System Restore has probs with my FS filter

When my FS filter is loaded during bootup I get the following message in
the System Log: The System Restore filter encountered the unexpected error
‘0xC0000001’ while processing the file ‘’ on the volume ‘HarddiskVolume1’.
It has stopped monitoring the volume.

Anyone have any ideas how I could debug this? Unfortunately FileMon
doesn’t have a log boot option or I might get a clue that way.

Anyone know what SR is doing during the boot process?

Thx

Scott

On boot, SR doesn’t do anything special – it’s just doing what it
always does which is looking for changes to the set of files it monitors
(generally .exe, .dll, .ini, and the like), then logging the changes and
possibly renaming or copying the file to its restore location (under the
\System Volume Information directory). The large majority of IO
operations that SR will generate to do this work will not be seen by
filters above SR in the filter stack.

I’ve got a couple questions for you:

  1. Are you loaded above or below SR in the filter stack?
  2. Are there any operations which your filter fails that would generally
    succeed if your filter was not present (like maybe some set of
    functionality that you have not yet implemented)?

Thanks,
Molly Brown
Microsoft Corporation

This posting is provided “AS IS” with no warranties and confers no
rights.

Check if there are other (besides yours and SR) FS filters in the stack. They
might fail some IO operation.

WBR
Primoz

Molly,

  1. Are you loaded above or below SR in the filter stack?

For security reasons we attempt to load multiple times. According to the
boot log our first load is prior to SR. We fail subsequent loadings once
successfully loaded.

  2. Are there any operations which your filter fails that would generally
    succeed if your filter was not present (like maybe some set of
    functionality that you have not yet implemented)?

Our filter is a file-hiding filter. As a precaution against unauthorized
users disabling it we hide the driver file once loaded. Could prob be SR
sees subsequent loading attempts on a filter it can’t locate?

Thx,

Scott

Scott,

What does “loading” entail for you? Once your filter’s DriverEntry has
returned STATUS_SUCCESS, it should not be called again. Also, the OS
loading a driver does not change the .sys file in any way that would
cause SR to want to back it up.

Are you maybe trying to overwrite the driver file in the
%systemroot%\system32\drivers directory before you actually load the
driver?

I don’t think that you really want to hide your driver file. It is very
useful for users to be able to see what driver files are on the system.
They are not interested in modifying the file, just to read the file
name and timestamp information.

You should be able to achieve your desired result of protecting your
driver by failing operations which would modify your driver file, e.g.
failing creates which ask for write access, failing creates which would
overwrite your .sys file, etc.

Thanks,

Molly Brown
Microsoft Corporation

This posting is provided “AS IS” with no warranties and confers no
rights.
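
The approach suggested above (fail creates that would modify the driver file, rather than hiding it), shown as the decision a create handler would make. This is an added example, not code from the thread: the protected path and the function name are hypothetical, and it is written as portable C with constants copied from the Windows headers so the logic can be run outside a driver.

```c
#include <stdint.h>
#include <ctype.h>

/* Values as defined in the Windows headers. */
#define STATUS_SUCCESS        0x00000000u
#define STATUS_ACCESS_DENIED  0xC0000022u
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_WRITE_EA         0x00000010u
#define FILE_READ_ATTRIBUTES  0x00000080u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define DELETE_ACCESS         0x00010000u  /* named DELETE in winnt.h */
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u
#define GENERIC_ALL           0x10000000u
#define GENERIC_WRITE         0x40000000u
#define FILE_SUPERSEDE        0u           /* create dispositions */
#define FILE_OPEN             1u
#define FILE_OVERWRITE        4u
#define FILE_OVERWRITE_IF     5u
#define FILE_DELETE_ON_CLOSE  0x00001000u  /* create option */

#define MODIFY_ACCESS (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
    FILE_WRITE_ATTRIBUTES | DELETE_ACCESS | WRITE_DAC | WRITE_OWNER |       \
    GENERIC_WRITE | GENERIC_ALL)

/* Hypothetical protected file, volume-relative (constructed for this example). */
static const char *PROTECTED = "\\WINDOWS\\system32\\drivers\\myfilter.sys";

/* Case-insensitive path comparison, as file names on NTFS normally are. */
static int same_path(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Status to complete a create with. 'options' is packed the way
 * IrpSp->Parameters.Create.Options is: disposition in the high 8 bits,
 * create options in the low 24 bits. */
uint32_t precreate_status(const char *path, uint32_t desired_access, uint32_t options) {
    uint32_t disposition = (options >> 24) & 0xFFu;
    uint32_t create_opts = options & 0x00FFFFFFu;

    if (!same_path(path, PROTECTED)) return STATUS_SUCCESS;  /* not our file */
    if (desired_access & MODIFY_ACCESS) return STATUS_ACCESS_DENIED;
    if (disposition == FILE_SUPERSEDE || disposition == FILE_OVERWRITE ||
        disposition == FILE_OVERWRITE_IF) return STATUS_ACCESS_DENIED;
    if (create_opts & FILE_DELETE_ON_CLOSE) return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;  /* read-only opens still see name, timestamps, contents */
}
```

Renames and deletes requested on an already open handle arrive as set-information requests rather than creates, so they need their own check.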
