Windows VSS service.

Hi,

I am a newbie and i am working on a driver that tracks creation/write/modification on files.
Now I have been told to work on Volume snapshot. I have seen the code of VSS that comes with Windows SDK.
But I have been informed to work on VSS at the kernel level, means I have to find out how I can use or communicate Windows Volume snapshot service through my driver.
Please can someone give some inputs on this and try to help me because i googled a lot for Volume snapshot but did not get much help from there. Should I implement VSS Writer at the kernel level or something else to use the feature of Windows VSS service.

Thanks in advance.

> Hi,

I am a newbie and i am working on a driver that tracks
creation/write/modification on files.
Now I have been told to work on Volume snapshot. I have seen the code of
VSS that comes with Windows SDK.
But I have been informed to work on VSS at the kernel level, means I have to
find out how I can use or communicate Windows Volume snapshot service
through my driver.
Please can someone give some inputs on this and try to help me because i
googled a lot for Volume snapshot but did not get much help from there.
Should I implement VSS Writer at the kernel level or something else to use
the feature of Windows VSS service.

I think VSS providers are (or can be) in kernel space, but the readers and writers are userspace. I’m also pretty sure that VSS snapshots are read-only so create/write/modify will not happen. This makes your job pretty simple

I am taking a guess that your driver keeps track of what has been modified on the disk for the purpose of then taking a block level backup of the disk, and I’ll guess further that the VSS requirement is so that you can synchronise a point in time with your change-tracking driver that matches the point in time the VSS snapshot was taken. From the way you asked the question I’m also taking a guess that the requirements of your project haven’t been properly explained to you, which is probably the first problem you should solve.

James

On Mon, Oct 8, 2012 at 1:15 AM, wrote:
> Hi,
>
> I am a newbie and i am working on a driver that tracks creation/write/modification on files.
> Now I have been told to work on Volume snapshot. I have seen the code of VSS that comes with Windows SDK.
> But I have been informed to work on VSS at the kernel level, means I have to find out how I can use or communicate Windows Volume snapshot service through my driver.
> Please can someone give some inputs on this and try to help me because i googled a lot for Volume snapshot but did not get much help from there. Should I implement VSS Writer at the kernel level or something else to use the feature of Windows VSS service.
>
> Thanks in advance.
>

Hello, the kernel aspect of VSS involves the volsnap driver which is
the FDO in the volume device stack (which sits roughly below the File
System stack and above the Disk stack). The volsnap driver implements
something called flush-and-hold semantics across multiple volumes. The
VSS service in usermode interacts with it via
IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES (along with several other private,
undocumented IOCTLs).

In a regular vanilla system (including most clients SKUs) with volumes
hosted on a regular direct-attached disks, the implementation of
copy-on-write based snapshots is implemented by volsnap. Thus volsnap
(besides being a core part of the VSS infrastructure implementing
multi-volume flush-and-hold semantics) acts as the “VSS Provider”.

In a server system that interacts with a SAN for storage (i.e. there
are LUNs exposed by the SAN to the Windows system as disks), the SAN
vendor often ships a VSS Hardware Provider that the VSS service
interacts with. Note that all this interaction happens completely in
user mode using documented VSS -> Provider APIs as you have found in
the SDK. The SAN vendor, on top of the VSS Provider DLL, may also have
a driver that may interact with the provider DLL and LUNs for snapshot
purposes.

Having said all this, for tracking creation/write/modifications of
files in the file-system level, maybe just a file system filter should
be good enough with appropriate handling of the volsnap IOCTLs as MSDN
calls them out.

Thanks!

Hi,

Thanks for replying. Basically the driver that tracks modification is an upper volume filter driver.
@James Harper: My requirements are almost same as you mentioned, I want to take block level backup, so I require a copy on write snapshot for this purpose.
Should I go for mine own VSS driver implementation or the VSS service at the user space that comes with Microsoft will do?
If I need to develop the VSS driver then can I get any help from anywhere or are there any samples or documentation that I can refer? Should I develop a VSS writer or VSS provider?
Can I hold the write request and later allow the write request on a particular block?

>Should I go for mine own VSS driver implementation or the VSS service at
the user space that comes with Microsoft will do?

That depends on whether you want to take full volume backup everytime
(which will take considerable time depending on the volume size), or you
want to provide teh facility to take one full backup followed by
n-incremental backups, in these incrementals you will only store the
difference in the volume blocks from the time the base was taken.

If you want to give only full backup feature, you do not need any kernel
components, the user mode VSS api is good enough for you.

If you want to give incremental backup, then you might consider writing a
kernel mode WDM/KMDF driver (though that is not the only way to do it).
This kernel mode driver can be a volume filter which attaches itself above
or below the volume (depending on what level of fine tuning you want to
achieve) and will help you track writes to the volume below.

Again, this is not a trivial task, and as mentioned by folks before,
depending on what type of disk configurations you support (simple volume,
snapped volume, CSV, dynamic disks, storage pools etc) your dirver design
might change.

If I need to develop the VSS driver then can I get any help from anywhere
or are there any samples or documentation that I can refer?

If I know correctly, there are no samples available in the WDK for a volume
filter. WDK’s diskperf sample is the closest you can get, but it is a disk
upper filter, and you will need to modify it to attach to the volume stack.
There is an open source project called trucrypt (http://www.truecrypt.org/)
which as a working volume filter driver, you might want to use it as a
reference too, however, the purpose of trucrypt is volume encryption, and
not backup.

AB

On Tue, Oct 9, 2012 at 1:26 PM, wrote:

> Hi,
>
> Thanks for replying. Basically the driver that tracks modification is an
> upper volume filter driver.
> @James Harper: My requirements are almost same as you mentioned, I want to
> take block level backup, so I require a copy on write snapshot for this
> purpose.
> Should I go for mine own VSS driver implementation or the VSS service at
> the user space that comes with Microsoft will do?
> If I need to develop the VSS driver then can I get any help from anywhere
> or are there any samples or documentation that I can refer? Should I
> develop a VSS writer or VSS provider?
> Can I hold the write request and later allow the write request on a
> particular block?
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–

- ab

Hi,

Thanks amitr0 for replying and for your good explanation.
I know how to make the upper volume filter driver, I have modified the diskperf driver to work as upper volume filter driver, but I want to know any sample or documentation for kernel mode VSS so that it can help me to start working on VSS driver.
Also should I implement kernel mode VSS writer or VSS provider?

>I want to know any sample or documentation for kernel mode VSS so that it
can help me to start working on VSS driver.

As I said before I am not aware of any such sample. Also, what I explained
are a volume filter, it was NOT a VSS driver. It is possible to give
incremental backup facility without understanding any of the VSS IOCTLS
(even the flush and hold one).

Also should I implement kernel mode VSS writer or VSS provider?

You said you are working on backup, if you use the VSS provider you do not
need to implement your own. Same with a writer. All you need is a requestor
which is a user mode component.

A writer is required when you want to make changes in the snapshot, one
doesnt need it for a backup. The provider is required when you want to
provide your own snapshot/COW facility, I dont know whether you need that
or not. Depends on what your needs are, the default VSS provider is a good
enough provider for backups in my opinion.

We at NTDEV, can’t help you much unless you reveal the purpose and the
objectives in detail.

Hope this helps.

AB

On Tue, Oct 9, 2012 at 2:06 PM, wrote:

> Hi,
>
> Thanks amitr0 for replying and for your good explanation.
> I know how to make the upper volume filter driver, I have modified the
> diskperf driver to work as upper volume filter driver, but I want to know
> any sample or documentation for kernel mode VSS so that it can help me to
> start working on VSS driver.
> Also should I implement kernel mode VSS writer or VSS provider?
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–

- ab