Windows 7 Beta WDK and OACR - feedback and impressions

Sarosh,

Two questions then:

(1) Since filter manager is a legacy filter, is the expectation that it
will be merged with the OS so that filter driver functions (like
IoAttachDevicetoDeviceStackSafe) will be removed from the OS? If not,
I’m not sure I see how one can prevent legacy filters (since filter
manager is itself a legacy filter.)

(2) How do you propose distinguishing between “legacy filters that
cannot be implemented as mini-filters” and “legacy filters that can -
and should - be implemented as mini-filters.” I’ve certainly provides
examples of the latter over the years, and we’ve been called upon within
the past few months to implement exactly such a filter - a filter that
CANNOT be implemented by a mini-filter in order to achieve its
functionality.

Of course, I am assuming that this prohibition does not apply to layered
file systems, right?

Tony
OSR

Tony,

It is premature to discuss the mechanics of how we would bring about the
transition to the minifilter model for the file system filter stack.

File systems will still conform to the legacy model. This is why we have
retained the FastFat and Cdfs samples in the WDK.

With respect to file system filters, I would like to believe that there
is nothing in the category of “legacy filters that cannot be implemented
as mini-filters”.

Folks,

If there is something that prevents any of you from moving to the
minifilter model, I would like to know about it. Send us an e-mail 1:1
and we can see what we can do to help you. The upcoming plugfest is a
good opportunity for you to have this discussion with us as well.

Regards,
Sarosh.
File System Filter Lead
Microsoft Corp

This posting is provided “AS IS” with no warranties, and confers no Rights

Tony Mason wrote:

Sarosh,

Two questions then:

(1) Since filter manager is a legacy filter, is the expectation that it
will be merged with the OS so that filter driver functions (like
IoAttachDevicetoDeviceStackSafe) will be removed from the OS? If not,
I’m not sure I see how one can prevent legacy filters (since filter
manager is itself a legacy filter.)

(2) How do you propose distinguishing between “legacy filters that
cannot be implemented as mini-filters” and “legacy filters that can -
and should - be implemented as mini-filters.” I’ve certainly provides
examples of the latter over the years, and we’ve been called upon within
the past few months to implement exactly such a filter - a filter that
CANNOT be implemented by a mini-filter in order to achieve its
functionality.

Of course, I am assuming that this prohibition does not apply to layered
file systems, right?

Tony
OSR

It would have been a great help if this was forced in Vista even. Having only
mini-filter AV software would have helped a LOT.

Sarosh Havewala wrote:

Folks,

Thank you for your feedback so far. I have requested folks from the WDK
team to engage you folks on this thread to leverage your feedback and
post any clarifications if necessary.

Gabriel,

We will not support legacy filters on newer OSes once we decide to make
the switch. The legacies will continue to be supported on the older OSes
that they were developed and shipped on. But there will be no exception
on the new OS for legacy filters that were shipped on a previous OS.

Windows 7 is the 4th OS release (counting W2K, XP/W2K3, Vista/W2K8) that
supports the minifiter and legacy model side-by-side. This should be
sufficient overlap to phase out the old model and phase in the new.

We strongly encourage all of you to start moving to the minifilter model
as soon as possible if you have not already done so. I would not be
surprised if Windows 8 supported only the minifilter model. If any of
your customers require coaxing in this regard, I will be happy to do so.

Regards,
Sarosh.
File System Filter Lead
Microsoft Corp

This posting is provided “AS IS” with no warranties, and confers no Rights

Bercea Gabriel wrote:
> First of all I found the OACR to be pretty cool tool. I found 2 errors
> in my code with it that I would normally probably stay weeks to find,
> errors like ( if (list->Next = NULL), = instead of == ), good thing the
>
> function was not yet used in the code :D, but doesn’t matter, pretty
> nice tool. Nice to know you can fine tune any small deadly errors like this.
>
>
>
> Of course it threw me warnings like, you cannot access the NextDevice
> from DEVICE_OBJECT and any of the fast IO routines, but this could be
> useful for members that are not documented in structures like IRP or
> IO_STACK_LOCATION, maybe after this there won’t be any question about
> BSOD’s after initializing undocumented IRP fields (especially in WINDOWS 7).
>
>
>
> As far as could observe my driver runs faster on Windows 7 Beta x86 than
> on Windows 2008 Datacenter or Windows Vista Ultimate, so very nice
> resource management.
>
> As Sarosh said in previous posts the legacy samples will not be present,
> and so it was. It would have been nice to see some more legacy samples.
> The fastfat remains though.
>
>
>
> A question @Sarosh: What about the drivers that where started on legacy
> logics and architecture. Will MS still support those in future versions
> of Windows ?
>
>
>
> I really wanted to hear impressions from you guys, more about FileSys
> ofcourse.
>
> Please provide J
>
>
>
>
>
> With respect,
>
> Gabriel Bercea
>
>
>
> GaMiTech Software Development
>
> Mobile contact: (+40)0740049634
>
> eMail: xxxxx@gmail.com
>
>
>

---

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

How so, Dejan? I’m just curious, as I know very little about this
subject.

As a general driver problem, the thing I can’t seem to get around about
this policy is that it will require that some fsf’s be rewritten, which
seems likely to introduce bugs, especially considering the complexity of
fsf’s.

mm

Dejan Maksimovic wrote:

It would have been a great help if this was forced in Vista even. Having only
mini-filter AV software would have helped a LOT.

Sarosh Havewala wrote:

> Folks,
>
> Thank you for your feedback so far. I have requested folks from the WDK
> team to engage you folks on this thread to leverage your feedback and
> post any clarifications if necessary.
>
> Gabriel,
>
> We will not support legacy filters on newer OSes once we decide to make
> the switch. The legacies will continue to be supported on the older OSes
> that they were developed and shipped on. But there will be no exception
> on the new OS for legacy filters that were shipped on a previous OS.
>
> Windows 7 is the 4th OS release (counting W2K, XP/W2K3, Vista/W2K8) that
> supports the minifiter and legacy model side-by-side. This should be
> sufficient overlap to phase out the old model and phase in the new.
>
> We strongly encourage all of you to start moving to the minifilter model
> as soon as possible if you have not already done so. I would not be
> surprised if Windows 8 supported only the minifilter model. If any of
> your customers require coaxing in this regard, I will be happy to do so.
>
> Regards,
> Sarosh.
> File System Filter Lead
> Microsoft Corp
>
> This posting is provided “AS IS” with no warranties, and confers no Rights
>
> Bercea Gabriel wrote:
>> First of all I found the OACR to be pretty cool tool. I found 2 errors
>> in my code with it that I would normally probably stay weeks to find,
>> errors like ( if (list->Next = NULL), = instead of == ), good thing the
>>
>> function was not yet used in the code :D, but doesn’t matter, pretty
>> nice tool. Nice to know you can fine tune any small deadly errors like this.
>>
>>
>>
>> Of course it threw me warnings like, you cannot access the NextDevice
>> from DEVICE_OBJECT and any of the fast IO routines, but this could be
>> useful for members that are not documented in structures like IRP or
>> IO_STACK_LOCATION, maybe after this there won’t be any question about
>> BSOD’s after initializing undocumented IRP fields (especially in WINDOWS 7).
>>
>>
>>
>> As far as could observe my driver runs faster on Windows 7 Beta x86 than
>> on Windows 2008 Datacenter or Windows Vista Ultimate, so very nice
>> resource management.
>>
>> As Sarosh said in previous posts the legacy samples will not be present,
>> and so it was. It would have been nice to see some more legacy samples.
>> The fastfat remains though.
>>
>>
>>
>> A question @Sarosh: What about the drivers that where started on legacy
>> logics and architecture. Will MS still support those in future versions
>> of Windows ?
>>
>>
>>
>> I really wanted to hear impressions from you guys, more about FileSys
>> ofcourse.
>>
>> Please provide J
>>
>>
>>
>>
>>
>> With respect,
>>
>> Gabriel Bercea
>>
>>
>>
>> GaMiTech Software Development
>>
>> Mobile contact: (+40)0740049634
>>
>> eMail: xxxxx@gmail.com
>>
>>
>>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Because then they wouldn’t use KeAttachProcess and similar API, they would not use
several hacks to achieve some goal…
And more to it, I would not have to make workarounds because “AV is required
software, make your software work with it, or…”. E.g. then latest McAfee caused a
blue screen when FltLockUserBuffer API is used during IRP_MJ_QUERY_DIRECTORY,
reproduced with a simple skeleton driver… but, I had to make a workaround for it

Martin O’Brien wrote:

How so, Dejan? I’m just curious, as I know very little about this
subject.

As a general driver problem, the thing I can’t seem to get around about
this policy is that it will require that some fsf’s be rewritten, which
seems likely to introduce bugs, especially considering the complexity of
fsf’s.

mm

Dejan Maksimovic wrote:
> It would have been a great help if this was forced in Vista even. Having only
> mini-filter AV software would have helped a LOT.
>
> Sarosh Havewala wrote:
>
>> Folks,
>>
>> Thank you for your feedback so far. I have requested folks from the WDK
>> team to engage you folks on this thread to leverage your feedback and
>> post any clarifications if necessary.
>>
>> Gabriel,
>>
>> We will not support legacy filters on newer OSes once we decide to make
>> the switch. The legacies will continue to be supported on the older OSes
>> that they were developed and shipped on. But there will be no exception
>> on the new OS for legacy filters that were shipped on a previous OS.
>>
>> Windows 7 is the 4th OS release (counting W2K, XP/W2K3, Vista/W2K8) that
>> supports the minifiter and legacy model side-by-side. This should be
>> sufficient overlap to phase out the old model and phase in the new.
>>
>> We strongly encourage all of you to start moving to the minifilter model
>> as soon as possible if you have not already done so. I would not be
>> surprised if Windows 8 supported only the minifilter model. If any of
>> your customers require coaxing in this regard, I will be happy to do so.
>>
>> Regards,
>> Sarosh.
>> File System Filter Lead
>> Microsoft Corp
>>
>> This posting is provided “AS IS” with no warranties, and confers no Rights
>>
>> Bercea Gabriel wrote:
>>> First of all I found the OACR to be pretty cool tool. I found 2 errors
>>> in my code with it that I would normally probably stay weeks to find,
>>> errors like ( if (list->Next = NULL), = instead of == ), good thing the
>>>
>>> function was not yet used in the code :D, but doesn’t matter, pretty
>>> nice tool. Nice to know you can fine tune any small deadly errors like this.
>>>
>>>
>>>
>>> Of course it threw me warnings like, you cannot access the NextDevice
>>> from DEVICE_OBJECT and any of the fast IO routines, but this could be
>>> useful for members that are not documented in structures like IRP or
>>> IO_STACK_LOCATION, maybe after this there won’t be any question about
>>> BSOD’s after initializing undocumented IRP fields (especially in WINDOWS 7).
>>>
>>>
>>>
>>> As far as could observe my driver runs faster on Windows 7 Beta x86 than
>>> on Windows 2008 Datacenter or Windows Vista Ultimate, so very nice
>>> resource management.
>>>
>>> As Sarosh said in previous posts the legacy samples will not be present,
>>> and so it was. It would have been nice to see some more legacy samples.
>>> The fastfat remains though.
>>>
>>>
>>>
>>> A question @Sarosh: What about the drivers that where started on legacy
>>> logics and architecture. Will MS still support those in future versions
>>> of Windows ?
>>>
>>>
>>>
>>> I really wanted to hear impressions from you guys, more about FileSys
>>> ofcourse.
>>>
>>> Please provide J
>>>
>>>
>>>
>>>
>>>
>>> With respect,
>>>
>>> Gabriel Bercea
>>>
>>>
>>>
>>> GaMiTech Software Development
>>>
>>> Mobile contact: (+40)0740049634
>>>
>>> eMail: xxxxx@gmail.com
>>>
>>>
>>>
>> —
>> NTFSD is sponsored by OSR
>>
>> For our schedule debugging and file system seminars
>> (including our new fs mini-filter seminar) visit:
>> http://www.osr.com/seminars
>>
>> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> –
> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
> http://www.alfasp.com
> File system audit, security and encryption kits.
>
>
>

---

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

I can’t say that I know the cause, but as a recently forced user of
McAfee, I have plenty of experience with the BSOD.

Thanks,

mm

Dejan Maksimovic wrote:

Because then they wouldn’t use KeAttachProcess and similar API, they would not use
several hacks to achieve some goal…
And more to it, I would not have to make workarounds because “AV is required
software, make your software work with it, or…”. E.g. then latest McAfee caused a
blue screen when FltLockUserBuffer API is used during IRP_MJ_QUERY_DIRECTORY,
reproduced with a simple skeleton driver… but, I had to make a workaround for it

Martin O’Brien wrote:

> How so, Dejan? I’m just curious, as I know very little about this
> subject.
>
> As a general driver problem, the thing I can’t seem to get around about
> this policy is that it will require that some fsf’s be rewritten, which
> seems likely to introduce bugs, especially considering the complexity of
> fsf’s.
>
> mm
>
> Dejan Maksimovic wrote:
>> It would have been a great help if this was forced in Vista even. Having only
>> mini-filter AV software would have helped a LOT.
>>
>> Sarosh Havewala wrote:
>>
>>> Folks,
>>>
>>> Thank you for your feedback so far. I have requested folks from the WDK
>>> team to engage you folks on this thread to leverage your feedback and
>>> post any clarifications if necessary.
>>>
>>> Gabriel,
>>>
>>> We will not support legacy filters on newer OSes once we decide to make
>>> the switch. The legacies will continue to be supported on the older OSes
>>> that they were developed and shipped on. But there will be no exception
>>> on the new OS for legacy filters that were shipped on a previous OS.
>>>
>>> Windows 7 is the 4th OS release (counting W2K, XP/W2K3, Vista/W2K8) that
>>> supports the minifiter and legacy model side-by-side. This should be
>>> sufficient overlap to phase out the old model and phase in the new.
>>>
>>> We strongly encourage all of you to start moving to the minifilter model
>>> as soon as possible if you have not already done so. I would not be
>>> surprised if Windows 8 supported only the minifilter model. If any of
>>> your customers require coaxing in this regard, I will be happy to do so.
>>>
>>> Regards,
>>> Sarosh.
>>> File System Filter Lead
>>> Microsoft Corp
>>>
>>> This posting is provided “AS IS” with no warranties, and confers no Rights
>>>
>>> Bercea Gabriel wrote:
>>>> First of all I found the OACR to be pretty cool tool. I found 2 errors
>>>> in my code with it that I would normally probably stay weeks to find,
>>>> errors like ( if (list->Next = NULL), = instead of == ), good thing the
>>>>
>>>> function was not yet used in the code :D, but doesn’t matter, pretty
>>>> nice tool. Nice to know you can fine tune any small deadly errors like this.
>>>>
>>>>
>>>>
>>>> Of course it threw me warnings like, you cannot access the NextDevice
>>>> from DEVICE_OBJECT and any of the fast IO routines, but this could be
>>>> useful for members that are not documented in structures like IRP or
>>>> IO_STACK_LOCATION, maybe after this there won’t be any question about
>>>> BSOD’s after initializing undocumented IRP fields (especially in WINDOWS 7).
>>>>
>>>>
>>>>
>>>> As far as could observe my driver runs faster on Windows 7 Beta x86 than
>>>> on Windows 2008 Datacenter or Windows Vista Ultimate, so very nice
>>>> resource management.
>>>>
>>>> As Sarosh said in previous posts the legacy samples will not be present,
>>>> and so it was. It would have been nice to see some more legacy samples.
>>>> The fastfat remains though.
>>>>
>>>>
>>>>
>>>> A question @Sarosh: What about the drivers that where started on legacy
>>>> logics and architecture. Will MS still support those in future versions
>>>> of Windows ?
>>>>
>>>>
>>>>
>>>> I really wanted to hear impressions from you guys, more about FileSys
>>>> ofcourse.
>>>>
>>>> Please provide J
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> With respect,
>>>>
>>>> Gabriel Bercea
>>>>
>>>>
>>>>
>>>> GaMiTech Software Development
>>>>
>>>> Mobile contact: (+40)0740049634
>>>>
>>>> eMail: xxxxx@gmail.com
>>>>
>>>>
>>>>
>>> —
>>> NTFSD is sponsored by OSR
>>>
>>> For our schedule debugging and file system seminars
>>> (including our new fs mini-filter seminar) visit:
>>> http://www.osr.com/seminars
>>>
>>> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>> –
>> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
>> http://www.alfasp.com
>> File system audit, security and encryption kits.
>>
>>
>>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

I have a lot of experience with some “never heard of them in the West” Asian AV
companies… there’s apparently a plethora of them, and each of them has small stupid,
beginner issues… I’ve wasted a lot of time showing them how to fix the issues. (if I
didn’t - “AV is more important, make it work, or…”)
Mini-filtesr would not even give them the possibility to make those mistakes. (ye,
they’d make mistakes of course but not so simple…)

Martin O’Brien wrote:

I can’t say that I know the cause, but as a recently forced user of
McAfee, I have plenty of experience with the BSOD.

Thanks,

mm

Dejan Maksimovic wrote:
> Because then they wouldn’t use KeAttachProcess and similar API, they would not use
> several hacks to achieve some goal…
> And more to it, I would not have to make workarounds because “AV is required
> software, make your software work with it, or…”. E.g. then latest McAfee caused a
> blue screen when FltLockUserBuffer API is used during IRP_MJ_QUERY_DIRECTORY,
> reproduced with a simple skeleton driver… but, I had to make a workaround for it
>
> Martin O’Brien wrote:
>
>> How so, Dejan? I’m just curious, as I know very little about this
>> subject.
>>
>> As a general driver problem, the thing I can’t seem to get around about
>> this policy is that it will require that some fsf’s be rewritten, which
>> seems likely to introduce bugs, especially considering the complexity of
>> fsf’s.
>>
>> mm
>>
>> Dejan Maksimovic wrote:
>>> It would have been a great help if this was forced in Vista even. Having only
>>> mini-filter AV software would have helped a LOT.
>>>
>>> Sarosh Havewala wrote:
>>>
>>>> Folks,
>>>>
>>>> Thank you for your feedback so far. I have requested folks from the WDK
>>>> team to engage you folks on this thread to leverage your feedback and
>>>> post any clarifications if necessary.
>>>>
>>>> Gabriel,
>>>>
>>>> We will not support legacy filters on newer OSes once we decide to make
>>>> the switch. The legacies will continue to be supported on the older OSes
>>>> that they were developed and shipped on. But there will be no exception
>>>> on the new OS for legacy filters that were shipped on a previous OS.
>>>>
>>>> Windows 7 is the 4th OS release (counting W2K, XP/W2K3, Vista/W2K8) that
>>>> supports the minifiter and legacy model side-by-side. This should be
>>>> sufficient overlap to phase out the old model and phase in the new.
>>>>
>>>> We strongly encourage all of you to start moving to the minifilter model
>>>> as soon as possible if you have not already done so. I would not be
>>>> surprised if Windows 8 supported only the minifilter model. If any of
>>>> your customers require coaxing in this regard, I will be happy to do so.
>>>>
>>>> Regards,
>>>> Sarosh.
>>>> File System Filter Lead
>>>> Microsoft Corp
>>>>
>>>> This posting is provided “AS IS” with no warranties, and confers no Rights
>>>>
>>>> Bercea Gabriel wrote:
>>>>> First of all I found the OACR to be pretty cool tool. I found 2 errors
>>>>> in my code with it that I would normally probably stay weeks to find,
>>>>> errors like ( if (list->Next = NULL), = instead of == ), good thing the
>>>>>
>>>>> function was not yet used in the code :D, but doesn’t matter, pretty
>>>>> nice tool. Nice to know you can fine tune any small deadly errors like this.
>>>>>
>>>>>
>>>>>
>>>>> Of course it threw me warnings like, you cannot access the NextDevice
>>>>> from DEVICE_OBJECT and any of the fast IO routines, but this could be
>>>>> useful for members that are not documented in structures like IRP or
>>>>> IO_STACK_LOCATION, maybe after this there won’t be any question about
>>>>> BSOD’s after initializing undocumented IRP fields (especially in WINDOWS 7).
>>>>>
>>>>>
>>>>>
>>>>> As far as could observe my driver runs faster on Windows 7 Beta x86 than
>>>>> on Windows 2008 Datacenter or Windows Vista Ultimate, so very nice
>>>>> resource management.
>>>>>
>>>>> As Sarosh said in previous posts the legacy samples will not be present,
>>>>> and so it was. It would have been nice to see some more legacy samples.
>>>>> The fastfat remains though.
>>>>>
>>>>>
>>>>>
>>>>> A question @Sarosh: What about the drivers that where started on legacy
>>>>> logics and architecture. Will MS still support those in future versions
>>>>> of Windows ?
>>>>>
>>>>>
>>>>>
>>>>> I really wanted to hear impressions from you guys, more about FileSys
>>>>> ofcourse.
>>>>>
>>>>> Please provide J
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> With respect,
>>>>>
>>>>> Gabriel Bercea
>>>>>
>>>>>
>>>>>
>>>>> GaMiTech Software Development
>>>>>
>>>>> Mobile contact: (+40)0740049634
>>>>>
>>>>> eMail: xxxxx@gmail.com
>>>>>
>>>>>
>>>>>
>>>> —
>>>> NTFSD is sponsored by OSR
>>>>
>>>> For our schedule debugging and file system seminars
>>>> (including our new fs mini-filter seminar) visit:
>>>> http://www.osr.com/seminars
>>>>
>>>> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>> –
>>> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
>>> http://www.alfasp.com
>>> File system audit, security and encryption kits.
>>>
>>>
>>>
>> —
>> NTFSD is sponsored by OSR
>>
>> For our schedule debugging and file system seminars
>> (including our new fs mini-filter seminar) visit:
>> http://www.osr.com/seminars
>>
>> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> –
> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
> http://www.alfasp.com
> File system audit, security and encryption kits.
>
>
>

---

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

>will be merged with the OS so that filter driver functions (like

IoAttachDevicetoDeviceStackSafe) will be removed from the OS?

Then how WDM will work? they are speaking about deprecating legacy FS filters, not WDM.

For me, deprecation of the legacy FS filters is a bad idea. This is like deprecating USER32 saying “you have MFC, please write everything using MFC”.

FltMgr is MFC for FS filters, like KMDF is for WDM drivers.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

“Sarosh Havewala” wrote in message
news:xxxxx@ntfsd…
>
> With respect to file system filters, I would like to believe that there is
> nothing in the category of “legacy filters that cannot be implemented as
> mini-filters”.
>
Well as long as supported OS’es include prior to Vista, then I think that
statement can be ruled completely false. So if we are talking the Windows
10 time frame I think you are ok. As far as removing API’s to make this
not happen, be very careful there, many of the API’s that have been in
ntifs.h have in many cases been used in drivers that have nothing to do with
file systems. And of course there are some of us who write file systems
not file system filters, who could be highly inconvienced (i.e. products
destroyed) by removing ntifs.h calls.

–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

> If there is something that prevents any of you from moving to the

minifilter model, I would like to know about it.

I remember that not all FSD IRPs could be sent by the minifilter using FltXxx APIs.

Is it still so?

What about sending the IOCTL or internal IOCTL to another driver of ours, which is not a FltMgr minifilter?

What about implementing both a WDM filer and an FS minifilter in the same .sys file?

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

The following link summarizes the benefits of the Minifilter Model:

Windows Driver Kit: Installable File System Drivers
Advantages of the Filter Manager Model

http://msdn2.microsoft.com/en-us/library/aa488086.aspx

Regards,
Sarosh.
File System Filter Lead
Microsoft Corp

This posting is provided “AS IS” with no warranties, and confers no Rights

Dejan Maksimovic wrote:

I have a lot of experience with some “never heard of them in the West” Asian AV
companies… there’s apparently a plethora of them, and each of them has small stupid,
beginner issues… I’ve wasted a lot of time showing them how to fix the issues. (if I
didn’t - “AV is more important, make it work, or…”)
Mini-filtesr would not even give them the possibility to make those mistakes. (ye,
they’d make mistakes of course but not so simple…)

Martin O’Brien wrote:

> I can’t say that I know the cause, but as a recently forced user of
> McAfee, I have plenty of experience with the BSOD.
>
> Thanks,
>
> mm
>
> Dejan Maksimovic wrote:
>> Because then they wouldn’t use KeAttachProcess and similar API, they would not use
>> several hacks to achieve some goal…
>> And more to it, I would not have to make workarounds because “AV is required
>> software, make your software work with it, or…”. E.g. then latest McAfee caused a
>> blue screen when FltLockUserBuffer API is used during IRP_MJ_QUERY_DIRECTORY,
>> reproduced with a simple skeleton driver… but, I had to make a workaround for it
>>
>> Martin O’Brien wrote:
>>
>>> How so, Dejan? I’m just curious, as I know very little about this
>>> subject.
>>>
>>> As a general driver problem, the thing I can’t seem to get around about
>>> this policy is that it will require that some fsf’s be rewritten, which
>>> seems likely to introduce bugs, especially considering the complexity of
>>> fsf’s.
>>>
>>> mm
>>>
>>> Dejan Maksimovic wrote:
>>>> It would have been a great help if this was forced in Vista even. Having only
>>>> mini-filter AV software would have helped a LOT.
>>>>
>>>> Sarosh Havewala wrote:
>>>>
>>>>> Folks,
>>>>>
>>>>> Thank you for your feedback so far. I have requested folks from the WDK
>>>>> team to engage you folks on this thread to leverage your feedback and
>>>>> post any clarifications if necessary.
>>>>>
>>>>> Gabriel,
>>>>>
>>>>> We will not support legacy filters on newer OSes once we decide to make
>>>>> the switch. The legacies will continue to be supported on the older OSes
>>>>> that they were developed and shipped on. But there will be no exception
>>>>> on the new OS for legacy filters that were shipped on a previous OS.
>>>>>
>>>>> Windows 7 is the 4th OS release (counting W2K, XP/W2K3, Vista/W2K8) that
>>>>> supports the minifiter and legacy model side-by-side. This should be
>>>>> sufficient overlap to phase out the old model and phase in the new.
>>>>>
>>>>> We strongly encourage all of you to start moving to the minifilter model
>>>>> as soon as possible if you have not already done so. I would not be
>>>>> surprised if Windows 8 supported only the minifilter model. If any of
>>>>> your customers require coaxing in this regard, I will be happy to do so.
>>>>>
>>>>> Regards,
>>>>> Sarosh.
>>>>> File System Filter Lead
>>>>> Microsoft Corp
>>>>>
>>>>> This posting is provided “AS IS” with no warranties, and confers no Rights
>>>>>
>>>>> Bercea Gabriel wrote:
>>>>>> First of all I found the OACR to be pretty cool tool. I found 2 errors
>>>>>> in my code with it that I would normally probably stay weeks to find,
>>>>>> errors like ( if (list->Next = NULL), = instead of == ), good thing the
>>>>>>
>>>>>> function was not yet used in the code :D, but doesn’t matter, pretty
>>>>>> nice tool. Nice to know you can fine tune any small deadly errors like this.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Of course it threw me warnings like, you cannot access the NextDevice
>>>>>> from DEVICE_OBJECT and any of the fast IO routines, but this could be
>>>>>> useful for members that are not documented in structures like IRP or
>>>>>> IO_STACK_LOCATION, maybe after this there won’t be any question about
>>>>>> BSOD’s after initializing undocumented IRP fields (especially in WINDOWS 7).
>>>>>>
>>>>>>
>>>>>>
>>>>>> As far as could observe my driver runs faster on Windows 7 Beta x86 than
>>>>>> on Windows 2008 Datacenter or Windows Vista Ultimate, so very nice
>>>>>> resource management.
>>>>>>
>>>>>> As Sarosh said in previous posts the legacy samples will not be present,
>>>>>> and so it was. It would have been nice to see some more legacy samples.
>>>>>> The fastfat remains though.
>>>>>>
>>>>>>
>>>>>>
>>>>>> A question @Sarosh: What about the drivers that where started on legacy
>>>>>> logics and architecture. Will MS still support those in future versions
>>>>>> of Windows ?
>>>>>>
>>>>>>
>>>>>>
>>>>>> I really wanted to hear impressions from you guys, more about FileSys
>>>>>> ofcourse.
>>>>>>
>>>>>> Please provide J
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> With respect,
>>>>>>
>>>>>> Gabriel Bercea
>>>>>>
>>>>>>
>>>>>>
>>>>>> GaMiTech Software Development
>>>>>>
>>>>>> Mobile contact: (+40)0740049634
>>>>>>
>>>>>> eMail: xxxxx@gmail.com
>>>>>>
>>>>>>
>>>>>>
>>>>> —
>>>>> NTFSD is sponsored by OSR
>>>>>
>>>>> For our schedule debugging and file system seminars
>>>>> (including our new fs mini-filter seminar) visit:
>>>>> http://www.osr.com/seminars
>>>>>
>>>>> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
>>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>> –
>>>> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
>>>> http://www.alfasp.com
>>>> File system audit, security and encryption kits.
>>>>
>>>>
>>>>
>>> —
>>> NTFSD is sponsored by OSR
>>>
>>> For our schedule debugging and file system seminars
>>> (including our new fs mini-filter seminar) visit:
>>> http://www.osr.com/seminars
>>>
>>> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>> –
>> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
>> http://www.alfasp.com
>> File system audit, security and encryption kits.
>>
>>
>>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.