Minifilter doesn't receive user-mode event

Bill_Leimkuehler · November 30, 2006, 10:24am

In my minifilter, I use a system worker thread via FltQueueDeferredIoWorkItem to wait with a timeout on an event from my user-mode service. The user-mode service sends the event correctly, but it is not received in kernel mode. There are no errors at all when setting the event in user mode or waiting on the corresponding object in kernel mode. I’ve included the abbreviate source code below. Any help would be appreciated.

Here’s essentially what my user-mode code does (I do check for all errors, but exclude that code here):

context->Event = CreateEvent( NULL, // Default security
FALSE, // Auto reset
FALSE, // non-signaled state
NULL); // No

myThread = CreateThread( NULL,
0,
ScannerWorker,
context,
0,
&threadId );

// ScannerWorker routine:
if (SetEvent(Context->Event) == TRUE)
{
printf(“Sent event %X to the kernel to let it know our processing is complete!\n”, Context->Event);
}
else
{
printf( “Unable to send event %p to the kernel. Got error %X\n”, Context->Event, HRESULT_FROM_WIN32(GetLastError()) );
}

FreeScannerThreadContext(Context);

ExitThread(hr);

// Now here is the corresponding callback routine I pass to FltQueueDeferredIoWorkItem
// Error checking excluded

PRKEVENT gpEventObject;
OBJECT_HANDLE_INFORMATION objHandleInfo;

hr = ObReferenceObjectByHandle(
pWorkerContext->hUserModeEvent,
GENERIC_ALL,
NULL,
KernelMode,
&gpEventObject,
&objHandleInfo);

// Wait for the handle (actually the object returned by ObReferenceObjectByHandle
hr = KeWaitForSingleObject(
(PVOID) gpEventObject,
Executive,
KernelMode,
FALSE,
GetKernelWorkerTimeout());

When the last line returns hr always = STATUS_TIMEOUT. Any ideas? Thanks for your help!

Bill

Daniel_Terhell · November 30, 2006, 10:37am

You must make sure the you are calling in the context of the application
that created the event, those work items run in the context of the system
process. When you call ObReferenceObjectByHandle, you must specify Usermode
instead of Kernelmode and specify ExEventObjectType as object type. These
suggestions and more you can take from
http://www.osronline.com/article.cfm?id=108

/Daniel

wrote in message news:xxxxx@ntfsd…
> In my minifilter, I use a system worker thread via
> FltQueueDeferredIoWorkItem to wait with a timeout on an event from my
> user-mode service. The user-mode service sends the event correctly, but
> it is not received in kernel mode. There are no errors at all when
> setting the event in user mode or waiting on the corresponding object in
> kernel mode. I’ve included the abbreviate source code below. Any help
> would be appreciated.
>
> Here’s essentially what my user-mode code does (I do check for all errors,
> but exclude that code here):
>
> -----------------------------------------------------------------------------------------------
>
> context->Event = CreateEvent( NULL, // Default security
> FALSE, // Auto reset
> FALSE, // non-signaled state
> NULL); // No
>
> myThread = CreateThread( NULL,
> 0,
> ScannerWorker,
> context,
> 0,
> &threadId );
>
> // ScannerWorker routine:
> if (SetEvent(Context->Event) == TRUE)
> {
> printf(“Sent event %X to the kernel to let it know our processing is
> complete!\n”, Context->Event);
> }
> else
> {
> printf( “Unable to send event %p to the kernel. Got error %X\n”,
> Context->Event, HRESULT_FROM_WIN32(GetLastError()) );
> }
>
> FreeScannerThreadContext(Context);
>
> ExitThread(hr);
>
> ------------------------------------------------------------
>
> // Now here is the corresponding callback routine I pass to
> FltQueueDeferredIoWorkItem
> // Error checking excluded
>
> PRKEVENT gpEventObject;
> OBJECT_HANDLE_INFORMATION objHandleInfo;
>
> hr = ObReferenceObjectByHandle(
> pWorkerContext->hUserModeEvent,
> GENERIC_ALL,
> NULL,
> KernelMode,
> &gpEventObject,
> &objHandleInfo);
>
>
> // Wait for the handle (actually the object returned by
> ObReferenceObjectByHandle
> hr = KeWaitForSingleObject(
> (PVOID) gpEventObject,
> Executive,
> KernelMode,
> FALSE,
> GetKernelWorkerTimeout());
>
> When the last line returns hr always = STATUS_TIMEOUT. Any ideas? Thanks
> for your help!
>
> Bill
>
>

Bill_Leimkuehler · November 30, 2006, 10:51am

Thanks for your help Daniel. I had tried using UserMode and ExEventObjectType earlier and I overlooked the fact that I must be in that thread’s context! Thanks for the article, it was exactly what I was looking for. The answer was right under my nose! Wonder why that didn’t show up in my google searches, though. Oh well, thanks for your help! I really appreciate it!

Bill

Daniel_Terhell · November 30, 2006, 11:01am

You don’t necessarily need to be in the same thread context, but in the same
process because the usermode handle tables are per process. The other
solution is to create a named event, although the article says it’s a good
idea I believe it is not documented where you can find it in the object name
space.

/Daniel

wrote in message news:xxxxx@ntfsd…
> Thanks for your help Daniel. I had tried using UserMode and
> ExEventObjectType earlier and I overlooked the fact that I must be in that
> thread’s context! Thanks for the article, it was exactly what I was
> looking for. The answer was right under my nose! Wonder why that didn’t
> show up in my google searches, though. Oh well, thanks for your help! I
> really appreciate it!
>
> Bill
>