> If DriverEntry isn’t called, then there is most likely an undefined
> symbol (or possibly a dependent DLL load that fails.) In general, MM
This can be confirmed by using the 64-bit version of DEPENDS.EXE.
Since the driver file is just an ordinary PE file, Depends.exe
is able to look at its imports and also say if some of them
are missing in NTOSKRNL.exe or HAL.DLL.
BTW, have you tried to watch the load driver operation with
FileSpy? You will at least find if there was an attempt to open
the SYS file or not (sorry for giving you such stupid advice,
but I always say "Never trust myself and check, check, check" :-))
L.
I had that error due to ImagePath syntax. The syntax for my driver on WXP32 was wrong on WXP64.
What’s exactly your ImagePath value?
From: Dejan Maksimovic
Reply-To: “Windows File Systems Devs Interest List”
To: “Windows File Systems Devs Interest List”
Subject: [ntfsd] x64 driver
Date: Wed, 20 Dec 2006 00:45:31 +0100
>
> Hi,
>
> I’m hoping this is something simple I have overlooked, but I
>can’t figure it out yet…
> I have a 64-bit driver that won’t load, and fltmc load Drv says
>“The system cannot find the file specified.”. When I check for
>file/registry activity, the load only goes through
>CurrentControlSet001\Drv and queries ObjectName value - absolutely
>nothing else related to the driver is seen in the output.
> It is not a digital signature issue, that is the only thing I
>can safely rule out. The driver is installed via Inf method.
>
> Any ideas? The only thing I can think of is unsupported APIs on
>the 64-bit OS, but that should pop a box saying so.
>
>–
>King regards, Dejan
>http://www.alfasp.com
>File system audit, security and encryption kits.
>
>
>
>—
>Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com
>To unsubscribe send a blank email to xxxxx@lists.osr.com
Have you checked the linkage of your driver? It’s possible the linking is
incorrect hence the file not found error message (eg the file not found is
not your driver but the missing dll).
Or is the driver not even opened? From what I read you say only the registry
entry is queried and then nothing? Try to make sure your image is opened for
loading.
–
EA
Same issue on XP64.
OK, I’ve tracked the issue down. Unresolved externals (Thanks, Tony, I assumed
it would pop a message, rather than require me to go through the event log for this).
Strange, the linker for the crypto driver generated a LIB that sets imports
from a .DLL instead of the .SYS file.
Dejan.
MM wrote:
> Vista64?
–
King regards, Dejan
I often overlook the small issues (not to say I always look at the bigger picture
;-).
A checklist is definitely not stupid. I did look with Process Monitor. Absolutely
no references to my driver file! And it was a linker error, that caused unresolved
externals. I’m puzzled.
(Solved, yes)
> BTW, have you tried to watch the load driver operation with FileSpy? You will at
> least find if there was an attempt to open the SYS file or not (sorry for giving
> you such stupid advice, but I always say "Never trust myself and check, check,
> check" :-))
–
King regards, Dejan
System32\Drivers\Drv.sys
Same as any IFS Kit sample uses and works.
Alejandra Rodriguez Varela wrote:
> I had that error due to ImagePath syntax. The syntax for my driver on
> WXP32 was wrong on WXP64.
> What’s exactly your ImagePath value?
–
King regards, Dejan
I solved the issue but am still puzzled. This is what happened: DrvA.sys is the
mini-filter, DrvC.sys is the crypto module (nothing other than crypto exports). Now
the linker, when it generated the DrvC.sys, has generated DrvC.lib which,
incorrectly, imports from DrvC.dll. I know it is the right LIB file, because the
driver has completely different functions from the DLL.
Now the strange part is the Process Monitor, or any file monitoring proggie, does
not show access to DrvA.sys, even though the error is obvious now (it was missing
DrvC.dll which does not exist of course;-)
Dejan.
“Edouard A.” wrote:
> Have you checked the linkage of your driver? It’s possible the linking is
> incorrect hence the file not found error message (eg the file not found is
> not your driver but the missing dll).
> Or is the driver not even opened? From what I read you say only the registry
> entry is queried and then nothing? Try to make sure your image is opened for
> loading.
> –
> EA
–
King regards, Dejan
> A checklist is definitely not stupid. I did look with Process Monitor.
> Absolutely
Try the breakpoint in MmLoadSystemImage, then in some MiXxx functions called by
it.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
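
Added example, not code from any post in this thread: the import check that DEPENDS.EXE performs, as a small parser that lists the modules a driver image imports and reports those that are neither in an assumed kernel-provided set (`KERNEL_MODULES`) nor present beside the driver. The function names are this example's own, and `build_sample` constructs a minimal PE32+ image so the check can run without a real driver.

```python
import struct

# Assumed baseline of modules the kernel already provides to a mini-filter.
KERNEL_MODULES = {"ntoskrnl.exe", "hal.dll", "fltmgr.sys"}

def imported_modules(image: bytes) -> list:
    """Module names listed in a PE32/PE32+ image's import directory."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    opt = pe + 24
    dirs = opt + {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", image, opt)[0]]
    imp_rva = struct.unpack_from("<I", image, dirs + 8)[0]  # directory 1 = imports
    sections = [struct.unpack_from("<8xIIII", image, opt + opt_size + 40 * i)
                for i in range(nsect)]  # (vsize, rva, raw_size, raw_ptr)
    def offset(rva):
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return raw_ptr + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")

    names, pos = [], offset(imp_rva) if imp_rva else None
    while pos is not None:
        name_rva = struct.unpack_from("<12xI", image, pos)[0]
        if name_rva == 0:  # a descriptor with Name == 0 ends the table
            break
        start = offset(name_rva)
        names.append(image[start:image.index(b"\0", start)].decode("ascii"))
        pos += 20
    return names

def missing_modules(image: bytes, present: set) -> list:
    """Imports neither kernel-provided nor present beside the driver."""
    known = KERNEL_MODULES | {p.lower() for p in present}
    return [m for m in imported_modules(image) if m.lower() not in known]

def build_sample(modules: list) -> bytes:
    """Constructed minimal PE32+ image holding only an import table."""
    rva, raw, table = 0x1000, 0x200, 20 * (len(modules) + 1)
    # Each name is padded to 16 bytes so its RVA is easy to compute.
    descs = b"".join(struct.pack("<12xI4x", rva + table + 16 * i)
                     for i in range(len(modules)))
    strings = b"".join(m.encode().ljust(16, b"\0") for m in modules)
    body, hdr = descs + bytes(20) + strings, bytearray(raw)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<HH12xH2xH", hdr, 0x44, 0x8664, 1, 240, 0x20B)
    struct.pack_into("<II", hdr, 0xD0, rva, table)                # import directory
    struct.pack_into("<8sIIII", hdr, 0x148, b".rdata", len(body), rva, len(body), raw)
    return bytes(hdr) + body
```

For the situation described in the thread, `missing_modules(build_sample(["ntoskrnl.exe", "FLTMGR.SYS", "DrvC.dll"]), {"DrvA.sys", "DrvC.sys"})` reports `DrvC.dll`, the module name the import library pointed at instead of `DrvC.sys`.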