Rebooting after file system filter driver install

We have a streaming product (streaming an executable from a server like
a website instead of installing the whole thing) that relies on a file
system filter driver (written by us). After installation this requires
a reboot so that we can handle the AV products correctly. Precisely
this is what is happening:

We are installing a file filter driver that should see all the Reads to
the system drive. For this to happen, we are registering the file filter
driver to load on boot so that the driver will be able to see Reads that
go from anywhere to the File System. Specifically, Anti Viruses usually
load in the ‘Anti Virus’ group (also on boot) and we need to load on
boot to see Reads initiated by those. Currently, when we install the
product (and the driver) we wait until the next reboot to attach the
driver to the system drive. The challenge: to be able to install and
attach the driver without the need to reboot the machine while keeping
the ability to see all the Reads that go to the file system.

The question is whether we can do anything to avoid the reboot (at
least during the initial install). If anyone has done this
(installing a file system filter driver without a reboot) we would like
to give you an outsourced project since this is important to us.

Let me know if anyone has any good ideas.

Regards,

Venky

> The challenge: to be able to install and
> attach the driver without the need to reboot the machine while keeping
> the ability to see all the Reads that go to the file system.

To achieve this, you would have to be able to install
the filter into the middle of filter stack (above FS,
but under antivirus). This is not possible,
because filters normally save pointers to lower
devices and you are unable to patch them.

L.
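The reason given above, that each legacy filter saves its own pointer to the device below it, can be shown with a small user-mode model. This is an added example, not code from the thread; the `Device` struct and helper names are constructed and only mimic attach-to-top behaviour.

```c
#include <stdio.h>

/* Constructed user-mode model of a legacy filter stack; not real WDM code. */
typedef struct Device {
    struct Device *lower;    /* saved once at attach time, never patched */
    struct Device *attached; /* device attached directly above this one */
    int reads_seen;
} Device;

/* Legacy attach always lands on the current top of the stack. */
static void attach_to_top(Device *filter, Device *base) {
    Device *top = base;
    while (top->attached) top = top->attached;
    top->attached = filter;
    filter->lower = top;
}

static Device *stack_top(Device *base) {
    while (base->attached) base = base->attached;
    return base;
}

/* A read travels down through each device's saved lower pointer. */
static void send_read(Device *entry) {
    for (Device *d = entry; d; d = d->lower) d->reads_seen++;
}

/* One application read plus one AV-originated read; returns how many the
   streaming filter saw. stream_first = 1 models boot-time load before AV. */
int reads_seen_by_stream(int stream_first) {
    Device fs = {0}, av = {0}, stream = {0};
    if (stream_first) { attach_to_top(&stream, &fs); attach_to_top(&av, &fs); }
    else              { attach_to_top(&av, &fs); attach_to_top(&stream, &fs); }
    send_read(stack_top(&fs)); /* application read enters at the top */
    send_read(av.lower);       /* AV sends its own read to its saved lower device */
    return stream.reads_seen;
}

int main(void) {
    printf("attached after AV (no reboot): %d of 2 reads\n", reads_seen_by_stream(0));
    printf("attached before AV (boot):     %d of 2 reads\n", reads_seen_by_stream(1));
    return 0;
}
```

In the model, a filter attached after the AV filter sits above it and misses the read the AV filter sends straight to its saved lower device, which is why the boot-time load order matters to the original poster.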

On Wed, 26 May 2004 22:16:24 -0700, Srinivasa Venkataraman
wrote:

>
>
> The question is whether we can do anything to avoid the reboot (at
> least during the initial install). If anyone has done this
> (installing a file system filter driver without a reboot) we would like
> to give you an outsourced project since this is important to us.
>

I am pretty sure that FILEMON from www.sysinternals.com does this all the
time.

The source code used to be available for download (I have it but I am not
licensed to send it to you). If you don’t have it, the people at sysinternals
actually say that you can license the code from them (for money).

Anyway, at first glance it seems they simply do a regular IoAttachDevice at
the top of the stack for each drive they want, and just never unload until
the next reboot (“unmonitoring a drive” just clears a bool in the
deviceextension, so they stop modifying the Irps and FastIo calls).

Jakob


#include <disclaimer.h>

> I am pretty sure that FILEMON from www.sysinternals.com does this all the
> time.

Yes, it does. But it does not attach itself *under* an existing
filter, which the original question was about.

L.

On Thu, 27 May 2004 09:08:12 +0200, Ladislav Zezula
wrote:

>> I am pretty sure that FILEMON from www.sysinternals.com does this all
>> the time.
>
> Yes, it does. But it does not attach itself under an existing
> filter, which the original question was about.
>

Ah, tough. In that case more methods are needed:

trick A: If possible, use IOCTLs (from user mode) to unmount and remount
the Volume.

trick B: Use “stealth hooking” as taught in the OSR Advanced Drivers class
(I use it for many things, before I took the class too, but the class gives a
brief intro for those who don’t already know the technique).

trick C: Attach to the Volume / disk, not the FS. This may get you under
the FS and filters.


#include <disclaimer.h>

Venky,

Due to the current design of the IO System, having a filter insert into
the middle of the IO Stack is not possible.

The 3 suggestions given below are possibilities but they have some
caveats:

A) You can’t do this to the system volume.

B) Microsoft highly discourages filters doing direct hooking. In a
future release of Windows this will no longer be allowed.

C) This is a reasonable suggestion if you could make it work for your
product.

Fortunately there is hope in the long term. This is one of several
issues addressed by the Filter Manager. The filter manager will allow
filters to load at any time and to be inserted into the middle of the IO
Stack.

Due to our need to interoperate with existing filters, you will not be
able to take full advantage of this until all filters have been
converted to use the filter manager. This is why we are strongly
encouraging everyone to start porting to the filter manager.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights.


At the cost of asking an answered question, any time frame for when the FM will
be released (i.e. not beta/RC)?

> Due to our need to interoperate with existing filters, you will not be
> able to take full advantage of this until all filters have been
> converted to use the filter manager. This is why we are strongly
> encouraging everyone to start porting to the filter manager.


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

It will be released as part of XP SP2 (which will be very soon).

It will be released as part of Srv03 SP1 (relatively soon).

We are actively working on generating a redistributable QFE that will
work on W2K SP4. I hope to be able to give you a release plan for that
very soon. This implies it will be part of W2K SP5 when that is
released as well.

It will also be released as part of Longhorn.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights.


QL. 10x (Cool, Thanks:-)

Neal Christiansen wrote:

> It will be released as part of XP SP2 (which will be very soon).
> It will be released as part of Srv03 SP1 (relatively soon).
> We are actively working on generating a redistributable QFE that will
> work on W2K SP4. I hope to be able to give you a release plan for that
> very soon. This implies it will be part of W2K SP5 when that is
> released as well.
> It will also be released as part of Longhorn.


Kind regards, Dejan M. MVP for DDK