Running Context of the Prefetcher.

Hey All,
I work on a whitelisting product which also provides features that protect against buffer overflow attacks. The thing is that when the prefetcher creates a section on certain DLLs I need to deny it (say from acquire-for-section-sync), as I don't want sections of these DLLs cached. Is it necessary that the prefetcher will work in the context of the "System" process for this particular operation, i.e. nt!CcPfPrefetchSections? If yes, then simply failing the create sections for the System process will be a loose detection and should work.

I have tested this to be true but want to be sure.
The OS in question is Windows XP.

Hi,

I am still looking for an answer. Could someone please help answer my query?

Thanks in advance

On Mon, Apr 27, 2015 at 3:47 PM, wrote:

> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Look for the Prefetcher ECP.
I think there is code showing how to do it in the AV sample in the WDK.
On Apr 29, 2015 11:19 AM, "Himanshu Yadav" wrote:


I must say though that your solution does not sound like the best way to go.
First of all, you can disable the Prefetcher and Superfetch from Windows settings without a driver.
For Superfetch, just go into Services and disable the Superfetch service; for the Prefetcher, use the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
There you will have to change the value EnablePrefetcher and set it to:
0 - Disables the Prefetcher
1 - Enables Prefetch for applications only
2 - Enables Prefetch for boot files only
3 - Enables Prefetch for boot and application files

Your customers will have some significant performance issues with these disabled, so your product must make up for it :)

Have fun.

ECPs are only Vista plus... my problem area is XP.

On Wed, Apr 29, 2015 at 3:02 PM, Gabriel Bercea wrote:


Then just disable it from the registry and, with the Cm callbacks (registry callbacks), monitor the key so it is not enabled again.
In XP it is enabled by default for both boot and applications.
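The registry procedure above (set EnablePrefetcher, disable the Superfetch service) and the follow-up suggestion to watch the key so it is not turned back on, written out as an added example; this is not code from the thread or from either poster's product. It assumes an elevated PowerShell 2.0 or later session (XP SP3 supports PS 2.0), that the Superfetch service is named SysMain where it exists (it does not on XP, so that step is skipped there), and that the caller has reviewed the performance trade-off Gabriel mentions. The watcher uses a user-mode WMI registry event, which is an audit aid only; it is not the kernel Cm callback the thread recommends, and anything running as administrator can stop it.

```powershell
# Added example, not from the thread. Disable the Windows prefetcher through the
# registry, disable Superfetch where present, and watch EnablePrefetcher so a
# re-enable is noticed. Run elevated. The registry change takes effect at next boot.

$PrefetchKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$PrefetchValueName = 'EnablePrefetcher'

# Meaning of EnablePrefetcher, as listed in the thread.
$PrefetchModes = @{ 0 = 'Disabled'; 1 = 'Applications only'; 2 = 'Boot files only'; 3 = 'Boot and application files' }

function Get-PrefetcherMode {
    $item = Get-ItemProperty -Path $PrefetchKeyPath -Name $PrefetchValueName -ErrorAction Stop
    $mode = [int]$item.$PrefetchValueName
    New-Object PSObject -Property @{ Value = $mode; Meaning = $PrefetchModes[$mode] }
}

function Disable-Prefetcher {
    # Record the current setting first so the change can be reverted.
    $before = Get-PrefetcherMode
    Set-ItemProperty -Path $PrefetchKeyPath -Name $PrefetchValueName -Value 0 -Type DWord

    # Superfetch (service name SysMain, assumed here) exists on Vista and later only;
    # on XP Get-Service returns nothing and this block is skipped.
    $svc = Get-Service -Name 'SysMain' -ErrorAction SilentlyContinue
    if ($svc) {
        Stop-Service -Name 'SysMain' -Force -ErrorAction SilentlyContinue
        Set-Service -Name 'SysMain' -StartupType Disabled
    }

    $after = Get-PrefetcherMode
    "EnablePrefetcher: $($before.Value) ($($before.Meaning)) -> $($after.Value) ($($after.Meaning))"
}

# User-mode watcher: RegistryValueChangeEvent (root\default namespace) fires when the
# value changes. The action block runs in its own runspace, so paths are repeated
# literally inside it. This only reacts after the write has landed; a kernel
# CmRegisterCallback-based driver, as suggested in the thread, can veto the write.
function Start-PrefetcherWatch {
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\PrefetchParameters' " +
             "AND ValueName='EnablePrefetcher'"
    Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier 'PrefetcherWatch' -Action {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
        $mode = (Get-ItemProperty -Path $key -Name 'EnablePrefetcher').EnablePrefetcher
        if ($mode -ne 0) {
            Write-Warning "EnablePrefetcher changed to $mode at $(Get-Date); re-applying 0"
            Set-ItemProperty -Path $key -Name 'EnablePrefetcher' -Value 0 -Type DWord
        }
    } | Out-Null
}

function Stop-PrefetcherWatch {
    Unregister-Event -SourceIdentifier 'PrefetcherWatch' -ErrorAction SilentlyContinue
}

# Usage:
Disable-Prefetcher
Start-PrefetcherWatch
```

Get-PrefetcherMode is worth running on its own before changing anything; on a stock XP box it should report 3 (boot and application files), matching the default stated in the thread. Stop-PrefetcherWatch removes the event subscription when the session is done with it.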