Hello,
http://29a.host.sk/29a-7/Articles/29A-7.004
maybe this could help …
–
Best regards,
Ivona Prenosilova
I haven’t played a lot with WFP, but AFAIK the rule is quite simple:
replacing system drivers and dlls is not allowed unless you do it
manually in safe mode.
I am pretty sure there are cases in which the only way to go is to
really replace a system driver file. But most of the time, there is a
safe and Microsoft-approved way to do it.
Don’t get me wrong, I’m not saying there should not be a way to disable
WDF in a development environment. I’m just trying to find alternatives,
whether or not they miss the point.
Mat
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
Sent: Wednesday, June 16, 2004 9:51 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] WFP is evil
I think that sort of misses the point. WFP, for developers, is a Royal PITA. The ‘rules’ appear to change with every OS release, and perhaps with every service pack. My understanding is that the clampdown is just getting worse, specifically for longhorn. On the other hand virii suck too, and certainly loadable kernel dlls are a prime target.
Test versions of the os - as in the msdn and oem distributions, ought to allow a simple wfp disable mechanism. (The msdn distributions could drop this policy on activation so that your licensed production versions would be fully protected, oem test distributions won’t even activate.)
=====================
Mark Roddy
-----Original Message-----
From: Mathieu Routhier [mailto:xxxxx@cvds.com]
Sent: Wednesday, June 16, 2004 9:38 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] WFP is evil
Would it be possible, in your case, to insert a filter driver and basically ignore the other driver instead of replacing the driver file? I’m pretty sure you thought of that before.
Also, did you try to write an INF with a date more recent than the system driver but the same HWID so you can “update” the driver for this device?
Mat
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bill McKenzie
Sent: Wednesday, June 16, 2004 3:45 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] WFP is evil
Have I mentioned lately that I hate WFP and the lack of any reasonable, consistent and reliable way to turn it off?
Okay, so I am working on a driver that just happens to replace an existing system driver. Silly me. Everything is going along fine for hours and then suddenly I start having some issues. I end up spending close to a friggin half an hour trying to figure out why I can’t get my symbols to match up in WinDbg. I know it can’t be WFP because I have set the proper values in my target’s registry, I have yet to reboot my target without a debugger hooked up, and just to make sure I renamed all of the cab files in my \Windows\Driver Cache directory and deleted everything in my \Windows\System32\DllCache directory. So, there is absolutely no way it could be WFP screwing me up right? Well no, actually it can. Despite all of my best efforts, I made the single mistake of putting XP SP1 on my target. SP1 adds some cab files in another directory. One of these somehow avoided all of the rules and allowed WFP to blow away my driver when I copied it in. Oh, but not every time??
Once I renamed all of the new SP1 cab files all went as planned. I would have looked to WFP right away, but I knew I had it turned off for good. I didn’t notice that I was replacing the same version of driver for a few copies. Yet another half an hour of my life flushed down the ‘completely unnecessary and highly irritating waste of my time’ toilet.
Someone please take away this scourge on all driver developers everywhere and give us some sane way to shut this crap off once and for all!!
–
Bill McKenzie
Software Engineer - Prism 802.11 Wireless Solutions
Conexant Systems, Inc.
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@cvds.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
I had heard about this, that is actually a pretty clever solution.
Isn’t it wonderful the hoops we must jump through just to get some work
done.
–
Bill McKenzie
Software Engineer - Prism 802.11 Wireless Solutions
Conexant Systems, Inc.
“ivona prenosilova” wrote in message news:xxxxx@ntdev…
Mat,
I was making a statement more than looking for help. I can get the drivers
replaced one way or another. What bothers me is the unnecessary pain of
doing so. I suppose not that many folks replace system files in their
development. I seem to find the need to do so often for weird reasons of
one type or another. As I always use a target system (which will not be
used for anything else) to test my drivers, I would just love a way to say
‘thanks but I don’t need all of the protection’. As Mark said, it appears
that future versions of Windows will be more problematic in this area, not
less.
I can’t believe I forgot to mention this at WinHEC.
–
Bill McKenzie
Software Engineer - Prism 802.11 Wireless Solutions
Conexant Systems, Inc.
“Mathieu Routhier” wrote in message news:xxxxx@ntdev…
Hooking would not work in this case ?? If it does, go for it
-pro
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Bill McKenzie
Sent: Wednesday, June 16, 2004 7:25 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] WFP is evil
Mat,
I was making a statement more than looking for help. I can get the drivers
replaced one way or another. What bothers me is the unnecessary pain of
doing so. I suppose not that many folks replace system files in their
development. I seem to find the need to do so often for weird reasons of
one type or another. As I always use a target system (which will not be
used for anything else) to test my drivers, I would just love a way to say
‘thanks but I don’t need all of the protection’. As Mark said, it appears
that future versions of Windows will be more problematic in this area, not
less.
I can’t believe I forgot to mention this at WinHEC.
–
Bill McKenzie
Software Engineer - Prism 802.11 Wireless Solutions
Conexant Systems, Inc.
Well, if any of the active list members wants a utility which uses the SfcTerminateWatcherThread method and finds the WinLogon PID on its own, let me know. It simply stops WFP until the next reboot. I have used it since SFC was introduced (~2000) and it seems to work for all available OS/SP versions up to XP SP1. I guess it works on w2k3, too, but I can’t remember if I really tested it or only planned to.
Don’t worry, it needs admin rights. And yes, I agree WFP is a PITA for developers and would appreciate it if MS created an official way to disable it which doesn’t need WinDbg connected. For example, a similar utility included in the Resource Kit.
BTW, I wonder if I should ask Ratter for credit as I published this method here about a year ago
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]
From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Bill McKenzie[SMTP:xxxxx@conexant.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, June 16, 2004 4:08 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Re[2]: WFP is evil
I had heard about this, that is actually a pretty clever solution.
Isn’t it wonderful the hoops we must jump through just to get some work
done.
–
Bill McKenzie
Software Engineer - Prism 802.11 Wireless Solutions
Conexant Systems, Inc.
“ivona prenosilova” wrote in message news:xxxxx@ntdev…
You and me both. I think it is the off-putting niceness of what is supposed
to be The Borg, what with their new openness and helpfulness and
eager-to-make-things-rightness, bringing up the remaining lame cruft they
still foist on us just seems rude.
=====================
Mark Roddy
-----Original Message-----
I can’t believe I forgot to mention this at WinHEC.
–
Bill McKenzie
Software Engineer - Prism 802.11 Wireless Solutions Conexant Systems, Inc.
I’m not about to start defending WFP…
But you might have a lot more luck with a different strategy. Generate a
certificate yourself and then install it as a test certificate on your
target machine. Then sign all your drivers with that certificate. WFP will
happily treat them as trusted.
Granted that that’s a lot of work to set up for the first time. And
Microsoft did it for me, so I have little idea how long it would take
somebody to do it for themselves. But it does solve the problem.
–
Jake Oshins
Windows Kernel Group
This posting is provided “AS IS” with no warranties, and confers no rights.
“Mathieu Routhier” wrote in message news:xxxxx@ntdev…
I’m sorry you brought that route up. As far as I can tell, in order to
generate a test certificate you have to have an account with verisign or its
equivalent in order to authenticate the darn thing. Easy enough if you are
Microsoft, or even a modestly sized company, but rather yet another royal
PITA for the rest of us. I’m also not sure which os version support test
certificates. Also the documentation about how to do this is about as muddy
as it gets, scattered KB articles, various SDK references, inferences in the
DDK, rumors here and elsewhere, etc. I gave up after about a day or so when
I hit the ‘you need to go get a verisign account problem’.
=====================
Mark Roddy
-----Original Message-----
From: Jake Oshins [mailto:xxxxx@windows.microsoft.com]
Sent: Wednesday, June 16, 2004 5:18 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] WFP is evil
I’m not about to start defending WFP…
But you might have a lot more luck with a different strategy. Generate a
certificate yourself and then install it as a test certificate on your
target machine. Then sign all your drivers with that certificate. WFP will
happily treat them as trusted.
Granted that that’s a lot of work to set up for the first time. And
Microsoft did it for me, so I have little idea how long it would take
somebody to do it for themselves. But it does solve the problem.
–
Jake Oshins
Windows Kernel Group
This posting is provided “AS IS” with no warranties, and confers no rights.
No, just install Certificate Server somewhere in your organization, create
a root certificate, then add it to the Certificate Store of each computer - the
latter step is automated using Active Directory.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Roddy, Mark”
To: “Windows System Software Devs Interest List”
Sent: Thursday, June 17, 2004 5:01 PM
Subject: RE: [ntdev] WFP is evil
> I’m sorry you brought that route up. As far as I can tell, in order to
> generate a test certificate you have to have an account with verisign or its
> equivalent in order to authenticate the darn thing. Easy enough if you are
> Microsoft, or even a modestly sized company, but rather yet another royal
> PITA for the rest of us. I’m also not sure which os version support test
> certificates. Also the documentation about how to do this is about as muddy
> as it gets, scattered KB articles, various SDK references, inferences in the
> DDK, rumors here and elsewhere, etc. I gave up after about a day or so when
> I hit the ‘you need to go get a verisign account problem’.
>
>
> =====================
> Mark Roddy
>
> -----Original Message-----
> From: Jake Oshins [mailto:xxxxx@windows.microsoft.com]
> Sent: Wednesday, June 16, 2004 5:18 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] WFP is evil
>
> I’m not about to start defending WFP…
>
> But you might have a lot more luck with a different strategy. Generate a
> certificate yourself and then install it as a test certificate on your
> target machine. Then sign all your drivers with that certificate. WFP will
> happily treat them as trusted.
>
> Granted that that’s a lot of work to set up for the first time. And
> Microsoft did it for me, so I have little idea how long it would take
> somebody to do it for themselves. But it does solve the problem.
>
> –
> Jake Oshins
> Windows Kernel Group
>
> This posting is provided “AS IS” with no warranties, and confers no rights.
>
>
> “Mathieu Routhier” wrote in message news:xxxxx@ntdev…
> > I haven’t played a lot with WFP, but AFAIK the rule is quite simple:
> > replacing system drivers and dlls is not allowed unless you do it
> > manually in safe mode.
> >
> > I am pretty sure there are cases in which the only way to go is to
> > really replace a system driver file. But most of the time, there is a
> > safe and Microsoft-approved way to do it.
> >
> > Don’t get me wrong, I’m not saying there should not be a way to
> > disable WDF in a development environment. I’m just trying to find
> > alternatives, whether or not they miss the point.
> >
> > Mat
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
> > Sent: Wednesday, June 16, 2004 9:51 AM
> > To: Windows System Software Devs Interest List
> > Subject: RE: [ntdev] WFP is evil
> >
> > I think that sort of misses the point. WFP, for developers, is a Royal
> > PITA.
> > The ‘rules’ appear to change with every OS release, and perhaps with
> > every service pack. My understanding is that the clampdown is just
> > getting worse, specifically for longhorn. On the other hand virii suck
> > too, and certainly loadable kernel dlls are a prime target.
> >
> > Test versions of the os - as in the msdn and oem distributions, ought
> > to allow a simple wfp disable mechanism. (The msdn distributions could
> > drop this policy on activation so that your licensed production
> > versions would be fully protected, oem test distributions won’t even
> > activate.)
> >
> > =====================
> > Mark Roddy
> >
> > -----Original Message-----
> > From: Mathieu Routhier [mailto:xxxxx@cvds.com]
> > Sent: Wednesday, June 16, 2004 9:38 AM
> > To: Windows System Software Devs Interest List
> > Subject: RE: [ntdev] WFP is evil
> >
> > Would it be possible, in your case, to insert a filter driver and
> > basically ignore the other driver instead of replacing the driver
> > file?
> > I’m pretty sure you thought of that before.
> >
> > Also, did you try to write an INF with a date more recent than the
> > system driver but the same HWID so you can “update” the driver for
> > this device?
> >
> > Mat
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of Bill McKenzie
> > Sent: Wednesday, June 16, 2004 3:45 AM
> > To: Windows System Software Devs Interest List
> > Subject: [ntdev] WFP is evil
> >
> > Have I mentioned lately that I hate WFP and the lack of any
> > reasonable, consistent and reliable way to turn it off?
> >
> > Okay, so I am working on a driver that just happens to replace an
> > existing system driver. Silly me. Everything is going along fine for
> > hours and then suddenly I start having some issues. I end up spending
> > close to a friggin half an hour trying to figure out why I can’t get
> > my symbols to match up in WinDbg. I know it can’t be WFP because I
> > have set the proper values in my target’s registry, I have yet to
> > reboot my target without a debugger hooked up, and just to make sure I
> > renamed all of the cab files in my \Windows\Driver Cache directory and
> > deleted everything in my \Windows\System32\DllCache directory. So,
> > there is absolutely no way it could be WFP screwing me up right? Well
> > no, actually it can. Despite all of my best efforts, I made the
> > single mistake of putting XP SP1 on my target. SP1 adds some cab
> > files in another directory. One of these somehow avoided all of the
> > rules and allowed WFP to blow away my driver when I copied it in. Oh,
> > but not every time??
> >
> > Once I renamed all of the new SP1 cab files all went as planned. I
> > would have looked to WFP right away, but I knew I had it turned off
> > for good. I didn’t notice that I was replacing the same version of
> > driver for a few copies. Yet another half an hour of my life flushed
> > down the ‘completely unnecessary and highly irritating waste of my
> > time’ toilet.
> >
> > Someone please take away this scourge on all driver developers
> > everywhere and give us some sane way to shut this crap off once and
> > for all!!
> >
> >
> >
> > –
> > Bill McKenzie
> > Software Engineer - Prism 802.11 Wireless Solutions Conexant Systems,
> > Inc.
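As an added example, not code from this thread or from any of the posters, here is the route Jake describes (generate your own certificate, trust it on the target, sign the driver with it) carried through with current Windows tooling, followed by the check Bill's story calls for: confirming that the file you copied into System32\drivers is still the one you built after file protection has had its chance to put the original back. The build path, deployed path and certificate subject are placeholders, and the cmdlets used (New-SelfSignedCertificate, Set-AuthenticodeSignature, Get-FileHash) are far newer than anything the 2004 posters had; where Maxim's Certificate Server route is used instead, step 1 is replaced by a certificate issued from that internal CA and step 2 by Active Directory distribution of the CA's root.

```powershell
# Added example: local test-signing of a driver plus a post-copy integrity check.
# Paths and the certificate subject are assumed placeholders, not values from the thread.
param(
    [string]$DriverPath   = "C:\build\mydriver.sys",                       # assumed build output
    [string]$DeployedPath = "C:\Windows\System32\drivers\mydriver.sys",    # assumed target location
    [string]$Subject      = "CN=Example Test Driver Signing (TEST ONLY)"   # assumed subject name
)

# 1. Create a self-signed code-signing certificate in the current user's store.
#    With an internal CA (Certificate Server) you would request this from the CA instead.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1)

# 2. Export the public certificate and trust it on the TEST machine only (requires an
#    elevated prompt). Putting it in Root makes the chain verify; TrustedPublisher
#    suppresses the "do you trust this publisher" prompt during driver installation.
$cerPath = Join-Path $env:TEMP "test-signing.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\TrustedPublisher" | Out-Null

# 3. Authenticode-sign the driver image. signtool.exe from the WDK
#    (signtool sign /fd SHA256 /sha1 <thumbprint> mydriver.sys) does the same job and is
#    what you would use when the package's .cat file also needs signing.
$sig = Set-AuthenticodeSignature -FilePath $DriverPath -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# 4. Copy to the target and prove the copy survived. File protection (WFP then, WRP now)
#    may silently restore the original from its cache, which is the "symbols don't match
#    in WinDbg" symptom from the start of the thread; comparing hashes catches it at once.
Copy-Item -Path $DriverPath -Destination $DeployedPath -Force
$built    = (Get-FileHash -Path $DriverPath   -Algorithm SHA256).Hash
$deployed = (Get-FileHash -Path $DeployedPath -Algorithm SHA256).Hash
if ($built -ne $deployed) {
    throw "Deployed file differs from build output; file protection probably replaced it."
}

# 5. Confirm the deployed file still carries our signature and chains to the test root.
$check = Get-AuthenticodeSignature -FilePath $DeployedPath
"Deployed signature: $($check.Status); signer: $($check.SignerCertificate.Subject)"
```

Two practical points: the test root belongs only in the test machine's stores, since anything signed with that key is trusted wherever the root is installed; and on 64-bit Windows a driver signed this way still only loads with test-signing mode enabled (`bcdedit /set testsigning on`), which is the modern counterpart of the "for testing purposes only" desktop watermark Rob mentions below.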
Yup you aren’t far wrong.
The verisign part was a particular PITA for us being in the UK.
Having been through (most of) the WHQL process, having a test-signed package
has been essential for developing the install-side stuff. BUT, from a driver
development/testing point of view it is a bit of a pain.
You have to sign your package (using the signcode.exe wizard app), go
through a bunch of questions on the WHQL web front end EVERY TIME, then
upload your package, and then you have to wait for it to upload the package
to an ftp account you specify (you do get an email notification). Oh… and
sometimes it never completes the test signing process! I believe they’ve
removed the requirement for the ftp and added the ability to download from
the WHQL site now.
So all in all it can take up to an hour to get a test signing done for your
drivers.
To use test certificates you need to install a root certificate on the
machine; it’ll then show a “for testing purposes only” on the desktop.
As for O/S support, I’ve only used test certificates under 2K/XP, as the
reason we’re doing this was for a USB device that couldn’t be added as a
non-administrator on machines that have the “signed drivers only” thing set
and have no on-site admin.
br,
Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.co.uk
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Roddy, Mark
Sent: 17 June 2004 14:01
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] WFP is evil
I’m sorry you brought that route up. As far as I can tell, in order to
generate a test certificate you have to have an account with verisign or its
equivalent in order to authenticate the darn thing. Easy enough if you are
Microsoft, or even a modestly sized company, but rather yet another royal
PITA for the rest of us. I’m also not sure which OS versions support test
certificates. Also the documentation about how to do this is about as muddy
as it gets, scattered KB articles, various SDK references, inferences in the
DDK, rumors here and elsewhere, etc. I gave up after about a day or so when
I hit the ‘you need to go get a verisign account problem’.
=====================
Mark Roddy
Ah, that is interesting. So you are saying that you can, within an NT
domain, have your own certificate authority. I assume you have to put your
test machines on that domain, which I generally don’t do. It would be real
nice, especially considering the longhorn requirements, if this were all
explicitly documented in one place.
=====================
Mark Roddy
-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Thursday, June 17, 2004 9:21 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] WFP is evil
No, just install Certificate Server somewhere in your organization,
create a root certificate, then add it to the Certificate Store of each computer
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Yes. This works for SSL, provided the users will explicitly declare your
certificate authority as trusted in MSIE.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Roddy, Mark”
To: “Windows System Software Devs Interest List”
Sent: Thursday, June 17, 2004 6:03 PM
Subject: RE: [ntdev] WFP is evil
> Ah, that is interesting. So you are saying that you can, within an NT
> domain, have your own certificate authority. I assume you have to put your
> test machines on that domain, which I generally don’t do. It would be real
> nice, especially considering the longhorn requirements, if this were all
> explicitly documented in one place.
>
>
>
> =====================
> Mark Roddy
You don’t even have to put your test machines into the domain. But if you
do, you don’t have to manually install the certificate on them.
–
Jake Oshins
Windows Kernel Group
This posting is provided “AS IS” with no warranties, and confers no rights.
“Roddy, Mark” wrote in message news:xxxxx@ntdev…
> Ah, that is interesting. So you are saying that you can, within an NT
> domain, have your own certificate authority. I assume you have to put your
> test machines on that domain, which I generally don’t do. It would be real
> nice, especially considering the longhorn requirements, if this were all
> explicitly documented in one place.
>
>
>
> =====================
> Mark Roddy
>
> -----Original Message-----
> From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
> Sent: Thursday, June 17, 2004 9:21 AM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] WFP is evil
>
> No, just install Certificate Server somewhere in your organization,
> create a root certificate, then add in to Certificate Store of each
> computer
> - the latter step is automated using Active Directory.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>
> ----- Original Message -----
> From: “Roddy, Mark”
> To: “Windows System Software Devs Interest List”
> Sent: Thursday, June 17, 2004 5:01 PM
> Subject: RE: [ntdev] WFP is evil
>
>
>> I’m sorry you brought that route up. As far as I can tell, in order to
>> generate a test certificate you have to have an account with verisign or
>> its equivalent in order to authenticate the darn thing. Easy enough if you
>> are Microsoft, or even a modestly sized company, but rather yet another
>> royal PITA for the rest of us. I’m also not sure which os versions support
>> test certificates. Also the documentation about how to do this is about as
>> muddy as it gets, scattered KB articles, various SDK references, inferences
>> in the DDK, rumors here and elsewhere, etc. I gave up after about a day or
>> so when I hit the ‘you need to go get a verisign account problem’.
>>
>>
>> =====================
>> Mark Roddy
>>
>> -----Original Message-----
>> From: Jake Oshins [mailto:xxxxx@windows.microsoft.com]
>> Sent: Wednesday, June 16, 2004 5:18 PM
>> To: Windows System Software Devs Interest List
>> Subject: Re:[ntdev] WFP is evil
>>
>> I’m not about to start defending WFP…
>>
>> But you might have a lot more luck with a different strategy. Generate a
>> certificate yourself and then install it as a test certificate on your
>> target machine. Then sign all your drivers with that certificate. WFP
>> will happily treat them as trusted.
>>
>> Granted that that’s a lot of work to set up for the first time. And
>> Microsoft did it for me, so I have little idea how long it would take
>> somebody to do it for themselves. But it does solve the problem.
>>
>> –
>> Jake Oshins
>> Windows Kernel Group
>>
>> This posting is provided “AS IS” with no warranties, and confers no
>> rights.
>>
>>
>> “Mathieu Routhier” wrote in message
>> news:xxxxx@ntdev…
>> > I haven’t played a lot with WFP, but AFAIK the rule is quite simple:
>> > replacing system drivers and dlls is not allowed unless you do it
>> > manually in safe mode.
>> >
>> > I am pretty sure there are cases in which the only way to go is to
>> > really replace a system driver file. But most of the time, there is a
>> > safe and Microsoft-approved way to do it.
>> >
>> > Don’t get me wrong, I’m not saying there should not be a way to
>> > disable WDF in a development environment. I’m just trying to find
>> > alternatives, whether or not they miss the point.
>> >
>> > Mat
>> >
>> > -----Original Message-----
>> > From: xxxxx@lists.osr.com
>> > [mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
>> > Sent: Wednesday, June 16, 2004 9:51 AM
>> > To: Windows System Software Devs Interest List
>> > Subject: RE: [ntdev] WFP is evil
>> >
>> > I think that sort of misses the point. WFP, for developers, is a Royal
>> > PITA.
>> > The ‘rules’ appear to change with every OS release, and perhaps with
>> > every service pack. My understanding is that the clampdown is just
>> > getting worse, specifically for longhorn. On the other hand virii suck
>> > too, and certainly loadable kernel dlls are a prime target.
>> >
>> > Test versions of the os - as in the msdn and oem distributions, ought
>> > to allow a simple wfp disable mechanism. (The msdn distributions could
>> > drop this policy on activation so that your licensed production
>> > versions would be fully protected, oem test distributions won’t even
>> > activate.)
>> >
>> > =====================
>> > Mark Roddy
>> >
>> > -----Original Message-----
>> > From: Mathieu Routhier [mailto:xxxxx@cvds.com]
>> > Sent: Wednesday, June 16, 2004 9:38 AM
>> > To: Windows System Software Devs Interest List
>> > Subject: RE: [ntdev] WFP is evil
>> >
>> > Would it be possible, in your case, to insert a filter driver and
>> > basically ignore the other driver instead of replacing the driver
>> > file?
>> > I’m pretty sure you thought of that before.
>> >
>> > Also, did you try to write an INF with a date more recent than the
>> > system driver but the same HWID so you can “update” the driver for
>> > this device?
>> >
>> > Mat
>> >
>> > -----Original Message-----
>> > From: xxxxx@lists.osr.com
>> > [mailto:xxxxx@lists.osr.com] On Behalf Of Bill McKenzie
>> > Sent: Wednesday, June 16, 2004 3:45 AM
>> > To: Windows System Software Devs Interest List
>> > Subject: [ntdev] WFP is evil
>> >
>> > Have I mentioned lately that I hate WFP and the lack of any
>> > reasonable, consistent and reliable way to turn it off?
>> >
>> > Okay, so I am working on a driver that just happens to replace an
>> > existing system driver. Silly me. Everything is going along fine for
>> > hours and then suddenly I start having some issues. I end up spending
>> > close to a friggin half an hour trying to figure out why I can’t get
>> > my symbols to match up in WinDbg. I know it can’t be WFP because I
>> > have set the proper values in my target’s registry, I have yet to
>> > reboot my target without a debugger hooked up, and just to make sure I
>> > renamed all of the cab files in my \Windows\Driver Cache directory and
>> > deleted everything in my \Windows\System32\DllCache directory. So,
>> > there is absolutely no way it could be WFP screwing me up right? Well
>> > no, actually it can. Despite all of my best efforts, I made the
>> > single mistake of putting XP SP1 on my target. SP1 adds some cab
>> > files in another directory. One of these somehow avoided all of the
>> > rules and allowed WFP to blow away my driver when I copied it in. Oh,
>> > but not every time??
>> >
>> > Once I renamed all of the new SP1 cab files all went as planned. I
>> > would have looked to WFP right away, but I knew I had it turned off
>> > for good. I didn’t notice that I was replacing the same version of
>> > driver for a few copies. Yet another half an hour of my life flushed
>> > down the
>> > ‘completely unnecessary and highly irritating waste of my time’
>> > toilet.
>> >
>> > Someone please take away this scourge on all driver developers
>> > everywhere and give us some sane way to shut this crap off once and
>> > for all!!
>> >
>> >
>> >
>> > –
>> > Bill McKenzie
>> > Software Engineer - Prism 802.11 Wireless Solutions Conexant Systems,
>> > Inc.
>> >
>> >
>>
>
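The strategy Jake describes in the post above (generate a certificate yourself, install it as trusted on the target, sign the drivers with it, verify that the signature is accepted), written out as a current PowerShell script. This is an added example, not code from anyone in this thread or from Microsoft; the cmdlets are the stock PKI and Authenticode cmdlets, while the subject name, the `C:\Lab` paths and `mydriver.sys` are placeholders. Step 3 is the part that Maxim notes Active Directory can automate for domain-joined test machines; on stand-alone targets you copy the `.cer` over and run it by hand.

```powershell
# Added example: self-signed test certificate for signing lab drivers.
# Not code from this thread. Paths, subject name and driver file are placeholders.
# Run from an elevated PowerShell on the machine that will trust the certificate.

$Subject   = "CN=Lab Test Driver Signing (NOT FOR PRODUCTION)"
$CerPath   = "C:\Lab\TestDriverSigning.cer"   # public certificate only, no private key
$DriverSys = "C:\Lab\build\mydriver.sys"      # placeholder driver binary to sign

# 1. Create a code-signing certificate in the current user's personal store.
#    The private key stays on the build machine; only the .cer is distributed.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject $Subject `
    -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths(6) `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Export the public half so it can be copied to each test target.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null

# 3. On each test target, trust it as a root and as a publisher.
#    Installing into Root is what makes a self-signed certificate chain-valid,
#    so keep this to test machines and remove it when the machine is retired.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 4. Sign the driver and fail loudly if the signature did not apply cleanly.
$sig = Set-AuthenticodeSignature -FilePath $DriverSys -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# 5. Verify the way the target will: Status is 'Valid' only if the chain
#    terminates in a trusted root on this machine.
$check = Get-AuthenticodeSignature -FilePath $DriverSys
"{0}: {1} (signer {2})" -f $DriverSys, $check.Status, $check.SignerCertificate.Subject

# Cleanup when a test machine is retired (removes the trust anchor again):
# Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $Subject | Remove-Item
```

Two caveats a practitioner would want next to this. First, a self-signed root in `Cert:\LocalMachine\Root` makes anything signed with that key trusted on that machine, so the private key should never be copied to the targets and the root should be removed once testing is done. Second, this only covers the certificate and trust-store side that Jake is talking about; on 64-bit Windows from Vista onward, kernel-mode code signing policy means a driver signed like this loads only with test signing enabled (`bcdedit /set testsigning on`), which is a separate mechanism from the XP-era WFP behaviour discussed in this thread.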
The reason it’s a PITA to disable is that if it were easy, viruses would
just do that (if you have admin privs, you’re screwed if you activate a
virus anyway, so having a way to kill the thread with admin privs is
reasonably harmless).
I’m not sure I understand what the problem is with having a debugger
connected (other debuggers could trigger the same behavior if they
wanted to take the trouble, so I don’t want to get into any wars of
WinDbg vs. SoftICE).
I generally only care about the fact that it’s a PITA if you’re actively
debugging and therefore have to do it a lot. If you’re actively
debugging, don’t you typically have a debugger attached?
Most of the time when I’m not debugging, I’d rather be protected against
doing something stupid like replacing/deleting my system files :-).
Michal Vodicka wrote:
> Well, if any active list member wants a utility which uses the SfcTerminateWatcherThread method and finds the WinLogon PID on its own, let me know. It simply stops WFP until next reboot. I have used it since SFC was introduced (~2000) and it seems to work for all available OS/SP versions up to XP SP1. I guess it works on w2k3, too, but I can’t remember if I really tested it or only planned. Memory corruption
>
> Don’t worry, it needs admin rights. And yes, I agree WFP is a PITA for developers and would appreciate it if MS created an official way to disable it which doesn’t need WinDbg connected. For example, a similar utility included in the Resource Kit.
>
> BTW, I wonder if I should ask Ratter for credit as I published this method here about a year ago
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http:://www.upek.com]
>
>----------
>From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Bill McKenzie[SMTP:xxxxx@conexant.com]
>Reply To: Windows System Software Devs Interest List
>Sent: Wednesday, June 16, 2004 4:08 PM
>To: Windows System Software Devs Interest List
>Subject: Re:[ntdev] Re[2]: WFP is evil
>
>I had heard about this, that is actually a pretty clever solution.
>
>Isn’t it wonderful the hoops we must jump through just to get some work
>done.
>
>–
>Bill McKenzie
>Software Engineer - Prism 802.11 Wireless Solutions
>Conexant Systems, Inc.
>
>
>“ivona prenosilova” wrote in message news:xxxxx@ntdev…
>>
>>>Hello,
>>>
>>>http://29a.host.sk/29a-7/Articles/29A-7.004
>>>maybe this could help …
>>>
>>>–
>>>Best regards,
>>>Ivona Prenosilova
>>>
>>>
>>
>>
>>
>
>
–
…/ray..
Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.
Seriously don’t think this is for virus protection
-pro
> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Ray Trent[SMTP:xxxxx@synaptics.spamblock.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Thursday, June 17, 2004 10:44 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] WFP is evil
>
> The reason it’s a PITA to disable is that if it were easy, viruses would
> just do that (if you have admin privs, you’re screwed if you activate a
> virus anyway, so having a way to kill the thread with admin privs is
> reasonably harmless).

It is a PITA because there isn’t an (official, supported) tool or documented API which would allow disabling it with admin rights. On the other hand, there are several undocumented ways to do it, so any virus can. There has to be a way because of SPs and hotfixes. It is security through obscurity.

> I’m not sure I understand what the problem is with having a debugger
> connected (other debuggers could trigger the same behavior if they
> wanted to take the trouble, so I don’t want to get into any wars of
> WinDbg vs. SoftICE).

I probably missed the part of the DDK docs which documents how to do it. SoftICE doesn’t, and connecting WinDbg just for this purpose is also a PITA. Next, I don’t use a debugger too much for driver development nowadays. Traces are usually sufficient.

> I generally only care about the fact that it’s a PITA if you’re actively
> debugging and therefore have to do it a lot. If you’re actively
> debugging, don’t you typically have a debugger attached?

Usually I have only DbgView started. A debugger is necessary only if I make some really stupid coding bug or need to examine OS behaviour.

> Most of the time when I’m not debugging, I’d rather be protected against
> doing something stupid like replacing/deleting my system files :-).

Yes, the WFP idea is a good one. Implementation is the problem, as usual.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]
I’ve been told that WFP does not work on FAT32. Is this true?
ned
Programmers Society

Prokash Sinha wrote:
> Seriously don’t think this is for virus protection
> -pro
> I’ve been told that WFP does not work on FAT32 …
I doubt this stmt. It should work on FAT32 BASED SYSTEMS TOO. Find it hard to reason the other way.
Here mostly the discussion is around *Disabling* the feature when some one needs to replace protected components …
-pro
> I’m not sure I understand what the problem is with having a debugger
> connected

Perhaps you didn’t read my original post, I have yet to boot that particular
machine without a debugger attached.

> The reason it’s a PITA to disable is that if it were easy, viruses would
> just do that

How hard is it to go rename all of the cab files? Well, except ones you
didn’t realize were there.
I have yet to see a good reason why an admin shouldn’t be able to disable
something like this easily. An admin could certainly disable it anyway.
–
Bill McKenzie
Software Engineer - Prism 802.11 Wireless Solutions
Conexant Systems, Inc.
“Ray Trent” wrote in message
news:xxxxx@ntdev…
> The reason it’s a PITA to disable is that if it were easy, viruses would
> just do that (if you have admin privs, you’re screwed if you activate a
> virus anyway, so having a way to kill the thread with admin privs is
> reasonably harmless).
>
> I’m not sure I understand what the problem is with having a debugger
> connected (other debuggers could trigger the same behavior if they
> wanted to take the trouble, so I don’t want to get into any wars of
> WinDbg vs. SoftICE).
>
> I generally only care about the fact that it’s a PITA if you’re actively
> debugging and therefore have to do it a lot. If you’re actively
> debugging, don’t you typically have a debugger attached?
>
> Most of the time when I’m not debugging, I’d rather be protected against
> doing something stupid like replacing/deleting my system files :-).
>
> Michal Vodicka wrote:
>
> > Well, if any active list member wants a utility which uses the
> > SfcTerminateWatcherThread method and finds the WinLogon PID on its own,
> > let me know. It simply stops WFP until next reboot. I have used it since
> > SFC was introduced (~2000) and it seems to work for all available OS/SP
> > versions up to XP SP1. I guess it works on w2k3, too, but I can’t
> > remember if I really tested it or only planned. Memory corruption
> >
> > Don’t worry, it needs admin rights. And yes, I agree WFP is a PITA for
> > developers and would appreciate it if MS created an official way to
> > disable it which doesn’t need WinDbg connected. For example, a similar
> > utility included in the Resource Kit.
> >
> > BTW, I wonder if I should ask Ratter for credit as I published this
> > method here about a year ago
> >
> > Best regards,
> >
> > Michal Vodicka
> > UPEK, Inc.
> > [xxxxx@upek.com, http:://www.upek.com]
> >
> >
> >>----------
> >>From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Bill McKenzie[SMTP:xxxxx@conexant.com]
> >>Reply To: Windows System Software Devs Interest List
> >>Sent: Wednesday, June 16, 2004 4:08 PM
> >>To: Windows System Software Devs Interest List
> >>Subject: Re:[ntdev] Re[2]: WFP is evil
> >>
> >>I had heard about this, that is actually a pretty clever solution.
> >>
> >>Isn’t it wonderful the hoops we must jump through just to get some work
> >>done.
> >>
> >>–
> >>Bill McKenzie
> >>Software Engineer - Prism 802.11 Wireless Solutions
> >>Conexant Systems, Inc.
> >>
> >>
> >>“ivona prenosilova” wrote in message news:xxxxx@ntdev…
> >>
> >>>Hello,
> >>>
> >>>http://29a.host.sk/29a-7/Articles/29A-7.004
> >>>maybe this could help …
> >>>
> >>>–
> >>>Best regards,
> >>>Ivona Prenosilova
> >>>
> >>>
> >>
> >
> >
>
> –
> …/ray..
>
> Please remove “.spamblock” from my email address if you need to contact
> me outside the newsgroup.
>