Newbie filter driver problem

Hello Osr List,

I have made an upper filter driver using the template from
Walter Oney’s book and attached it to a USB storage device
using the DDK addfilter program, but when I do so, the USB
device drive vanishes from the list of hard disk drives in
My Computer! I checked the driver with WinDbg and
Verifier but didn’t get any error messages.

When I type “addfilter /listdevices” the filter and device
still appear, though. When I remove and re-insert the USB
drive, WinDbg prints the IRP messages that the filter
driver detects, e.g.:

TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_CLEANUP
TESTFILTER4 - IRP_MJ_CLOSE
TESTFILTER4 - IRP_MJ_CLEANUP
TESTFILTER4 - IRP_MJ_CLOSE
TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_READ
TESTFILTER4 - IRP_MJ_DEVICE_CONTROL
TESTFILTER4 - IRP_MJ_READ

Is it possible that my filter driver is blocking the IOCTL
messages somewhere so that the disk drive doesn’t appear
in My Computer?

The program is not meant to interfere with the IRPs for
the device, just detect them and print messages in WinDbg,
and then pass them on.

Is there anything in this method which would stop the IRPs
being passed down the stack to the device?

#pragma LOCKEDCODE // make no assumptions about pageability of dispatch fcns

NTSTATUS DispatchAny(IN PDEVICE_OBJECT fido, IN PIRP Irp)
{ // DispatchAny
    PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION) fido->DeviceExtension;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
#if DBG
    // Names indexed by IRP major function code
    static char* irpname[] = {
        "IRP_MJ_CREATE",
        "IRP_MJ_CREATE_NAMED_PIPE",
        "IRP_MJ_CLOSE",
        "IRP_MJ_READ",
        "IRP_MJ_WRITE",
        "IRP_MJ_QUERY_INFORMATION",
        "IRP_MJ_SET_INFORMATION",
        "IRP_MJ_QUERY_EA",
        "IRP_MJ_SET_EA",
        "IRP_MJ_FLUSH_BUFFERS",
        "IRP_MJ_QUERY_VOLUME_INFORMATION",
        "IRP_MJ_SET_VOLUME_INFORMATION",
        "IRP_MJ_DIRECTORY_CONTROL",
        "IRP_MJ_FILE_SYSTEM_CONTROL",
        "IRP_MJ_DEVICE_CONTROL",
        "IRP_MJ_INTERNAL_DEVICE_CONTROL",
        "IRP_MJ_SHUTDOWN",
        "IRP_MJ_LOCK_CONTROL",
        "IRP_MJ_CLEANUP",
        "IRP_MJ_CREATE_MAILSLOT",
        "IRP_MJ_QUERY_SECURITY",
        "IRP_MJ_SET_SECURITY",
        "IRP_MJ_POWER",
        "IRP_MJ_SYSTEM_CONTROL",
        "IRP_MJ_DEVICE_CHANGE",
        "IRP_MJ_QUERY_QUOTA",
        "IRP_MJ_SET_QUOTA",
        "IRP_MJ_PNP",
    };

    UCHAR type = stack->MajorFunction;

    // Print the name of the major function, or its number if out of range
    if (type >= arraysize(irpname))
        KdPrint((DRIVERNAME " - Unknown IRP, major type %X\n", type));
    else
        KdPrint((DRIVERNAME " - %s\n", irpname[type]));
#endif
    // Pass request down without additional processing

    NTSTATUS status;
    status = IoAcquireRemoveLock(&pdx->RemoveLock, Irp);
    if (!NT_SUCCESS(status))
        return CompleteRequest(Irp, status, 0);
    IoSkipCurrentIrpStackLocation(Irp);
    status = IoCallDriver(pdx->LowerDeviceObject, Irp);
    IoReleaseRemoveLock(&pdx->RemoveLock, Irp);
    return status;
} // DispatchAny

If anybody could help me with this I would greatly
appreciate it.

Scott


Dear OsrList,

I have now found that if I add the filter to a floppy
drive as an upper filter, it works normally, but if I add
it to a USB mass storage device, then the USB device is
still running, but the F: drive disappears from view.
Should I add the filter somewhere else to avoid blocking
the F: drive?

Scott


ブラウン スコット wrote:

> Dear OsrList,
>
> I have now found that if I add the filter to a floppy
> drive as an upper filter, it works normally, but if I add
> it to a USB mass storage device, then the USB device is
> still running, but the F: drive disappears from view.
> Should I add the filter somewhere else to avoid blocking
> the F: drive?
>
> Scott

Hello ??? <- put your name here please.

I think it’s normal to be this way. You have a problem if the drive
doesn’t reappear when you insert the USB device.

Andrei



I found the reason why the filter wasn’t working.
I hadn’t handled the IRP_MN_START_DEVICE command properly.

Scott
