During restart the ndis driver sometimes does not read values from the registry

NTDEV
1

Hello,

I have a problem with my ndis filter driver by reading values from the registry.

A user application is writing values into the registry and after that it calls an IOControl request. In this request the function “NdisFRestartFilter” is called and the driver interface will be restarted.
During the restart the driver is reading values from the registry by calling ZwOpenKey routine.
The path in the registry for the values to read and write are “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ndisDriver\CONF”.

The problem is that the driver sometimes does not read/get any values from the registry, although those registry keys have been written before by the user land application.
If I build the driver with log messages, which is written into a file, the problem does not occur so often as without logging.
I think it can be a timing problem.

The operation system in which the driver is running is windows 7 64bit.

I hope anyone can help me to solve this issue?

2

> The problem is that the driver sometimes does not read/get any values from the registry, although

those registry keys have been written before by the user land application.

Wow32 registry redirection for a user app?


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

3

Driver and user land application are both build as 64bit.

4

Addition information:

Driver and user application are running on the same pc.
The problem is occured only on “real” hardware, not by testing in VMWare (os also Windows 7 64bit).

Code extract for write key in user land application:


wchar_t wRegPathComp[2048];
DWORD dwReturn = 0;
ULONG key1 = 5;
char Guid= “{8F3A08E7-2912-4041-8776-FE32C62EE548}-{A114D25F-FE31-41EE-AF0E-E4CBE3799DCD}-0000”;
wchar_t wcGuid[512];
DWORD GuidLength = 0;
DWORD dwBufLength = 512;

swprintf(wRegPathComp,
2048,
L"%hs%hs",
“SYSTEM\ControlSet001\services\bsptreiber\CONF”,
“TestKey”);
/* Src_IP */
if((dwReturn = RegSetKeyValue(USERLAND_HKEY,
wRegPathComp,
“Key1”,
REG_DWORD,
(void*)&(key1),
sizeof(key1))) == 0)
{
swprintf(wcGuid, 512, L"%hs", Guid);
GuidLength = (DWORD)wcslen(wcGuid)* sizeof(WCHAR);
bResult = DeviceIoControl(hTreiber,
IOCTL_FILTER_RESTART_ONE_INSTANCE,
wcGuid,
GuidLength,
NULL,
0,
&dwBufLength,
NULL);
}

}

Code extract for reading key in ndis filter driver:

Use_decl_annotations
NTSTATUS
bsptreiberDeviceIoControl(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
)
{

case IOCTL_FILTER_RESTART_ONE_INSTANCE:
InputBuffer = OutputBuffer = (PUCHAR)Irp->AssociatedIrp.SystemBuffer;
InputBufferLength = IrpSp->Parameters.DeviceIoControl.InputBufferLength;

pFilter = filterFindFilterModule (InputBuffer, InputBufferLength);
if (pFilter == NULL)
{
break;
}
Status = NdisFRestartFilter(pFilter->FilterHandle);
break;

}

IRQL_requires_max(DISPATCH_LEVEL)
PMS_FILTER
filterFindFilterModule(
In_reads_bytes(BufferLength)
PUCHAR Buffer,
In ULONG BufferLength
)
{

PMS_FILTER pFilter;
PLIST_ENTRY Link;
BOOLEAN bFalse = FALSE;

FILTER_ACQUIRE_LOCK(&FilterListLock, bFalse);

Link = FilterModuleList.Flink;

while (Link != &FilterModuleList)
{
pFilter = CONTAINING_RECORD(Link, MS_FILTER, FilterModuleLink);

if (BufferLength >= pFilter->FilterModuleName.Length)
{
if (NdisEqualMemory(Buffer, pFilter->FilterModuleName.Buffer, pFilter->FilterModuleName.Length))
{
FILTER_RELEASE_LOCK(&FilterListLock, bFalse);
return pFilter;
}
}
Link = Link->Flink;
}
FILTER_RELEASE_LOCK(&FilterListLock, bFalse);
return NULL;
}

Use_decl_annotations
NDIS_STATUS
FilterRestart(
NDIS_HANDLE FilterModuleContext,
PNDIS_FILTER_RESTART_PARAMETERS RestartParameters
)
{
wchar_t keyDest[2048];
HANDLE pHandleRegKey;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING RegistryKeyName;
ULONG ulResult = 0;
PKEY_VALUE_PARTIAL_INFORMATION regValBuffer = NULL;

ntStatus = RtlStringCbPrintfW(keyDest,
2048,
L"%hs%hs",
“SYSTEM\ControlSet001\services\bsptreiber\CONF”,
“TestKey”);
if (ntStatus == STATUS_SUCCESS)
{
ntStatus = ZwOpenKey(&HandleRegKey,
KEY_READ,
&ObjectAttributes);
RtlInitUnicodeString(&RegistryKeyName,
keyDest);
InitializeObjectAttributes(&ObjectAttributes,
&RegistryKeyName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL, // handle
NULL);
RtlInitUnicodeString(&RegistryKeyName, L"Key1");
ntStatus = ZwQueryValueKey(handleRegKey,
&RegistryKeyName,
KeyValuePartialInformation,
NULL,
0,
&ulResult);
if ((ntStatus != STATUS_BUFFER_TOO_SMALL) && (ntStatus != STATUS_BUFFER_OVERFLOW))
{
DEBUGP(DL_TRACE, “ZwQueryValueKey failed %x\n”, ntStatus);
}
else
{
regValBuffer = (PKEY_VALUE_PARTIAL_INFORMATION)FILTER_ALLOC_MEM(FilterModuleContext, ulResult);
if (regValBuffer != NULL)
{
ntStatus = ZwQueryValueKey(handleRegKey,
&RegistryKeyName,
KeyValuePartialInformation,
regValBuffer,
ulResult,
&ulResult);
}
}

}

5

Your application updates the registry and then restarts the driver?

I suspect you may be falling foul of Registry lazy flushing, where the probability of hitting the problem you describe depends on where you are in the regular flush cycle.

See the description of RegFlushKey function at https://msdn.microsoft.com/en-us/library/windows/desktop/ms724867.aspx
for more information.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-596699-
xxxxx@lists.osr.com] On Behalf Of xxxxx@siemens.com
Sent: 27 November 2015 09:07
To: Windows System Software Devs Interest List
Subject: [ntdev] During restart the ndis driver sometimes does not read
values from the registry

Hello,

I have a problem with my ndis filter driver by reading values from the
registry.

A user application is writing values into the registry and after that
it calls an IOControl request. In this request the function
“NdisFRestartFilter” is called and the driver interface will be
restarted.
During the restart the driver is reading values from the registry by
calling ZwOpenKey routine.
The path in the registry for the values to read and write are
“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ndisDriver\CONF”.

The problem is that the driver sometimes does not read/get any values
from the registry, although those registry keys have been written
before by the user land application.
If I build the driver with log messages, which is written into a file,
the problem does not occur so often as without logging.
I think it can be a timing problem.

The operation system in which the driver is running is windows 7 64bit.

I hope anyone can help me to solve this issue?

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
This email message has been delivered safely and archived online by Mimecast.

For more information please visit http://www.mimecast.com

6

Why do you think that lazy flushing would cause this for a *driver* unload/reload (versus non-graceful whole machine restart)?

Flushing only has to do with making changes persisted to disk rather than publishing them to other applications that may query the registry.

  • S (Msft)

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David Boyce
Sent: Friday, November 27, 2015 7:34 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] During restart the ndis driver sometimes does not read values from the registry

Your application updates the registry and then restarts the driver?

I suspect you may be falling foul of Registry lazy flushing, where the probability of hitting the problem you describe depends on where you are in the regular flush cycle.

See the description of RegFlushKey function at https://msdn.microsoft.com/en-us/library/windows/desktop/ms724867.aspx
for more information.

> -----Original Message-----
> From: xxxxx@lists.osr.commailto:xxxxx [mailto:bounce-596699-
> xxxxx@lists.osr.commailto:xxxxx] On Behalf Of xxxxx@siemens.commailto:xxxxx
> Sent: 27 November 2015 09:07
> To: Windows System Software Devs Interest List
> Subject: [ntdev] During restart the ndis driver sometimes does not read
> values from the registry
>
> Hello,
>
> I have a problem with my ndis filter driver by reading values from the
> registry.
>
> A user application is writing values into the registry and after that
> it calls an IOControl request. In this request the function
> “NdisFRestartFilter” is called and the driver interface will be
> restarted.
> During the restart the driver is reading values from the registry by
> calling ZwOpenKey routine.
> The path in the registry for the values to read and write are
> “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ndisDriver\CONF”.
>
> The problem is that the driver sometimes does not read/get any values
> from the registry, although those registry keys have been written
> before by the user land application.
> If I build the driver with log messages, which is written into a file,
> the problem does not occur so often as without logging.
> I think it can be a timing problem.
>
> The operation system in which the driver is running is windows 7 64bit.
>
> I hope anyone can help me to solve this issue?
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer


This email message has been delivered safely and archived online by Mimecast.
For more information please visit http://www.mimecast.com


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx></mailto:xxxxx></mailto:xxxxx>

7

It’s my speculation only (hence the ‘suspect’ and may’); I felt that the documentation left sufficient doubt about whether the ‘visible to other processes’ statement applied to only to user-land processes or also to kernel processes to make it worth offering the suggestion. If the OP find it helps, then good. If it doesn’t then undo it. It’s a simple thing to test.

I *have* encountered difficulties in the past with persisting registry changes (and file content changes) in the context of a non-graceful whole machine restart (zealous QA wanting to ensure that the driver really was installed when the installing software said it was) which were only adequately addressed by flushing.

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Skywing
Sent: 27 November 2015 18:17
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] During restart the ndis driver sometimes does not read values from the registry

Why do you think that lazy flushing would cause this for a *driver* unload/reload (versus non-graceful whole machine restart)?

Flushing only has to do with making changes persisted to disk rather than publishing them to other applications that may query the registry.

  • S (Msft)

From: xxxxx@lists.osr.commailto:xxxxx [mailto:xxxxx@lists.osr.com] On Behalf Of David Boyce
Sent: Friday, November 27, 2015 7:34 AM
To: Windows System Software Devs Interest List >
Subject: RE: [ntdev] During restart the ndis driver sometimes does not read values from the registry

Your application updates the registry and then restarts the driver?

I suspect you may be falling foul of Registry lazy flushing, where the probability of hitting the problem you describe depends on where you are in the regular flush cycle.

See the description of RegFlushKey function at https://msdn.microsoft.com/en-us/library/windows/desktop/ms724867.aspx
for more information.

> -----Original Message-----
> From: xxxxx@lists.osr.commailto:xxxxx [mailto:bounce-596699-
> xxxxx@lists.osr.commailto:xxxxx] On Behalf Of xxxxx@siemens.commailto:xxxxx
> Sent: 27 November 2015 09:07
> To: Windows System Software Devs Interest List
> Subject: [ntdev] During restart the ndis driver sometimes does not read
> values from the registry
>
> Hello,
>
> I have a problem with my ndis filter driver by reading values from the
> registry.
>
> A user application is writing values into the registry and after that
> it calls an IOControl request. In this request the function
> “NdisFRestartFilter” is called and the driver interface will be
> restarted.
> During the restart the driver is reading values from the registry by
> calling ZwOpenKey routine.
> The path in the registry for the values to read and write are
> “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ndisDriver\CONF”.
>
> The problem is that the driver sometimes does not read/get any values
> from the registry, although those registry keys have been written
> before by the user land application.
> If I build the driver with log messages, which is written into a file,
> the problem does not occur so often as without logging.
> I think it can be a timing problem.
>
> The operation system in which the driver is running is windows 7 64bit.
>
> I hope anyone can help me to solve this issue?
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

This email message has been delivered safely and archived online by Mimecast.
For more information please visit http://www.mimecast.com


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
This email message has been delivered safely and archived online by Mimecast.

For more information please visit http://www.mimecast.com</mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx>

8

Isn’t there be a consistent view of the registry (above the lazy writer) for both drivers and apps?


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
“David Boyce” wrote in message news:xxxxx@ntdev…
Your application updates the registry and then restarts the driver?

I suspect you may be falling foul of Registry lazy flushing, where the probability of hitting the problem you describe depends on where you are in the regular flush cycle.

See the description of RegFlushKey function at https://msdn.microsoft.com/en-us/library/windows/desktop/ms724867.aspx
for more information.

> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:bounce-596699-
> xxxxx@lists.osr.com] On Behalf Of xxxxx@siemens.com
> Sent: 27 November 2015 09:07
> To: Windows System Software Devs Interest List
> Subject: [ntdev] During restart the ndis driver sometimes does not read
> values from the registry
>
> Hello,
>
> I have a problem with my ndis filter driver by reading values from the
> registry.
>
> A user application is writing values into the registry and after that
> it calls an IOControl request. In this request the function
> “NdisFRestartFilter” is called and the driver interface will be
> restarted.
> During the restart the driver is reading values from the registry by
> calling ZwOpenKey routine.
> The path in the registry for the values to read and write are
> “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ndisDriver\CONF”.
>
> The problem is that the driver sometimes does not read/get any values
> from the registry, although those registry keys have been written
> before by the user land application.
> If I build the driver with log messages, which is written into a file,
> the problem does not occur so often as without logging.
> I think it can be a timing problem.
>
> The operation system in which the driver is running is windows 7 64bit.
>
> I hope anyone can help me to solve this issue?
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

------------------------------------------------------------------------------
This email message has been delivered safely and archived online by Mimecast.
For more information please visit http://www.mimecast.com
------------------------------------------------------------------------------