Detecting driver load at boot time

Hello,

I have a kernel driver configured with SERVICE_BOOT_START. This driver can also be load/unloaded using sc start/stop commands.

Is there any built-in API that I can call from DriverEntry to detect if the driver is being automatically loaded during the boot sequence vs. someone explicitly starting it using sc or equivalent command.

The reason I need to do this is: When the driver is loaded at boot time, I need to defer my initialization to a reinit routine using IoRegisterBootDriverReinitialization (since file system symlinks are not ready at this point). However, when the driver is explicitly started, I can do all the initialization from DriverEntry itself. Further, using IoRegisterBootDriverReinitialization has no effect when the driver is explicitly started after booting the system.

Please advice.

Thanks.
-Prasad

> Is there any built-in API that I can call from DriverEntry to detect if the driver is being automatically

loaded during the boot sequence vs. someone explicitly starting it using sc or equivalent command.

IIRC there was a global called “InitializationPhase”.

BTW, you can always register IoRegisterDriverReinitialization


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Maxim,

Thanks for your response. I noticed InitializationPhase, however, it’s not exported.

I am not sure if using IoRegisterDriverReinitialization will call my reinit routine at same time as IoRegisterBootDriverReinitialization during the boot sequence.

Basically, I need to ensure that my reinit routine gets called as early as possible during the boot sequence. I am doing this to workaround a limitation where I am not able to access file systems from DriverEntry.

Thanks.
-Prasad

You can try to open \Registry\Machine\Software hive, if it fails, the hive
hasn’t been mounted yet => boot time.

Or you can look up some system processes (e.g. smss.exe, services.exe) with
undocumented ZwQuerySystemInformation/ SystemProcessInformation(5), if it’s
not running => boot time

Or you can query \SystemRoot symbolic link, if it doesn’t exist => boot time
(the link is created in post-boot phase)