Problem loading drivers in 64-bit Vista and a question...

Hi,
I’m new to driver development and have two questions that some of you will hopefully be able to answer. I searched for similar problems, but was unfortunately unable to find any working solutions.

1.)
I’m working on a minifilter driver for 64-bit Vista SP1 and no matter what I do, I can’t get the driver to load using fltmc. I keep getting “This driver has been blocked from loading” error (code 0x800704fb), no matter which build environment I use.

Now, I understand that every driver in Vista 64 needs to be digitally signed to load successfully. I tried to test-sign my driver using signtool.exe (and other SelfSign tools), but it didn’t solve the problem; nor did disabling driver signature enforcement (using F8 during boot and some other programs).

And it’s not just my driver I can’t get to load, it’s the WinDDK samples as well. E.g., when I build the minispy example, the build succeeds, but “fltmc load minispy” will again return “this driver has been blocked from loading”.

I tried OSRLoader and got the same result.
However, I downloaded FileSpy (http://www.zezula.net/en/fstools/filespy.html) and it works - it successfully loads minifilter which I am then able to see with fltmc command.

Being a beginner, I’ve run out of ideas about what I could be doing wrong…

2.)
What is the best (cleanest, most robust) way to limit filtering operations to a certain directory? E.g. I only want to filter file writes to C:\temp (and possibly subdirectories), and ignore the rest.

Any help would be much appreciated.

> However, I downloaded FileSpy (http://www.zezula.net/en/fstools/filespy.html) and it works - it successfully loads minifilter which I am then able to see with fltmc command.

FileSpy is signed by OSR’s certificate.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Dule,

> I’m working on a minifilter driver for 64-bit Vista SP1 and no matter what I do, I can’t get driver to load using fltmc. I keep getting “This driver has been blocked from loading” error (code 0x800704fb), no matter which build environment I use.

> Now, I understand that every driver in Vista 64 needs to be digitally signed to load successfully. I tried to test-sign my driver using signtool.exe (and other SelfSign tools), but it didn’t solve the problem; nor did disabling driver signature enforcement (using F8 during boot and some other programs).

> And it’s not just my driver I can’t get to load, it’s WinDDK samples as well. E.g., when I build minispy example, build succeeds, but “fltmc load minispy” will again return “this driver has been blocked from loading”.

You are aware that disabling driver signature enforcement works for a single boot only?
You did follow the exact steps provided in the signing for 64-bit Vista document? (They definitely work for test signing, so there’s something wrong in the steps if it doesn’t load - it’s very hard to tell what, really.)
Look up the error in the Event Viewer for more information; it might be useful, it might not be.

> What is the best (cleanest, most robust) way to limit filtering operations to a certain directory? E.g. I only want to filter file writes to C:\temp (and possibly subdirectories), and ignore the rest.

Since the FltMgr and the File Systems cannot do this for you, the best way is to check in the open/create/replace (IRP_MJ_CREATE) whether the file is inside your directory, create and associate a context with the file object, and in any other IRP_xxx handle only the file objects that have associated contexts.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.
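As an added illustration of the approach Dejan describes (not code from this thread or from any of the posters), here is a stand-alone C sketch of the two halves of that decision: the directory check a post-create callback would run on the normalized name from FltGetFileNameInformation, and a stand-in for the per-file-object context that the other callbacks consult. It assumes the name arrives in device form (e.g. \Device\HarddiskVolume1\temp\file.txt rather than C:\temp), and the kernel calls (FltGetFileNameInformation, FltAllocateContext/FltSetStreamHandleContext) are replaced by plain user-mode stand-ins so it compiles anywhere; the function names, struct and sample paths are made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* True when `path` is `dir` itself or lies somewhere below it.
   NTFS is case-insensitive by default, so compare case-insensitively, and
   stop at a path-component boundary so a watched "...\temp" matches
   "...\temp\a.txt" but NOT "...\temporary\a.txt".
   In a real minifilter `path` would be FLT_FILE_NAME_INFORMATION.Name
   (a counted UNICODE_STRING, not NUL-terminated) obtained in post-create
   with FLT_FILE_NAME_NORMALIZED, and `dir` the device-form path of C:\temp. */
bool PathIsUnderDirectory(const wchar_t *path, const wchar_t *dir)
{
    size_t dirLen = wcslen(dir);
    /* Tolerate a trailing backslash on the configured directory. */
    while (dirLen > 0 && dir[dirLen - 1] == L'\\')
        dirLen--;
    if (dirLen == 0)
        return false;            /* refuse to match "everything" */
    for (size_t i = 0; i < dirLen; i++) {
        if (path[i] == L'\0' ||
            towlower((wint_t)path[i]) != towlower((wint_t)dir[i]))
            return false;        /* path shorter than dir, or differs */
    }
    /* Exact match (the directory itself) or a child beneath it. */
    return path[dirLen] == L'\0' || path[dirLen] == L'\\';
}

/* Stand-in for the state a minifilter would keep in a stream-handle
   context attached with FltSetStreamHandleContext (hypothetical struct). */
typedef struct {
    const wchar_t *name;   /* normalized name of the opened file */
    bool tracked;          /* "a context is attached" */
} FakeFileObject;

/* Mirrors the IRP_MJ_CREATE (post-create) decision: attach a context only
   when the opened file lives under the watched directory. */
void OnCreate(FakeFileObject *fo, const wchar_t *watchedDir)
{
    fo->tracked = PathIsUnderDirectory(fo->name, watchedDir);
}

/* Mirrors any other IRP_MJ_xxx handler (e.g. pre-write): the only test is
   "does this file object carry our context?", no name lookup needed. */
bool OnWriteShouldFilter(const FakeFileObject *fo)
{
    return fo->tracked;
}
```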

Hi!

> Now, I understand that every driver in Vista 64 needs to be digitally signed to load successfully. I tried to test-sign my driver using signtool.exe (and other SelfSign tools), but it didn’t solve the problem; nor did disabling driver signature enforcement (using F8 during boot and some other programs).

Two things that I would like to mention:

  1. If you want to disable signing, you have to do it at “EVERY” boot.
  2. If you test-sign your driver and use it, then you need to enable test-signing on your system.

Regards,
Ayush Gupta