AM
Subject: [ntfsd] Re: IoRegisterFsRegistrationChange and NTFS

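The settings Bill posted (Type=2, Group="File System", Start=2) and the fix Ratmil and Dejan give (Group "Filter", Start=0) come down to load order: an auto-start service is started by the SCM after NTFS has already mounted the boot volume, so the only mounts such a filter ever sees are later ones like the floppy. The same reasoning is applied in the other direction when triaging an unfamiliar boot-start filter found on a machine. The following is an added example written for this page, not code from the thread or from any of its posters: it parses a constructed .reg export of two service keys and reports, from Start and Group alone, whether the filter is registered before NTFS loads and mounts. The service names, the .reg text and the shortened ServiceGroupOrder excerpt are assumptions made for the demonstration; the real list is longer but keeps the "Filter" before "Boot File System" before "File System" ordering used here.

```python
r"""
Decide from a service's registry settings whether a legacy file-system
filter (one that registers with IoRegisterFsRegistrationChange) will be in
place before NTFS mounts the boot volume.

Constructed example, not code from the thread or its posters.
SERVICE_GROUP_ORDER is a shortened excerpt of the default
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List; only the
relative order of "Filter", "Boot File System" and "File System" matters.
The .reg text and the names MyFsFilterAuto / MyFsFilterBoot are invented.
"""
import re

# SCM start types (winnt.h SERVICE_*_START constants).
SERVICE_BOOT_START = 0           # loaded by the OS loader, before the SCM runs
SERVICE_SYSTEM_START = 1         # loaded by the I/O manager after boot drivers
SERVICE_AUTO_START = 2           # started by the SCM once the boot volume is up
SERVICE_FILE_SYSTEM_DRIVER = 2   # the "Type" value Bill reported

# Excerpt of the default group load order; a lower index loads earlier.
SERVICE_GROUP_ORDER = [
    "System Reserved",
    "Boot Bus Extender",
    "System Bus Extender",
    "Primary Disk",
    "Filter",
    "Boot File System",
    "Base",
    "File System",
]

_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$', re.I)
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_services(text):
    """Parse a .reg export into {service_name: {value_name: value}}.

    Only the dword:XXXXXXXX and "string" forms are needed for the
    Type / Start / ErrorControl / Group / ImagePath values of a service key.
    """
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name, dword, string = value.groups()
            services[current][name] = int(dword, 16) if dword is not None else string
    return services


def boot_volume_visibility(svc):
    """Return (ok, reason): will this filter see NTFS mount the boot volume?"""
    start, group = svc.get("Start"), svc.get("Group", "")
    if start != SERVICE_BOOT_START:
        return False, ("Start=%r: started after the boot volume is mounted; "
                       "only later mounts (floppy, removable media) are seen" % start)
    if group not in SERVICE_GROUP_ORDER:
        return False, "Group=%r is not in ServiceGroupOrder; load position undefined" % group
    if SERVICE_GROUP_ORDER.index(group) >= SERVICE_GROUP_ORDER.index("Boot File System"):
        return False, "Group=%r loads at or after 'Boot File System'; NTFS is already up" % group
    return True, "Start=0 in group %r: registered before NTFS loads and mounts" % group


def boot_start_filters(services):
    """Names of file-system drivers the loader brings up before the SCM runs."""
    return sorted(n for n, s in services.items()
                  if s.get("Type") == SERVICE_FILE_SYSTEM_DRIVER
                  and s.get("Start") == SERVICE_BOOT_START)


def audit(text):
    return {name: boot_volume_visibility(svc) for name, svc in parse_reg_services(text).items()}


# Constructed sample: Bill's reported settings next to the recommended ones.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyFsFilterAuto]
"Type"=dword:00000002
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"Group"="File System"
"ImagePath"="system32\\drivers\\myfsfilter.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyFsFilterBoot]
"Type"=dword:00000002
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Group"="Filter"
"ImagePath"="system32\\drivers\\myfsfilter.sys"
'''

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_REG).items():
        print("%-16s %s %s" % (name, "OK" if ok else "NO", why))
    print("boot-start FS drivers:", boot_start_filters(parse_reg_services(SAMPLE_REG)))
```

Run as a script it reports MyFsFilterAuto as NO (started after the boot volume is mounted, which is exactly the floppy-only symptom in the first post) and MyFsFilterBoot as OK. Pointed at a real `reg export` of the Services key, boot_start_filters() lists every file-system driver the loader brings up before service control starts, which is the set an incident responder reads first when an unexpected filter is suspected.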

Thanks, Ratmil. I was just trying that one when I saw your reply. Works
for me!

That spawns another question… Now that my driver is registered as
Start=0, can I still “bypass” it by booting into Safe Mode?

> Start = 0

No. There is no way your driver doesn’t load now.
----- Original Message -----
From: “Bill”
To: “File Systems Developers”
Sent: Friday, February 07, 2003 10:52 AM
Subject: [ntfsd] Re: IoRegisterFsRegistrationChange and NTFS


You can do it like SoftIce… Press ESC to cancel loading your driver. Do
this by using ZwDisplayString() and the likes to get user input and
display a message.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ratmil Torres
Sent: Friday, February 07, 2003 2:26 PM
To: File Systems Developers
Subject: [ntfsd] Re: IoRegisterFsRegistrationChange and NTFS

Anyone have any details on how to do the user input
part of this? I can find info on ZwDisplayString but
nothing on keyboard input.

Thanks,

Randy

Hmm, ZwDisplayString didn’t work on 2K and XP, in some situations -
not sure if it was with the GUI boot or without it - so better check it.

Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

I use SoftICE. They put the /noguiboot flag so that
you can see their messages during boot.

I’ve set my driver to load at boot time, but I still
can’t see anything when I use ZwDisplayString in my
DriverEntry routine. Just for kicks I tried
HalDisplayString as well. No luck.

So it appears as though SoftICE must be using
something else or I’m using ZwDisplayString the wrong
way.

What are you doing? Softice’s nature is to apply ugly hackery. :wink:
The F8 tweak I’ve described lately works well on any 2k/XP I’ve ever seen,
and is applied to a debuggee in half a minute.

----- Original Message -----
From: “Randy Cook”
To: “File Systems Developers”
Sent: Saturday, February 08, 2003 2:31 AM
Subject: [ntfsd] Re: IoRegisterFsRegistrationChange and NTFS

> Why am I not seeing any notifications for the NTFS FS? Am I too late in
> the boot sequence?

Maybe, set your filter to “filter” group and to Boot start type.

Max

You will need to call the undocumented InbvEnableDisplayString on
these OSes to switch the boot UI to a mode where it can display
strings. AUTOCHK does the same.

Max

----- Original Message -----
From: “Dejan Maksimovic”
To: “File Systems Developers”
Sent: Saturday, February 08, 2003 2:39 AM
Subject: [ntfsd] Re: IoRegisterFsRegistrationChange and NTFS
