This isn’t due to SFP, but due to an implementation difference between the boot debugger and the kernel debugger.
For various implementation convenience reasons, when pulling a file from kd, the boot debugger reads the whole thing into a memory buffer and just takes that as the file data. The full-blown kernel debugger (stub) in ntos, however, reads the file from kd and writes it back out to disk, then continues to load the file (driver) as normal (from disk once more).
S (Msft)
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@broadcom.com
Sent: Tuesday, March 29, 2011 10:48 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Trying to prevent PnP driver from auto-loading during driver development?
“One possible
exception, which I have had no reason to test, is in loading a replacement for something shipped with the OS, such as FastFat.”
.kdfiles only takes effect when the image is actually in the process of being loaded. FastFat I guess is boot-load type, so you may not get a chance to intercept its load. Also, system file protection may kick in and replace it back at once.
No, NTFS is also set to demand start on that machine. Disabled will still
load as well if somebody tries to mount a suitably formatted volume.
This is decidedly not my area, but I think that that’s documented.
Mm
On Mar 29, 2011 9:28 PM, wrote: > “Oddly enough, I used .kdfiles with fastfat a few weeks ago, and you can > intercept it. It seems to be demand start on Win7 at least” > > I guess that’s because Windows (Vista+) doesn’t support boot from FAT anymore. Good riddance, I’d say. > > — > NTDEV is sponsored by OSR > > For our schedule of WDF, WDM, debugging and other seminars visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
In driver entry (or the add device) function check for the time.
If the time is less than 30 seconds this is boot, so return an error. After you boot, you can manually replace the file and then disable/enable the device.
The code looks something like:
{
int QueryTimeIncrement = KeQueryTimeIncrement();
LARGE_INTEGER Ticks;
KeQueryTickCount(&Ticks);
if (Ticks.QuadPart * QueryTimeIncrement / 10000 < 30000) // 10,000 moves from 100ns to ms
{
return STATUS_NO_MEMORY;
}
}
Tzachi
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-447333- xxxxx@lists.osr.com] On Behalf Of xxxxx@jungo.com
Sent: Wednesday, March 30, 2011 4:42 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Trying to prevent PnP driver from auto-loading during
driver development?
This what I do with faulty PnP drivers:
Boot in “Safe Mode”, your driver will not load.
Delete your .sys
Reboot in “Normal mode”.
Steps 2,3 you can wrap in a nice .BAT file that looks something like this:
del %SystemRoot%\system32\drivers\mydrv.sys
shutdown -r -t 0
Then the entire debug cycle gets even faster, though not as fast as with Linux
