Older O/S version questions WRT filtering

I’m working on a project for Windows XP SP 2 and above that involves a mini
filter and several of the available callbacks (task control, registry,
etc). It seems to work OK.

The powers that be have asked me to implement it on older O/S versions -
first XP w/no service packs and then Windows 2000 and now (gulp) Windows 98.

I’ve got a legacy style filter that implements my set of filtering routines
partly complete and I think it will work OK on the initial release of XP.

I don’t think the registry callbacks are available on Windows 2000 or 98.

Question: Will the legacy filter (‘sfilter’ style stuff) work on 2000?

Question: Is it possible to filter the registry operations on 2000?

Big question: What works on 98? (Snicker.)

Regards,
Mickey.

Mickey,

If you implement a legacy style filter, with the exception of some API calls
into the system it will work back to the NT 4.0 platforms. As for the
registry notification callbacks, these were only very recently fixed, XP sp2
I believe. For older platforms such as 2000, there is no reliable, Microsoft
approved way for filtering the registry calls. I am assuming here that you
actually want to do something when the notification is called and not just
log it.

For 98, you need to implement a whole new driver. I implemented a filesystem
filter for 98 a year or so back and it was fairly straightforward. Just
remember that on 98, you can’t implement the synchronous model that sends a
request to user mode from kernel mode, waiting for a response. It will
deadlock the system.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mickey Lane
Sent: Monday, October 03, 2005 7:50 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Older O/S version questions WRT filtering


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I’m still in the map-out-the-project mode.

Peter Scott wrote:

> […] As for the registry notification callbacks, these
> were only very recently fixed, XP sp2 I believe.

I have several DDKs installed: \WINDDK\2600, \WINDDK\2600.1106 &
\WINDDK\3790.1830

The CmRegisterCallback() is referenced in all of them (for XP). Does your
use of the word ‘fixed’ imply that even though it is in the header file, it
doesn’t work?

Thanks,
Mickey.

That is exactly what I am saying. The interface has been around for some time
but it will occasionally BSOD the system or just not work.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mickey Lane
Sent: Monday, October 03, 2005 8:26 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Older O/S version questions WRT filtering

Fixed in W2K3 SP1 … not in WXP SP2.

“Peter Scott” wrote in message
news:xxxxx@ntfsd…

Well, there you have it, fixed even later than I thought.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J Clarke
Sent: Monday, October 03, 2005 2:57 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Older O/S version questions WRT filtering

re:

registry notification callbacks and what versions of the O/S they work on…

and:

> The interface has been around for some time
> but it will occasionally BSOD the system or just not work.
> Pete
> www.KernelDrivers.com

Oi Vey.

Do you (anyone) know what was fixed with the Server 2003 SP 1 version?

On my XP SP 2 system, this stuff has been sort of working but I’ve been
chasing gopher problems - get a little close here and it pops up over
there…

F’instance:

An attempt to set a registry value gives me one of these in the
callback:

    struct _REG_SET_VALUE_KEY_INFORMATION {
        PVOID           Object;     // IN
        PUNICODE_STRING ValueName;  // IN
        ULONG           TitleIndex; // IN
        ULONG           Type;       // IN
        PVOID           Data;       // IN
        ULONG           DataSize;   // IN
    };

I use the Object pointer to get a HANDLE to the value:

    NtStatus = ObOpenObjectByPointer (
                   Object,
                   OBJ_KERNEL_HANDLE,
                   0,
                   0,
                   0,
                   KernelMode,
                   &KeyHandle);

(This always returns STATUS_SUCCESS)

Then I use the handle to see what the existing value of the key is

    NtStatus = ZwQueryValueKey (
                   KeyHandle,
                   PtrToValueName,  // points to a copy of ValueName above
                   KeyValuePartialInformation,
                   UmPtr,
                   UmBufferSizeInBytes,
                   &ResultLength);

Most of the time this gives me a status of 0x8061AA47 but it does work
every once in a while.

When it works, I go on with:

    NtStatus = ZwQueryKey (
                   KeyHandle,
                   KeyNodeInformation,
                   UmPtr,
                   UmBufferSizeInBytes,
                   &ResultLength);

Sometimes this fails with a status of 0x80577F00.

I’ll spring for a whole bunch of e-beers for anyone who makes some good
suggestions.

Regards,
Mickey.
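Added example, not from the thread or any of its posters: a portable C decoder for the NTSTATUS bit layout (severity, customer bit, reserved bit, facility, code, as defined in ntstatus.h), applied to the two status values reported above. Checking the fields is the first thing to do with a status code you do not recognise, before spending time on the call that supposedly returned it. Both reported values decode to warning severity with facility numbers 0x61 and 0x57, which are not in the subset of standard facilities this example carries; compare against the full header in your own DDK before drawing any conclusion. The facility table is an assumption of the example and deliberately a small subset; the sample inputs are constructed.

```c
/*
 * NTSTATUS field decoder. Added example for this thread, not code from any
 * of the posters. Layout follows the NTSTATUS definition in ntstatus.h:
 *   bits 31-30 severity, bit 29 customer (C), bit 28 reserved (N, must be 0),
 *   bits 27-16 facility, bits 15-0 code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ntstatus_severity {
    NT_SEV_SUCCESS = 0,
    NT_SEV_INFORMATIONAL = 1,
    NT_SEV_WARNING = 2,
    NT_SEV_ERROR = 3
};

typedef struct {
    unsigned severity;
    unsigned customer;
    unsigned reserved;
    unsigned facility;
    unsigned code;
} ntstatus_fields;

ntstatus_fields ntstatus_decode(uint32_t status)
{
    ntstatus_fields f;
    f.severity = (status >> 30) & 0x3u;
    f.customer = (status >> 29) & 0x1u;
    f.reserved = (status >> 28) & 0x1u;
    f.facility = (status >> 16) & 0xFFFu;
    f.code     = status & 0xFFFFu;
    return f;
}

const char *ntstatus_severity_name(unsigned severity)
{
    switch (severity) {
    case NT_SEV_SUCCESS:       return "SUCCESS";
    case NT_SEV_INFORMATIONAL: return "INFORMATIONAL";
    case NT_SEV_WARNING:       return "WARNING";
    default:                   return "ERROR";
    }
}

/*
 * Subset of the facility numbers defined in ntstatus.h (0 is FACILITY_NULL,
 * used by the common STATUS_* codes; 0x1C is FACILITY_FILTER_MANAGER). This
 * table is an assumption of the example: extend it from your own DDK header.
 */
static const unsigned known_facilities[] = {
    0x0, 0x1, 0x2, 0x3, 0x4, 0x7, 0x9, 0xA, 0xB,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x19, 0x1A, 0x1B, 0x1C
};

int ntstatus_facility_known(unsigned facility)
{
    size_t i;
    for (i = 0; i < sizeof known_facilities / sizeof known_facilities[0]; i++)
        if (known_facilities[i] == facility)
            return 1;
    return 0;
}

/*
 * 1 if the value is structurally plausible as a kernel NTSTATUS: the
 * reserved bit is clear and the facility is either customer-defined or one
 * the table above knows. 0 means "verify this value before trusting it".
 */
int ntstatus_plausible(uint32_t status)
{
    ntstatus_fields f = ntstatus_decode(status);
    if (f.reserved)
        return 0;
    if (f.customer)
        return 1;
    return ntstatus_facility_known(f.facility);
}

void ntstatus_print(uint32_t status)
{
    ntstatus_fields f = ntstatus_decode(status);
    printf("0x%08lX: severity=%s customer=%u reserved=%u facility=0x%03X code=0x%04X%s\n",
           (unsigned long)status, ntstatus_severity_name(f.severity),
           f.customer, f.reserved, f.facility, f.code,
           ntstatus_plausible(status) ? "" : "  (facility not in table: verify before treating as a real return)");
}

int main(void)
{
    /* Constructed inputs: the two values reported in the thread plus a
     * genuine STATUS_BUFFER_TOO_SMALL (0xC0000023) for comparison. */
    static const uint32_t samples[] = { 0x8061AA47u, 0x80577F00u, 0xC0000023u };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        ntstatus_print(samples[i]);
    return 0;
}
```

Run stand-alone, the program prints one decoded line per sample; the genuine code decodes to ERROR severity with facility 0, while the two reported values fall outside the table and are flagged for verification.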

Mickey

This was discussed in wonderful detail on ntdev some time past. For example
see this thread http://www.osronline.com/showThread.cfm?link=70296

Cheers
Lyndon

“Mickey Lane” wrote in message news:xxxxx@ntfsd…

wrt Cm callbacks, Lyndon J Clarke wrote:

> This was discussed in wonderful detail on ntdev some time past. For example
> see this thread http://www.osronline.com/showThread.cfm?link=70296

Thanks Lyndon. I wonder why I haven’t seen the crash?

You got lucky? If you don't have something using the registry callbacks then
perhaps you don't see this particular. Hmm now perhaps if you also turn on
forced irql checking for *everything* that might help things along :)

“Mickey Lane” wrote in message news:xxxxx@ntfsd…

I have a mini filter that also uses the registry callbacks. It doesn’t
report everything to user space but it does a little something on each I/O.
I run with driver verifier on. All the crashes I’ve seen have been my own
doing :)

The error situations I see consist of the two error codes 0x8061AA47 &
0x80577F00 (a lot) and sometimes the whole system just grinding to a halt
(rarely). I think I’d rather the BSOD. At least it’d give me something to
work with…

I haven’t resorted to a checked build and a debugger on a 2nd machine yet.
(Speaking of which - anybody ever try that technique using VMware?)

Mickey.

Lyndon J Clarke wrote:

> You got lucky? If you don't have something using the registry callbacks then
> perhaps you don't see this particular. Hmm now perhaps if you also turn on
> forced irql checking for *everything* that might help things along :)


If you are referring to running VMWare with a checked kernel? Yes, I have
several versions loadable for my VM systems, including checked and free.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mickey Lane
Sent: Thursday, October 06, 2005 4:46 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Older O/S version questions WRT filtering