Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Upcoming OSR Seminars | ||
---|---|---|
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
Kernel Debugging | 9-13 Sept 2024 | Live, Online |
Developing Minifilters | 15-19 July 2024 | Live, Online |
Internals & Software Drivers | 11-15 Mar 2024 | Live, Online |
Writing WDF Drivers | 20-24 May 2024 | Live, Online |
Comments
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/writing-preoperation-callback-routines
"Like a dispatch routine, a preoperation callback routine can be called at IRQL = PASSIVE_LEVEL or at IRQL = APC_LEVEL. Typically it is called at IRQL = PASSIVE_LEVEL, in the context of the thread that originated the I/O request. For fast I/O and file system filter (FsFilter) operations, the preoperation callback routine is always called at IRQL = PASSIVE_LEVEL. However, for an IRP-based operation, a minifilter driver's preoperation callback routine can be called in the context of a system worker thread if a higher filter or minifilter driver pends the operation for processing by the worker thread."
https://social.msdn.microsoft.com/Forums/en-US/acbdf5a7-f2db-45ff-a9ba-4a56a594cb50/minifitler-irql?forum=wdk
"In general assume the IRQL can be DISPATCH_LEVEL, except for PreCreate which is guaranteed to be PASSIVE_LEVEL."
Should I also mark functions PAGED when I call them inside functions with PASSIVE_LEVEL? For example I have function ReplaceCharacters that I use in preoperation. Should it be marked PAGED too?
>
> Should I always mark my functions as PAGED in mini-filter?
A function can be safely placed in the paged section only if
ALL the following conditions are true:
1. The function is never called at DISPATCH_LEVEL or higher.
2. The function is not raises IRQL to DISPATCH_LEVEL or higher,
directly or indirectly.
3. The function is not involved in the page fault handling
(i.e. is not called on paging I/O path).
4. The function is not calls other functions that may
violate the rules above.
Also, some type of drivers (for example, storage drivers)
must be in resident memory all of the time.
----
In my opinion, the 'paged code' was designed for very limited and
very specific cases. Today, it has no benefits except a little
(microscopic!) economy of system resources when code is paged out.
On other side, the paging of code may lead to phantom bugs that
are really hard to diagnose. And most of time you will try to
solve the big problem: "to page or not to page"
Instead of doing your business...
So, my answer is: you should not.
are things like support for WMI, and other non-operational (i.e. not
directly involved with storage I/O) functions.
Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Friday, December 29, 2017 4:24 PM
To: Windows File Systems Devs Interest List <[email protected]>
Subject: RE:[ntfsd] Should I always mark my functions as PAGED in
mini-filter?
James Danks wrote:
>
> Should I always mark my functions as PAGED in mini-filter?
A function can be safely placed in the paged section only if ALL the
following conditions are true:
1. The function is never called at DISPATCH_LEVEL or higher.
2. The function is not raises IRQL to DISPATCH_LEVEL or higher,
directly or indirectly.
3. The function is not involved in the page fault handling
(i.e. is not called on paging I/O path).
4. The function is not calls other functions that may
violate the rules above.
Also, some type of drivers (for example, storage drivers) must be in
resident memory all of the time.
----
In my opinion, the 'paged code' was designed for very limited and very
specific cases. Today, it has no benefits except a little
(microscopic!) economy of system resources when code is paged out.
On other side, the paging of code may lead to phantom bugs that are really
hard to diagnose. And most of time you will try to solve the big problem:
"to page or not to page" Instead of doing your business...
So, my answer is: you should not.
---
NTFSD is sponsored by OSR
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at <http://www.osr.com/seminars>
To unsubscribe, visit the List Server section of OSR Online at
<http://www.osronline.com/page.cfm?name=ListServer>
Thanks.
mini-filter level. I have written a number of disk filters that have some
paged routines. I have also written storport drivers with some paged
routines.
Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Saturday, December 30, 2017 8:34 PM
To: Windows File Systems Devs Interest List <[email protected]>
Subject: RE:[ntfsd] Should I always mark my functions as PAGED in
mini-filter?
Don, is your statement "In general assume the IRQL can be DISPATCH_LEVEL,
except for PreCreate which is guaranteed to be PASSIVE_LEVEL" in regards to
the PreOperation for IRP_MJ_CREATE ? I assume so, but you know how
assumptions go.
Thanks.
---
NTFSD is sponsored by OSR
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at <http://www.osr.com/seminars>
To unsubscribe, visit the List Server section of OSR Online at
<http://www.osronline.com/page.cfm?name=ListServer>
>
> It's easy to just say, forget it, everything is non-paged, but there must
> be some sort of standard?
Yes:
Dispatch Routine IRQL and Thread Context
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/dispatch-routine-irql-and-thread-context
Great!!
Now if MS would put back their little yellow printer icon on their website... The web browsers nowadays don't do a very good job.