When is driver unload routine called!!

Hi All,

We have a software device created in driver and we register for process creation callback PsSetCreateProcessNotifyRoutineEx to be notified about the new processes.

There is a user-mode service which starts the driver (as service) and then the software device is opened to do IOCTLs.

I am trying to harden the driver and hence, looking for possible issues.

What happens if the user-mode service program stops the driver (which results in calling the unload routine) when the driver is executing inside the ProcessCreateNotifyRoutine callback? Will the OS guarantee that the unload routine is called only when no driver code is getting executed?? Or, should I (as developer) do something to make things good!!

Thanks,
Reddy

The OS does not safeguard this directly. Your unload routine must unregister the callback and wait for outstanding work items, timers, etc. on your own.

d

Bent from my phone


From: Vijayabhaskarreddy_CH
Sent: Monday, February 4, 2019 8:21:29 AM
To: Doron Holan
Subject: [NTDEV] When is driver unload routine called!!


You need to unregister your process create notify routine from within your driver unload callback by calling PsSetCreateProcessNotifyRoutineEx with Remove set to TRUE. Once this call returns you’re guaranteed that your callback is not executing.

@“Scott_Noone_(OSR)” said:
You need to unregister your process create notify routine from within your driver unload callback by calling PsSetCreateProcessNotifyRoutineEx with Remove set to TRUE. Once this call returns you’re guaranteed that your callback is not executing.

If I read this correctly, what you are saying is that the “unregister” call will not return until all the currently running callback routines are completed.
Or is it that no new routine is called once the “unregister” call is made?

If I read this correctly, what you are saying is that “unregister” call will not return until all the currently running callback routines are completed.

I couldn’t say this is true for all currently running callbacks, but it’s definitely true for the callback you are unregistering.

I couldn’t say this is true for all currently running callbacks, but it’s definitely true for the callback you are unregistering.

Sorry for not being clear in my previous reply. What I meant was all the currently running instances of the particular callback that I am about to unregister.

If there are 4 instances of the same callback running (4 processes are getting created from 4 different processes/threads at the same time), and if the callback is unregistered, will unregister call return only after those 4 callback instance executions complete??

if the callback is unregistered, will unregister call return only after those 4 callback instance executions complete??

You are correct, it will not return until all execution completes.

You are correct, it will not return until all execution completes.

Perfect! Thanks a ton.
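
The guarantee discussed in this thread (the unregister call does not return while an instance of the callback is still executing) and the advice to wait for your own outstanding work items, modelled as an added user-mode C example. It is not code from the thread or from any driver, and every name in it (`rundown_t`, `rundown_acquire`, `rundown_begin`, `rundown_wait`, `demo_four_in_flight`) is hypothetical.

```c
/* User-mode model (added example, not driver code); all names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <sched.h>

#define RUNDOWN_ACTIVE 1L   /* bit 0: unload has started   */
#define RUNDOWN_REF    2L   /* one in-flight callback = +2 */

typedef struct { atomic_long state; } rundown_t;

/* Entry of every callback/work item: refuse to run once unload began. */
bool rundown_acquire(rundown_t *r) {
    long s = atomic_load(&r->state);
    do {
        if (s & RUNDOWN_ACTIVE) return false;
    } while (!atomic_compare_exchange_weak(&r->state, &s, s + RUNDOWN_REF));
    return true;
}

/* Exit of every callback/work item that acquired successfully. */
void rundown_release(rundown_t *r) {
    atomic_fetch_sub(&r->state, RUNDOWN_REF);
}

/* Unload step 1: block new entries. Returns the in-flight count. */
long rundown_begin(rundown_t *r) {
    return atomic_fetch_or(&r->state, RUNDOWN_ACTIVE) / RUNDOWN_REF;
}

/* True only when unload started and nothing is still executing. */
bool rundown_drained(rundown_t *r) {
    return atomic_load(&r->state) == RUNDOWN_ACTIVE;
}

/* Unload step 2: do not return (and free state) until drained. */
void rundown_wait(rundown_t *r) {
    while (!rundown_drained(r)) sched_yield();
}

/* Constructed scenario: 4 concurrent callbacks, then a stop request. */
long demo_four_in_flight(void) {
    rundown_t r = { 0 };
    for (int i = 0; i < 4; i++) rundown_acquire(&r);
    long pending = rundown_begin(&r);        /* unload starts: 4 pending */
    bool late = rundown_acquire(&r);         /* new callback is refused  */
    for (int i = 0; i < 4; i++) rundown_release(&r);
    rundown_wait(&r);                        /* returns: all 4 finished  */
    return late ? -1 : pending;
}
```

In a driver, the unload routine would first call PsSetCreateProcessNotifyRoutineEx with Remove set to TRUE and then drain its own work items and timers in this way; the kernel's run-down protection routines (ExAcquireRundownProtection, ExWaitForRundownProtectionRelease) provide the same pattern.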