Minifilter usage question

I have been studying the scanner sample in the Win2003 IFS Kit beta. This
sample sends buffers to user mode to be scanned. Is it recommended that we
(3rd party devs) offload some or all processing to user mode? I mean,
rather than process the buffers in kernel mode. Is this a security and
safety issue (no BSOD in user land), or simply an example of what is
possible?

Thanks,

Jon

Jon,

There is no rule that says what needs to be done in user mode vs kernel
mode. This is up to you to decide. This is simply a sample that shows
what is possible.

Making this decision should really depend on the complexity of what you
are doing. For example many AV products do their AV scanning in user
mode because they don’t want to take the risk of having their AV engine
(which is very complex) crash the machine. Others do it in kernel mode
and simply do a lot of testing before they release or update it.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jon Anglin
Sent: Wednesday, December 01, 2004 6:23 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Minifilter usage question

I have been studying the scanner sample in the Win2003 IFS Kit beta. This
sample sends buffers to user mode to be scanned. Is it recommended that we
(3rd party devs) offload some or all processing to user mode? I mean,
rather than process the buffers in kernel mode. Is this a security and
safety issue (no BSOD in user land), or simply an example of what is
possible?

Thanks,

Jon



> There is no rule that says what needs to be done in user mode vs kernel
> mode. This is up to you to decide. This is simply a sample that shows
> what is possible.

One thing that is worth consideration is the performance issue.
Every inverted call back to user mode means a lot of work
for the OS, and consumes CPU time.

Another one may be a recursive issue - for example,
I would not recommend encrypting the buffer
sent with a paging write request in user mode,
because if the code that does the encryption
is paged out at the moment,
it might deadlock or even crash.

L.