unloading tcp filter driver?

ChuckN · May 8, 2006, 11:05am

Hey ho,
i want to detach a filter driver I attached to the “\Device\Tcp”-device.
Unfortunately, there is one little problem. Sometimes I get a
BSOD(“DRIVER_UNLOADED_WITHOUT_CANCELING_PENDING_OPERATIONS”).
The problem is, that some applications like MSN or Browser still want to do
I/O to my filter device, even when its unloaded. What can I do aginst that?
How can I detect, wheather there are still “connections” on my device?
Thx,
Chuck

ChuckN · May 8, 2006, 11:11am

Ah, i got an idea. PointerCount and HandleCount of the OBJECT_HEADER of my
device. That should work

“ChuckN” schrieb im Newsbeitrag news:xxxxx@ntdev…
> Hey ho,
> i want to detach a filter driver I attached to the “\Device\Tcp”-device.
> Unfortunately, there is one little problem. Sometimes I get a
> BSOD(“DRIVER_UNLOADED_WITHOUT_CANCELING_PENDING_OPERATIONS”).
> The problem is, that some applications like MSN or Browser still want to
> do I/O to my filter device, even when its unloaded. What can I do aginst
> that? How can I detect, wheather there are still “connections” on my
> device?
> Thx,
> Chuck
>
>

Thomas_F_Divine · May 8, 2006, 11:28am

The real answer is: Don’t attempt to unload this type of filter.

There is no reliable way to inform other devices that may have opened TCP
about the removal of your filter.

Yes, you can get away with it occasionally. But not reliably.

Thomas F. Divine, Windows DDK MVP

“ChuckN” wrote in message news:xxxxx@ntdev…
> Hey ho,
> i want to detach a filter driver I attached to the “\Device\Tcp”-device.
> Unfortunately, there is one little problem. Sometimes I get a
> BSOD(“DRIVER_UNLOADED_WITHOUT_CANCELING_PENDING_OPERATIONS”).
> The problem is, that some applications like MSN or Browser still want to
> do I/O to my filter device, even when its unloaded. What can I do aginst
> that? How can I detect, wheather there are still “connections” on my
> device?
> Thx,
> Chuck
>
>

Doron_Holan · May 8, 2006, 11:52am

You can’t reliably look at those fields and figure out state. You can’t
acquire the lock that guards those values and changes in driver state.
As a TCP filter you can’t unload.

d

– I can spell, I just can’t type.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ChuckN
Sent: Monday, May 08, 2006 8:11 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] unloading tcp filter driver?

Ah, i got an idea. PointerCount and HandleCount of the OBJECT_HEADER of
my device. That should work

“ChuckN” schrieb im Newsbeitrag
news:xxxxx@ntdev…
> Hey ho,
> i want to detach a filter driver I attached to the
“\Device\Tcp”-device.
> Unfortunately, there is one little problem. Sometimes I get a
> BSOD(“DRIVER_UNLOADED_WITHOUT_CANCELING_PENDING_OPERATIONS”).
> The problem is, that some applications like MSN or Browser still want
> to do I/O to my filter device, even when its unloaded. What can I do
> aginst that? How can I detect, wheather there are still “connections”
> on my device?
> Thx,
> Chuck
>
>

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

ChuckN · May 8, 2006, 12:54pm

mmmh, are there other, better unloadable possibilities for a tcp filter
driver?

“Doron Holan” schrieb im Newsbeitrag
news:xxxxx@ntdev…
You can’t reliably look at those fields and figure out state. You can’t
acquire the lock that guards those values and changes in driver state.
As a TCP filter you can’t unload.

d

– I can spell, I just can’t type.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ChuckN
Sent: Monday, May 08, 2006 8:11 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] unloading tcp filter driver?

Ah, i got an idea. PointerCount and HandleCount of the OBJECT_HEADER of
my device. That should work

“ChuckN” schrieb im Newsbeitrag
news:xxxxx@ntdev…
> Hey ho,
> i want to detach a filter driver I attached to the
“\Device\Tcp”-device.
> Unfortunately, there is one little problem. Sometimes I get a
> BSOD(“DRIVER_UNLOADED_WITHOUT_CANCELING_PENDING_OPERATIONS”).
> The problem is, that some applications like MSN or Browser still want
> to do I/O to my filter device, even when its unloaded. What can I do
> aginst that? How can I detect, wheather there are still “connections”
> on my device?
> Thx,
> Chuck
>
>

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Doron_Holan · May 8, 2006, 4:53pm

I think Thomas gave you the definitive answer. You can’t safely do
this.

d

– I can spell, I just can’t type.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ChuckN
Sent: Monday, May 08, 2006 9:54 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] unloading tcp filter driver?

mmmh, are there other, better unloadable possibilities for a tcp filter
driver?

“Doron Holan” schrieb im Newsbeitrag
news:xxxxx@ntdev…
You can’t reliably look at those fields and figure out state. You can’t
acquire the lock that guards those values and changes in driver state.
As a TCP filter you can’t unload.

d

– I can spell, I just can’t type.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ChuckN
Sent: Monday, May 08, 2006 8:11 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] unloading tcp filter driver?

Ah, i got an idea. PointerCount and HandleCount of the OBJECT_HEADER of
my device. That should work

“ChuckN” schrieb im Newsbeitrag
news:xxxxx@ntdev…
> Hey ho,
> i want to detach a filter driver I attached to the
“\Device\Tcp”-device.
> Unfortunately, there is one little problem. Sometimes I get a
> BSOD(“DRIVER_UNLOADED_WITHOUT_CANCELING_PENDING_OPERATIONS”).
> The problem is, that some applications like MSN or Browser still want
> to do I/O to my filter device, even when its unloaded. What can I do
> aginst that? How can I detect, wheather there are still “connections”
> on my device?
> Thx,
> Chuck
>
>

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Maxim_S_Shatskih · May 8, 2006, 7:46pm

You cannot do this without having this BSOD once per some time

Forget about unloading the TDI filters. Not supported (well, TDI filters
are not supported too ). Just turn the filter to do-nothing passthru mode.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “ChuckN”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Monday, May 08, 2006 7:04 PM
Subject: [ntdev] unloading tcp filter driver?

> Hey ho,
> i want to detach a filter driver I attached to the “\Device\Tcp”-device.
> Unfortunately, there is one little problem. Sometimes I get a
> BSOD(“DRIVER_UNLOADED_WITHOUT_CANCELING_PENDING_OPERATIONS”).
> The problem is, that some applications like MSN or Browser still want to do
> I/O to my filter device, even when its unloaded. What can I do aginst that?
> How can I detect, wheather there are still “connections” on my device?
> Thx,
> Chuck
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Maxim_S_Shatskih · May 8, 2006, 7:49pm

> mmmh, are there other, better unloadable possibilities for a tcp filter

driver?

No. Only to switch it off (turn on to “pass everything without changes” mode).

Such kinds of filters are 100% undocumented, work by mere luck, and violating
the rules even more due to the unload requirement is a very bad idea.

Anyway - the turned-off filter will eat about ~60KB of RAM, on an ~1GB machine

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

OSR_Community_User · May 9, 2006, 5:54am

Maxim S. Shatskih wrote:

> mmmh, are there other, better unloadable possibilities for a tcp filter
> driver?
>

No. Only to switch it off (turn on to “pass everything without changes” mode).

Such kinds of filters are 100% undocumented, work by mere luck, and violating
the rules even more due to the unload requirement is a very bad idea.

Anyway - the turned-off filter will eat about ~60KB of RAM, on an ~1GB machine

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Maxim, nice solution

But i’m a developer. Certainly, i will load/unload this filter driver
many times… So, have any better solution for /me to restrain the BSOD
bugchecks ?
Some one told me about replace target Dispatch’s table … he say that
is a good solution for developer ? Is that’s correct ?

Thanks,

nm.

Maxim_S_Shatskih · May 9, 2006, 11:32am

> But i’m a developer. Certainly, i will load/unload this filter driver

many times…

Then have BSODs sometimes. The usual way is to reboot on each driver binary
change.

So, have any better solution for /me to restrain the BSOD
bugchecks ?

No ways.

Some one told me about replace target Dispatch’s table … he say that
is a good solution for developer ?

No. The risk of BSOD gets large.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com