Minifilter Unload

Hi all,

I am writing a minifilter driver. Let me know how it is possible that nobody can stop the driver.

Thanks

Don’t provide an Unload function for your driver or filter and you will be unstoppable!

Yes, who doesn’t love a shitty and poorly designed product.

-----Original Message-----
From: xxxxx@moka5.com
Sent: Monday, March 14, 2011 4:13 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Minifilter Unload

Don’t provide an Unload function for your driver or filter and you will be unstoppable!


NTFSD is sponsored by OSR

Another option is to have a FilterUnload function, and in that function you can return either:

  1. STATUS_SUCCESS - means you will allow unload
  2. STATUS_FLT_DO_NOT_DETACH - means you will NOT unload

Keep in mind, you should also control attach/detach of devices.
Define a FilterQueryTeardown function as well, and specify the same return values for when a volume may/may not be detached.

For instance in debug mode you may want to allow unload (easier debugging) and in release mode use some configuration to control the decision.

I don’t agree that stopping unload or detach is always bad, but it should be used carefully.

In security applications, it is often the case that you do not want to allow the standard unload or detach commands to be always active, but there should be some way for the end user to activate them, otherwise how do they uninstall?

In corporate environments, the computer belongs to the company, not the individual, thus the company should control what runs or doesn’t run on equipment they own. Allowing every person full administrative control of their machine is often unwise, and insecure.
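
The following is an added example, not code from any poster in this thread. It sketches the unload and teardown policy described above: refuse non-mandatory unload and detach unless a debug build or a configuration switch allows it. The typedefs and constants are stand-in definitions so the logic compiles in user mode (a real driver takes them from `<fltKernel.h>`), and `g_AllowUnload`, `g_UnregisterCalls` and the `Example*` names are hypothetical.

```c
#include <stdint.h>

/* Stand-in definitions for user-mode compilation (assumption: a real
   minifilter gets these types and constants from <fltKernel.h>). */
typedef int32_t  NTSTATUS;
typedef uint32_t FLT_FILTER_UNLOAD_FLAGS;
typedef uint32_t FLT_INSTANCE_QUERY_TEARDOWN_FLAGS;
typedef const void *PCFLT_RELATED_OBJECTS;
#define STATUS_SUCCESS                   ((NTSTATUS)0x00000000)
#define STATUS_FLT_DO_NOT_DETACH         ((NTSTATUS)0xC01C0010)
#define FLT_FILTER_UNLOAD_FLAG_MANDATORY 0x00000001u

/* Hypothetical policy switch. A real product would set it only through a
   protected path, e.g. its own uninstaller talking to the driver. */
static volatile int g_AllowUnload = 0;
static int g_UnregisterCalls = 0;   /* stand-in for observable cleanup */

static void ExampleCleanup(void)
{
    /* Real driver: FltUnregisterFilter(gFilterHandle) and free resources. */
    g_UnregisterCalls++;
}

static int ExamplePolicyAllows(void)
{
#if defined(DBG) && DBG
    return 1;                       /* debug build: always allow unload */
#else
    return g_AllowUnload != 0;      /* release build: configuration decides */
#endif
}

/* FilterUnload callback: a mandatory unload cannot be refused, so it must
   always clean up; only a non-mandatory request is subject to policy. */
NTSTATUS ExampleFilterUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    if (!(Flags & FLT_FILTER_UNLOAD_FLAG_MANDATORY) && !ExamplePolicyAllows())
        return STATUS_FLT_DO_NOT_DETACH;
    ExampleCleanup();
    return STATUS_SUCCESS;
}

/* Query-teardown callback: the same policy applied to manual volume detach. */
NTSTATUS ExampleInstanceQueryTeardown(PCFLT_RELATED_OBJECTS FltObjects,
                                      FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags)
{
    (void)FltObjects; (void)Flags;
    return ExamplePolicyAllows() ? STATUS_SUCCESS : STATUS_FLT_DO_NOT_DETACH;
}
```

Keeping the decision in one function means the unload and detach paths cannot drift apart, and the uninstaller only has to flip one switch.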