Legacy FSFD loading but not filtering on 2008 x64

Very strange situation. On one specific Windows 2008 x64 machine, my legacy
FSFD is definitely loading but is not filtering any devices. When I run
DeviceTree 2.21 it shows the driver loaded but not attached to any devices.

Interestingly, DeviceTree Wlh/Amd64 loads, but WNet/Amd64 gives me an error
saying that “Administrator must run it”, even though I have administrative
rights on the machine.

The driver is definitely properly signed (it does load).

Is there some strange new permissions thing going on in Windows 2008 x64 that
blocks legacy FSFDs from filtering?

Are you attaching to file system control devices correctly? You should
see this in DeviceTree.

Are you processing mount requests targeted for these CDOs?

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

If it is happening on a “particular” machine only, I would suggest that you
start off by seeing the volumes that you are filtering (put a breakpoint or
something in the mount dispatch/completion routine and see what’s going on)
and also see if there are any other filters above you and *possibly*
bypassing your filter (although the chances are less, but do check it)?

Regards,
Ayush Gupta
AI Consulting

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thanks, Peter. It is only happening on one particular 2008 x64 machine (so
far). All the others I have tested work fine. This particular 2008 machine
is also the one with the strange DeviceTree behavior.

Thanks, Ayush. Yes, it is on a specific machine. It is also the one where
DeviceTree is behaving strangely, so I was wondering if there was something
with permissions in 2008 x64.

Ok, here is some more information.

I added some code to create event log entries on the dispatch and completion
of IRP_MJ_FILE_SYSTEM_CONTROL for minor codes: IRP_MN_MOUNT_VOLUME and
IRP_MN_LOAD_FILE_SYSTEM.

I do not see any entries on the problem system 2008 x64, although I do see
them on all other 2008 x64 systems I’ve tried it on.

Any idea where to look next?

Thanks.


Are you calling IoRegisterFsRegistrationChange(Ex) to register your
legacy filter for file system load changes? Are you sure it succeeds and
if it does, do you get callbacks in that callback routine?

Or do you manually attach to the file system CDOs?

Pete
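
One way to narrow down where a legacy filter's attach chain stops, following the order of the questions in the replies above. This is an added example, not code from any poster: the trace line format and the stage names are hypothetical, standing for log entries a driver author would add at each step, and the sample traces are constructed.

```python
import re

# Attach chain of a legacy file system filter, in the order the replies probe it.
STAGES = [
    ("REGISTER", "IoRegisterFsRegistrationChange call was never logged"),
    ("FSNOTIFY", "registration succeeded but no file system change callback ran"),
    ("CDO_ATTACH", "callback ran but no attach to a file system CDO was attempted"),
    ("FSCTL_DISPATCH", "CDO attached but no IRP_MN_MOUNT_VOLUME reached dispatch"),
    ("FSCTL_COMPLETE", "mount request dispatched but completion never ran"),
    ("VDO_ATTACH", "mount completed but no attach to the new volume was attempted"),
]
# Hypothetical trace format: EVENT [status=0xNNNNNNNN] [other key=value fields]
LINE = re.compile(r"^(?P<event>[A-Z_]+)(?:\s+status=(?P<status>0x[0-9A-Fa-f]{8}))?")

def nt_success(status_hex):
    """NT_SUCCESS(): an NTSTATUS is success or informational when bit 31 is clear."""
    return int(status_hex, 16) < 0x80000000

def first_broken_stage(trace):
    """Return (stage, reason) for the earliest missing or failed stage, else None."""
    seen = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ok = m["status"] is None or nt_success(m["status"])
            # One success is enough: several CDOs or volumes may be logged.
            seen[m["event"]] = seen.get(m["event"], False) or ok
    for stage, reason in STAGES:
        if stage not in seen:
            return stage, reason
        if not seen[stage]:
            return stage, "logged, but every attempt returned a failure NTSTATUS"
    return None

# Constructed sample traces (not taken from the thread).
HEALTHY = """REGISTER status=0x00000000
FSNOTIFY fs=Ntfs active=1
CDO_ATTACH status=0x00000000 fs=Ntfs
FSCTL_DISPATCH minor=IRP_MN_MOUNT_VOLUME
FSCTL_COMPLETE status=0x00000000 minor=IRP_MN_MOUNT_VOLUME
VDO_ATTACH status=0x00000000"""
NO_CALLBACKS = "REGISTER status=0x00000000"
ATTACH_FAILED = """REGISTER status=0x00000000
FSNOTIFY fs=Ntfs active=1
CDO_ATTACH status=0xC0000001 fs=Ntfs"""

if __name__ == "__main__":
    for name in ("HEALTHY", "NO_CALLBACKS", "ATTACH_FAILED"):
        print(name, "->", first_broken_stage(globals()[name]))
```

A trace with no FSCTL entries at all cannot by itself tell the first three stages apart, which is why each earlier step needs its own log entry.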
