PsSetCreateProcessNotifyRoutine and driver unload.

Hi,
I’m using the PsSetCreateProcessNotifyRoutine function and I was
surprised when I found the following in the MSDN:

"An IFS or highest-level system-profiling driver might register a
process-creation callback to track the system-wide creation and deletion
of processes against the driver’s internal state. The system can
register up to eight process-creation callbacks. Any driver that
successfully registers a callback must remain loaded until the system
itself is shut down. "

Question: Does this mean that I cannot unload if I used this routine?
Actually, I found this when I tried to debug a BSOD caused when unloading the
driver…

Lev Zlotin
xxxxx@Intel.com
iNet: 8-465-6740
tel: 972-4-865-6740

It depends: on some OSes the remove flag did not work correctly. It should
work on any of the current OSes.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Zlotin, Lev” wrote in message news:xxxxx@ntdev…

Translation:

“This mechanism uses a fixed size table lookup scheme and is thus not
dynamic. You cannot unload once you register because the slots in the
table are set but never unset.”

The trick is in learning to “read” the implementation through the
caveats. There are many functions in the FSD land (where I usually hang
out) that once used mean you cannot unload (ExQueueWorkItem being one of
my favorites - obsolete for garden variety drivers, the file systems
folks cling to it like a much loved old sweater…) But we don’t care
because our mantra is “never unload, never unload, never unload,…”

Drivers are cheap, though, so one way to solve this is to split your
functionality into two pieces - one that has all those unloadable calls,
and one that invokes exports from the first one. Just make sure you
write the code so it correctly serializes the load/unload of the second
driver and you’ll be fine (read “use a nice serialization primitive like
a read-mostly, write-rarely lock”.)

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006 (note new date - MS scheduled plugfest the
same week again.)

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Zlotin, Lev
Sent: Tuesday, February 28, 2006 10:22 AM
To: ntdev redirect
Subject: [ntdev] PsSetCreateProcessNotifyRoutine and driver unload.



>Question: Does this mean that I cannot unload if I used this routine?

Yes.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com