Some questions about storage filter drivers’ implementation and installation.
I am a newbie to Windows driver implementation and this is my first time posting a question here.
I want to make a storage filter driver (SFD) to capture commands sent to the hard disk in Windows 10.
And somehow the disk became non-functional after I installed my SFD.
My questions are:
Could there be any problem in my implementation?
Did I install the driver the correct way?
Then I got my harddisk (of name /Device/0000006a) not functional anymore. From device manager I see that device has a yellow triangle with exclamation mark.
Well… sigh. My first point would be that you should almost certainly be writing a WDF driver, not a WDM driver. Your work will be completed more quickly, it’ll be easier, and you’ll be a happier person at the end of the day.
Really.
I don’t see anything obviously wrong in the driver code you posted. But it’s a WDM driver, and reviewing WDM code is notoriously error prone and difficult. As one of the Windows developers said to me one day over a beer about WDM:
“When an experienced dev can’t cut a chunk of code out of a working driver, and paste it into another driver he’s working on and know in advance if it has a good chance of being correct, SOMEthing is wrong with the driver model.”
OK… so now that I’ve complained about that… I’d say your problem PROBABLY lies in your installation process. I’m not familiar with AddFilter… maybe somebody else can help you there.
I wish I could give you more help. But the best help I can give you is to use WDF not WDM…
That tool does not create a “services” registry entry for your driver.
Did you do that? Remember that drivers in the kernel are not referenced
by file name. They are always referenced by service name, and the
service points to the binary. Try this in a command shell:
   sc query DiskTrace
If it says the service does not exist, then you need to create it.
   sc create DiskTrace binPath= \SystemRoot\System32\Drivers\DiskTrace.sys type= kernel start= demand
Note that the spacing there is critical, and unusual. The “=” must be
attached to the parameter name, and must be followed by a space.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
This is a bad analogy. Any experienced dev will certainly know in advance that cutting and pasting any WDM code from one code base to another is highly unlikely to work. Maybe he already had some of the beer ???
Thank you all! Problem solved and this IS an installation problem!
@Peter Thanks for the advice about using WDF. Since I cannot find WDF SFD example to start with, so I stick to WDM, in which framework I can find two examples on internet.
@Tim, after I installed the service with the command you suggested, I could now see the dbg message when the disk is accessed.
   sc create DiskTrace binPath= \SystemRoot\System32\Drivers\DiskTrace.sys type= kernel start= demand
This is a great community!
For those newbies who might have same installation problem, here are some tips.
Having written multiple WDM storage filters, I would never do one again
after WDF. If you cannot figure out how to take a basic WDF filter (such as
from Toaster) and make it work in the storage stack, then you have no
business being in the storage stack period.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, February 22, 2018 10:22 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Storage filter drivers’s implementation and installation
Install
===========
   # copy driver to system driver folder
   copy /y ".\x64\Debug\DiskTrace.sys" c:\windows\system32\drivers*
>so I stick to WDM, in which framework I can find two examples on internet.
The problem with WDM is that you won’t know if the two samples you’ve found are CORRECT.
But… whatever. Just know that you’re spending your time learning and debugging a technology that is old, deprecated, annoying, and highly prone to error. Conservatively speaking, I’ve worked on well over 100 WDM drivers in my career… and – except for some very specific cases (software only drivers, drivers that are very “IRP-oriented”) I hope to never work on a WDM driver ever again.
Peter, Don, Thanks for pointing to the WDF direction. I am checking if I could make a project working based on Toaster filter sample, based on WDF framework.
On my WDM driver I can capture the IRP_MJ_SCSI (same as IRP_MJ_INTERNAL_DEVICE_CONTROL) event in the dispatch callback function. I set the filter as a lower filter of device, and when disk is being read/write, I can see the IRP_MJ_SCSI got captured and CDB is correctly set as a read/write as the SCSI command.
the code: https://github.com/noguxun/StorTrace/blob/master/DiskTrace/DiskTrace.c
However things are not so smooth on the WDF driver.
On the WDF driver I assume I should set a Queue’s EvtIoInternalDeviceControl callback to get the IRP_MJ_INTERNAL_DEVICE_CONTROL event, however, from the log, seems I did not get them.
This is how I set the callback of the queue dispatch function
When you asked earlier questions you were using the DiskPerf sample and
AddFilter, these are for an upper filter to the disk driver. An upper
filter will not be seeing IRP_MJ_SCSI, it will see Read, Write and IOCTL
IRP’s.
I figured out that it is a problem during the installation. My script added the filter as an upper filter (just like Scott pointed out); after I changed my script to install it as a lower filter (same as my WDM driver), the WDF version starts to work perfectly.
WDF is much cleaner for coding. Will stick to that direction.
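An added example (not code from this thread or from any of its posters): a read-only PowerShell audit for the two installation mistakes discussed above, a filter listed on a disk with no matching service entry, and a filter attached as an upper filter when a lower filter was intended. It assumes the standard registry locations for device-level and class-level filter lists and the Get-PnpDevice cmdlet that ships with Windows 10.

```powershell
# Added example: read-only audit of the filter drivers attached to disk devices.
$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Standard DiskDrive setup class key (class-wide filters live here).
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

function Test-FilterService {
    param([string]$Name, [string]$Position, [string]$Scope, [string]$Device)
    $svc    = Get-ItemProperty -LiteralPath (Join-Path $svcRoot $Name) -ErrorAction SilentlyContinue
    $image  = $null
    $status = 'OK'
    if (-not $svc) {
        $status = 'NO SERVICE KEY'      # listed as a filter but never registered (sc create)
    } elseif ($svc.Type -ne 1) {
        $status = "Type=$($svc.Type), expected 1 (kernel driver)"
    } elseif (-not $svc.ImagePath) {
        $status = 'IMAGEPATH NOT SET'
    } else {
        # Normalise \SystemRoot\..., \??\C:\... and relative System32\... forms.
        $image = $svc.ImagePath -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
        if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
        if (-not (Test-Path -LiteralPath $image)) { $status = 'BINARY MISSING' }
    }
    [pscustomobject]@{
        Device = $Device; Scope = $Scope; Position = $Position
        Filter = $Name;   Image = $image; Status   = $status
    }
}

$class  = Get-ItemProperty -LiteralPath $classKey -ErrorAction SilentlyContinue
$report = foreach ($dev in Get-PnpDevice -Class DiskDrive -PresentOnly) {
    $inst = Get-ItemProperty -LiteralPath (Join-Path $enumRoot $dev.InstanceId) -ErrorAction SilentlyContinue
    foreach ($pos in 'UpperFilters', 'LowerFilters') {
        # Device-level list first, then the class-wide list that applies to every disk.
        foreach ($name in @($inst.$pos) | Where-Object { $_ }) {
            Test-FilterService -Name $name -Position $pos -Scope 'device' -Device $dev.InstanceId
        }
        foreach ($name in @($class.$pos) | Where-Object { $_ }) {
            Test-FilterService -Name $name -Position $pos -Scope 'class' -Device $dev.InstanceId
        }
    }
}
$report | Sort-Object Device, Position | Format-Table -AutoSize
```

A row with Status `NO SERVICE KEY` is the state described earlier in the thread, where the filter was added to the disk before `sc create` had registered the service; the Position column shows whether a filter ended up in `UpperFilters` or `LowerFilters`.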