What you’re proposing is a fairly common, supported scenario. Driver
talks to service via file handles, apps talk to service via X, where X
varies.
There are many, many ways to communicate between user-mode processes.
If your application protocol consists of mostly request/reply
transactions, then DCE RPC is well-suited for this, and in fact many
Windows services are implemented this way. DCOM is roughly the same
thing, but more objecty. It’s clearly got *enterprise*, as the folks
over at thedailywtf.com would say. If your application protocol is more
complex, then you can always pick and choose which Win32 communication
primitives make the most sense – shared memory, events, semaphores,
named pipes, mailslots, sockets… so many mechanisms.
Before you go down that route, though, consider whether it’s really
necessary. You’ll be adding another component to your design, which
makes testing more difficult, and generates a lot more combinations of
failure modes at run-time. I’m not saying “bad!” – I’m saying the
choice is a non-trivial design trade-off.
App->service->driver tends to be a good design when the service is
adding a lot of value to the system. Often the service is managing some
persistent information, or making policy decisions that cannot be made
in the untrusted client process, or needs to allow remote clients to
access the device as well as local ones. Since services have full
access to the Win32 API, they can do lots of things that are
excruciatingly painful or impossible in drivers, such as communicating
with databases, invoking other Win32 DLLs, etc. This is also a good
design when you need to define and enforce rather elaborate security
controls over what can be done with the device – i.e. you’ve got more
going on that just read/write and a few I/O controls.
App->driver tends to be a good design when, well, the above conditions
aren’t true. Only local apps need to talk to the device. The driver is
capable of defining and enforcing its own security policy and, hence,
can be trusted to talk directly to untrusted user-mode apps. The device
is relatively stateless – that is, little or no information needs to be
retained between device start/stop, usually just some configuration
parameters.
There’s a lot more to it than that, of course. Just keep in mind that
both choices are valid, and the best choice depends on what you’re
doing, and why. My preference leans toward app->driver, unless there’s
a demonstrable need for a service to mediate access to the device.
– arlie
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mike Kemp
Sent: Wednesday, June 28, 2006 7:10 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] windows services
Hi Dave
Thanks for the informative reply. Actually I realise it is relevant to
driver development because I suppose services are possibly the missing
link between the user app and the kernel driver. Basically I have
untrusted apps that link with my DLL to share a lot of realtime data
with my kernel driver and I’m considering a “fairly trusted” service to
sit between the two to administer the system. The need for shared memory
is so they can all see realtime buffers at once, but something like RPC
with the service may be possible if the administrating service does not
need to see the actual realtime data…
I suppose its an issue in system design (as usual after most of it is
written - sigh)… Mike