querying device driver list from kernel mode...

Hello,

I am querying the list of device drivers from kernel mode using the AuxKlibQueryModuleInformation API. I find that the FullPathName returned in AUX_MODULE_EXTENDED_INFO does not always contain the full path. Sometimes it is just filename.sys, sometimes it is \SystemRoot\…\filename.sys and sometimes it’s \??\…\filename.sys and so on.

Is there a way by which I can translate this path into a normalized path? I am fine if the normalized path is an NT path OR a Win32 path as long as it’s consistent.

The user mode equivalent EnumDeviceDrivers/GetDeviceDriverFileName also returns the paths in similar fashion. I guess that’s because both auxlib and PSAPI are relying on the same NtQuerySystemInformation (info class 11) to query the device driver list and the system call implementation doesn’t seem to return normalized paths?

Thanks.
-Prasad

You will have to normalize it yourself.
Outside of the filename, why is the path interesting? Are you opening the drivers as files?

d

Sent from my phone


From: xxxxx@vmware.com
Sent: 7/9/2012 9:54 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] querying device driver list from kernel mode…

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

@Doron, thanks for the response.

How do I normalize it myself from kernel mode? Are you suggesting doing string manipulations like replacing \SystemRoot\ with the actual system root OR replacing \??\C: with C: etc.?

Sometimes the filename returned is just the .sys file, e.g. mup.sys. In this case, how do I normalize? OR just assume that it must be from \SystemRoot\system32\drivers?

No, I am not opening drivers as files.

Thanks.
-Prasad

So can you please tell us why you need the full path?
The LoadModuleNotify callback also returns these “short” paths, so if one needs
to open the file he must normalize the path.

Usually, there are several types of paths in these callbacks:

  • \SystemRoot -> open this symlink, call ObQueryNameString and you’ll get
    \Device\HarddiskX\PartitionY format; if it doesn’t fit your needs (you
    prefer HarddiskVolume format), then convert it again
  • \??\ (easy conversion)
  • \ (net redirectors, …)
  • dosdevice
  • last filename part only (I think this is only for system boot drivers, you
    can assume they’re stored in \windows\system32\drivers)

Petr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@vmware.com
Sent: Tuesday, July 10, 2012 10:49 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] querying device driver list from kernel mode…


>full path. Sometimes it is just filename.sys, sometimes it is \SystemRoot\…\filename.sys

Probably the heuristic is the same as in ImagePath registry, where the lack of full path means \SystemRoot\system32\drivers


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
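
An added example, not code from any poster in this thread: a string-level normalizer for the path forms listed in the replies above, including the suggested fallback to \SystemRoot\system32\drivers for bare file names. The function and enum names are hypothetical, the resolved system root is assumed to be supplied by the caller, and it is written as portable C so the logic can be tested outside a driver.

```c
#include <stdio.h>
#include <string.h>

/* Path forms named in the thread; enum and function names are hypothetical. */
typedef enum { MP_INVALID, MP_SYSTEMROOT, MP_DOSDEVICE, MP_NT, MP_BARE } mod_path_kind;

/* Case-insensitive ASCII prefix test; never reads past the end of s. */
static int has_prefix_i(const char *s, const char *p) {
    for (; *p; s++, p++) {
        char a = *s, b = *p;
        if (a >= 'A' && a <= 'Z') a += 32;
        if (b >= 'A' && b <= 'Z') b += 32;
        if (a != b) return 0;
    }
    return 1;
}

/* Rewrite `in` to one consistent form in `out`. `sysroot` is the already
 * resolved system root, e.g. "\\??\\C:\\Windows" (assumed given by the caller). */
mod_path_kind normalize_module_path(const char *in, const char *sysroot,
                                    char *out, size_t outlen) {
    mod_path_kind kind;
    int n;
    if (!in || !*in || !sysroot || !out || outlen == 0) return MP_INVALID;
    if (has_prefix_i(in, "\\SystemRoot\\")) {          /* \SystemRoot\... */
        kind = MP_SYSTEMROOT;
        n = snprintf(out, outlen, "%s\\%s", sysroot, in + 12);
    } else if (has_prefix_i(in, "\\??\\")) {           /* already \??\... */
        kind = MP_DOSDEVICE;
        n = snprintf(out, outlen, "%s", in);
    } else if (in[0] == '\\') {                        /* other NT path: keep */
        kind = MP_NT;
        n = snprintf(out, outlen, "%s", in);
    } else if (in[1] == ':' && in[2] == '\\') {        /* C:\... drive path */
        kind = MP_DOSDEVICE;
        n = snprintf(out, outlen, "\\??\\%s", in);
    } else if (!strpbrk(in, "\\/:")) {                 /* bare file name */
        kind = MP_BARE;
        n = snprintf(out, outlen, "%s\\system32\\drivers\\%s", sysroot, in);
    } else {
        return MP_INVALID;              /* relative path: do not guess */
    }
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return MP_INVALID; } /* truncated */
    return kind;
}

int main(void) {
    char buf[260];   /* constructed sample input */
    normalize_module_path("mup.sys", "\\??\\C:\\Windows", buf, sizeof buf);
    puts(buf);
    return 0;
}
```

The returned kind records which rule produced the result, so a driver inventory can flag entries that relied on the bare-name assumption rather than treating them as verified locations.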