Re[2]: Problem loading drivers in 64-bit Vista and a question...

NTFSD
1

What I see as weird here is the returned error code. You said it’s
0x800704fb, which means Win32 error 1275 (ERROR_DRIVER_BLOCKED).
When I was playing with it, Windows refused to load improperly
signed driver with error code 577 (ERROR_INVALID_IMAGE_HASH).

Not sure why the error code is different, but you can check
a few things:

  1. What does happen on 32-bit windows ? Does the driver load ?

  2. Try to enable test-signed drivers either using “bcdedit.exe”,
    “BCD Editor” (http://www.zezula.net/en/fstools/bcdeditor.html),
    or FileSpy’s tool. Be sure that you reboot, and that you see
    “Test Mode” strings on your desktop.

  3. Are you sure that the service is installed for the driver ?
    (i.e. is the appropriate registry item there ?)

  4. You are loading a mini-filter, are you sure the registry
    structure for it is proper, e.g. there is altitudes key, etc. ?

  5. Aren’t you, by any chance, loading minispy from WDK ? If yes,
    then there might be conflict with the FileTrace minifilter,
    which is part of Vista. This minifilter has been derived from
    WDK Minispy, but MS people somehow forgot to assign new altitude
    either for Minispy or for FileTrace.

L.

2

Lad,

Ladislav Zezula wrote:

What I see as weird here is the returned error code. You said it’s
0x800704fb, which means Win32 error 1275 (ERROR_DRIVER_BLOCKED).
When I was playing with it, Windows refused to load improperly
signed driver with error code 577 (ERROR_INVALID_IMAGE_HASH).

FLTMC command returns ERROR_DRIVER_BLOCKED. The boot process and event
viewer error log would display ERROR_INVALID_IMAGE_HASH.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

3

(I’m not sure why this thread is splited into two parts, I’ll just continue here…)

Thanks for help everyone. I think I solved the problem - I can load the driver now and things *seem* to work (I hope I’m not saying this too fast, but it’s a progress), thanks mainly to point 5 of Ladislav’s post.

Indeed it seems that WDK minispy example is incompatible with other, already-running filters, and that’s why it won’t load. I tried to test-sign some other examples (like scanner) and they work without problems. I still don’t know why my own driver didn’t load, but I guess it has some problems similar to minispy example. I’ve rewritten the .ini, tried different altitudes etc., but nothing helped - I then created a clean project and the same code works (for now), so I think I’m on the right track here.

To answer other questions…

Ladislav:
“>1) What does happen on 32-bit windows ? Does the driver load ?”
I don’t have a copy of 32-bit vista around right now, but my bet is it loads with no problems, as long as there are no other conflicts (e.g. minispy).

“>2) Try to enable test-signed drivers either using “bcdedit.exe”…”
Did that and it works - at least for examples not named minispy…

">3) Are you sure that the service is installed for the driver ? (i.e. is the appropriate registry item there ?) "
I’m not 100% sure that I haven’t missed something, but yeah, considering that now only minifilter is problematic, I’m pretty sure.
Same for 4.)

“>5) Aren’t you, by any chance, loading minispy from WDK?..”
You just saved me a lot of time, thank you, that did it. I’m not sure why, but WDK examples other than minispy work.

Dejan: yes, I followed the instructions… thanks for the tip about filtering.

Ayush: none of these were problematic, I’d taken that into account before.

Again, thanks everyone, hopefully I’ll get things running now…