IRP_MJ_SHUTDOWN in minifilter

Ladies and Gentlemen,

I am trying to write a registry value upon receiving IRP_MJ_SHUTDOWN within
my minifilter.

  1. ZwSetValueKey fails (0xC000009A)

  2. RtlWriteRegistryValue fails (mumbling something about calling this API
    after shutdown is an unwise idea)

  3. When I tried to use device objects and IoRegisterShutdownNotification()
    API setting DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] in my DriverEntry(),
    the dispatch routine was not even called and I think it’s somehow overridden
    by the Filter Manager.

I’ve been running through the forum, but still the refusal of the OS to
write the registry upon shutdown is rather enigmatic.

Any help would be appreciated,

Dmitry.

BTW, FltCreateFile() and FltWriteFile() both work correctly under these
conditions…

One thing that I can say is that the registry calls have to be made at PASSIVE_LEVEL and IRP_MJ_SHUTDOWN comes at APC_LEVEL. So, anyways it is incorrect to call registry functions in IRP_MJ_SHUTDOWN’s callback.

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/

— On Sun, 19/4/09, Dmitry G wrote:

> From: Dmitry G
> Subject: [ntfsd] IRP_MJ_SHUTDOWN in minifilter
> To: “Windows File Systems Devs Interest List”
> Date: Sunday, 19 April, 2009, 7:09 PM
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online
> at http://www.osronline.com/page.cfm?name=ListServer
>

Ayush, thanks for a quick reply. A couple of misunderstandings though:

  1. http://msdn.microsoft.com/en-us/library/ms810029.aspx#irql_sched_topic3
    states Shutdown is called at PASSIVE for legacy FS drivers. But WDK states
    Shutdown is called at APC for minifilters. Why are minifilters more limited
    in that case?

  2. KeGetCurrentIrql() states IRQL == PASSIVE always in my IRP_MJ_SHUTDOWN
    callback, but still the code for writing registry doesn’t work and returns
    0xc000009a.

  3. FltCreateFile() and FltWriteFile() are supposed to work at PASSIVE but
    both miraculously work in the aforesaid callback.

  4. FltQueueGenericWorkItem() issued from IRP_MJ_SHUTDOWN callback, which is
    guaranteed to run at PASSIVE still fails to write the registry.

Am I completely lost here?
Regards,
Dmitry.

> 1. http://msdn.microsoft.com/en-us/library/ms810029.aspx#irql_sched_topic3
> states Shutdown is called at PASSIVE for legacy FS drivers. But WDK states
> Shutdown is called at APC for minifilters. Why are minifilters more limited
> in that case?

I had seen it in the WDK documentation.

Well… http://msdn.microsoft.com/en-us/library/ms790762.aspx also states that it is called at APC_LEVEL. However, as per the link you mentioned, it is PASSIVE_LEVEL.

> 2. KeGetCurrentIrql() states IRQL == PASSIVE always in my IRP_MJ_SHUTDOWN
> callback, but still the code for writing registry doesn’t work and returns
> 0xc000009a.

If KeGetCurrentIrql returns PASSIVE_LEVEL then IT SHOULD be at PASSIVE_LEVEL. :)

The disassembly of NtSetValueKey shows that it uses ExAllocatePoolWithQuotaTag. Maybe this is failing. Can you try calling ExAllocatePoolWithQuotaTag in your IRP_MJ_SHUTDOWN dispatch routine and see whether it is succeeding or not?

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/

PVOID pool0 = ExAllocatePoolWithQuotaTag(NonPagedPool, PAGE_SIZE, 'abcd');
PVOID pool1 = ExAllocatePoolWithQuotaTag(PagedPool, PAGE_SIZE, 'abcd');

Both worked.

This means that there is no problem allocating memory as such.

Can you put a breakpoint at CmSetValueKey and try to debug what it does when it gets called?

Do this when you are in IRP_MJ_SHUTDOWN callback and you call ZwSetValueKey.
Try to get to CmSetValueKey in that call and see what it is trying to do.

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/

— On Mon, 20/4/09, Dmitry G wrote:

> From: Dmitry G
> Subject: Re:[ntfsd] Re:IRP_MJ_SHUTDOWN in minifilter
> To: “Windows File Systems Devs Interest List”
> Date: Monday, 20 April, 2009, 3:09 PM

The problem you’re having is a design problem. Attempting to write to the
registry at this point in shutdown will seldom ‘IF’ ever work. The
Configuration Manager has its own caching rules.

It has a long delay on its flush, and there isn’t much I know of you can do
about it.

The return codes you’re seeing are correct, however, those are for operations
on paged memory and as you have seen never get flushed to the file system.

The “mumbling something about calling this API after shutdown is an unwise
idea” is a legitimate message, research it a little.

Hi Matt,

> It has a long delay on its flush, and there isn’t much I know of you can do
> about it.
>
> The return codes you’re seeing are correct, however, those are for operations
> on paged memory and as you have seen never get flushed to the file system.

IIRC, the restrictions related to pageable memory are applicable in case the shutdown notification was registered using IoRegisterLastChanceShutdownNotification.

> The “mumbling something about calling this API after shutdown is an unwise
> idea” is a legitimate message, research it a little.

But the STATUS_INSUFFICIENT_RESOURCES error returned by ZwSetValueKey is peculiar. :(

Regards,
Ayush Gupta
http://windows-internals.blogspot.com/

Ayush,

This is one of the threads I was remembering from several years ago.

http://www.osronline.com/showThread.cfm?link=86315

"If you mean to process IRP_MJ_SHUTDOWN, this will not work.
IIRC it is too late to write to the registry when IRP_MJ_SHUTDOWN
arrives to the driver."

I remember a handful of other threads that stated the same,
however, those and I could be wrong…

However, I do seem to recall reading about this behavior in some
book or article also - but then again that could just be my
imagination.

Matt

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Ayush Gupta
Sent: Monday, April 20, 2009 6:01 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] IRP_MJ_SHUTDOWN in minifilter

I think that, at this moment, the FSD is already partially shut down and cannot execute the page flushes to the hive file.

This causes the Cm’s registry code to be already half-dead at this moment.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Thanks for your inputs, I am saving my data using files instead of registry
now, though it still seems rather strange there is no reliable way to update
registry upon shutdown…
