NDIS LWF INF file - LowerExclude

Hello.

We have a LWF driver which, based on WDK NDIS LWF driver, intercepts NDIS packets.

The associated INF file is configured as follows:

  • FilterClass -> compression
  • FilterType -> 0x00010001,0x00000002
  • UpperRange -> “noupper”
  • LowerRange -> “nolower”
  • FilterMediaTypes -> “ethernet, tokenring, fddi, wan”
  • FilterRunType -> 0x00010001, 2 ; OPTIONAL Filter | This is an optional filter module

We would like to avoid attaching to certain types of adapters. This means FilterAttach of our LWF would not be called for them. The first question is: Is this possible?

Investigating, we have bumped into what seems to be an alternative. Several NDIS filter drivers' INF files include the following line:

HKR, Ndi\Interfaces, LowerExclude, , "ndisatm, ndiscowan, ndiswan, ndiswanasync, ndiswanipx, ndiswannbf"

Unfortunately we have not found detailed documentation about how this technique works. We would like to know:

1- What is LowerExclude, how does it work, and how must it be configured?

2- What are the outcomes of including those types of adapters in the LowerExclude line?

3- What do the values included in the parameter list refer to? For example, are they “MatchingDeviceId” entries from the adapters registry keys?

We would be grateful if you could help us with this issue.
Thank you in advance,

> We would like to avoid attaching to certain types of adapters. This means
> FilterAttach of our LWF would not be called for them. The first question is:
> Is this possible?

Yes. But then again, your filter *could* just go into bypass mode if it
does not like the MAC it is bound to. It could also include NotifyObject
which figures this out at install/config time and disables the binding path.

> Investigating we have bumped into what seems to be an alternative. Several
> ndis filter drivers inf files include the following line:
> HKR, Ndi\Interfaces, LowerExclude, , "ndisatm, ndiscowan, ndiswan,
> ndiswanasync, ndiswanipx, ndiswannbf"
> Unfortunately we have not found detailed documentation about how this
> technique works.

Yeah, that is unfortunate. Mostly black majik IIRC that might have been
documented ‘sort-of’ in the NT 3.5/4.0 DDK timeframe.

> We would like to know:
> 1- What is LowerExclude, how does it work, and how must it be configured?

It is a directive to the binding engine to filter out from binding
consideration otherwise matching lower binding partners that declare
themselves to have that upper edge. What I cannot remember is if that
‘declaration’ is the value specified in UpperRange or in BindForm.

> 2- What are the outcomes of including those types of adapters in the
> LowerExclude line?

The outcome is that the binding engine will not bind your filter (NetService
in this case) to those MACs.

> 3- What do the values included in the parameter list refer to? For
> example, are they “MatchingDeviceId” entries from the adapters registry
> keys?

They refer to the HKR,Ndi\Interfaces,UpperRange value or the
HKR,Ndi,BindForm value. I just don’t recall which.

And just so this is all clear as mud, the “binding engine” is part of the class
installer that runs to install network components. It decides and
calculates the binding policy expressed in the registry in a form that NDIS
reads and then effects those bindings at runtime. So when talking about
the binding engine we are talking about an install/configure time operation
that is *not* the same as the NDIS runtime “binding” operation.

Good Luck,
Dave Cattley
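
The install-time exclusion described in the reply above, as an added example that is not part of the original thread: it parses the `Ndi\Interfaces` AddReg lines of an INF and lists the adapters a `LowerExclude` list would remove from binding consideration, which is also the set of adapters the filter will never see traffic on. It assumes the value compared is each adapter's UpperRange (the reply leaves open whether it is UpperRange or BindForm); the section name, adapter names and their upper-edge values are constructed.

```python
# Constructed INF fragment built from the values quoted in the question;
# the section name is hypothetical.
SAMPLE_INF = r'''
[FilterStandard.reg]
HKR, Ndi, FilterClass, , compression
HKR, Ndi\Interfaces, UpperRange, , "noupper"
HKR, Ndi\Interfaces, LowerRange, , "nolower"
HKR, Ndi\Interfaces, LowerExclude, , "ndisatm, ndiscowan, ndiswan, ndiswanasync, ndiswanipx, ndiswannbf"
HKR, Ndi\Interfaces, FilterMediaTypes, , "ethernet, tokenring, fddi, wan" ; media list
'''

# Constructed adapters and the upper-edge names they are assumed to declare.
ADAPTERS = {
    "Constructed Ethernet NIC": ["ndis5"],
    "Constructed WAN miniport": ["ndiswan"],
    "Constructed ATM adapter": ["ndisatm"],
}

def split_fields(line):
    """Split one INF line on commas, honouring double quotes and ';' comments."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted          # quotes delimit a field, they are not data
        elif ch == ';' and not quoted:
            break                        # rest of the line is a comment
        elif ch == ',' and not quoted:
            fields.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    fields.append(''.join(cur).strip())
    return fields

def ndi_interfaces(inf_text):
    """Return {value name: [items]} for every 'HKR, Ndi/Interfaces' AddReg line."""
    out = {}
    for line in inf_text.splitlines():
        f = split_fields(line)
        if len(f) >= 5 and f[0].upper() == 'HKR' and f[1].lower() == r'ndi\interfaces':
            out[f[2].lower()] = [v.strip().lower() for v in f[4].split(',') if v.strip()]
    return out

def excluded_adapters(inf_text, adapters):
    """Names of adapters whose declared upper edge appears in LowerExclude."""
    exclude = set(ndi_interfaces(inf_text).get('lowerexclude', []))
    return sorted(n for n, upper in adapters.items()
                  if exclude & {u.lower() for u in upper})

if __name__ == "__main__":
    for name in excluded_adapters(SAMPLE_INF, ADAPTERS):
        print("not bound:", name)
```
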

I wrote a bit about the LowerExclude flag, in case you’re curious exactly what it does and what it’s good for. Spoiler: not much.

https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/d5aef64d-8af6-4a1e-a8ec-0f4c7de0b9cc/ndis-lightweight-filter-inf-file-how-does-lowerexclude-work?forum=wdk

> the “binding engine” is part of the class installer that runs to install network components.

Hmm… class installers are deprecated. I’ll have to see what I can do about this.