Sending IOCTL from minifilter to legacy driver above it

Hi there,

I’ve a legacy FS filter driver and a minifilter driver. The minifilter is at a lower altitude and is in a different frame from the legacy driver. I intend to have the minifilter send an IOCTL to the other driver via FltDeviceIoControlFile.

Unfortunately, I was unsuccessful as I found that FltDeviceIoControlFile is directed downwards along the driver stack. I also found that functions such as FltEnumerateInstances and FltGetTopInstance only return instances from the current frame - therefore I was unable to get any minifilter instance located above the legacy driver.

Thus would ZwDeviceIoControlFile be my only solution, or are there any others? Thanks for looking!

Turns out ZwDeviceIoControlFile does not work either. It returns STATUS_INVALID_PARAMETER just like FltDeviceIoControlFile. Seems like there’s no way to send IOCTLs to drivers above my own. Guess the only solution would be to change the minifilter’s altitude…

What about using IoGetDeviceObjectPointer taking the symbolic link your legacy driver creates, IoBuildDeviceIoControlRequest to create an IRP and then IoCallDriver to send it?

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

Unfortunately the device object is unnamed…

Well, if your device has no name and it’s attached to a volume, you cannot send an IOCTL specifically to your device, but you can send an IOCTL to the volume it’s attached to. This IOCTL will go through the device stack starting from the top, reaching your legacy filter and your minifilter is expected to see your own IOCTL recursively. I hope this is what you have in mind.

As far as I know, you should be able to do that by using Zw routines.

Have you tried this?

  1. Get the current device by calling FltGetDeviceObject(pFltObjects->Volume)
  2. Get the top highest-level device by calling IoGetAttachedDevice().
  3. Then call IoBuildDeviceIoControlRequest and IoCallDriver.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

That’s not true, you can send an IOCTL directly to a lower device even if your device object is not named as long as your driver is named. Use ObReferenceObjectByName(), obtain a ref to your driver object, then you can enumerate your driver object’s device object list.

It can be complicated, since you’ll need to know how to identify the specific device object that sits below your FS stack, but it’s definitely possible and has been done before.

The issue with using IoGetAttachedDevice() is that you cannot obtain the underlying disk PDO. AFAIK, there is no direct correlation from the FS layer to the disk class and below.

~kenny

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@driverentry.com.br
Sent: Thursday, August 22, 2013 6:28 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above it

Well, if your device has no name and it’s attached to a volume, you cannot send an IOCTL specifically to your device, but you can send an IOCTL to the volume it’s attached to. This IOCTL will go through the device stack starting from the top, reaching your legacy filter and your minifilter is expected to see your own IOCTL recursively. I hope this is what you have in mind.

As far as I know, you should be able to do that by using Zw routines.

Have you tried this?

  1. Get the current device by calling FltGetDeviceObject(pFltObjects->Volume)
  2. Get the top highest-level device by calling IoGetAttachedDevice().
  3. Then call IoBuildDeviceIoControlRequest and IoCallDriver.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br


NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

How do you enumerate the devices of the driver object? I know of people who
walk the list in the DRIVER_OBJECT but sooner or later that catches up with
them since they don’t have control of the lock for that list.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Walking the list via the DeviceExtension->DeviceObject list. Not all scenarios require a lock on the list; even if that device is removed after you found it, IoDeviceControl() should just return an error. This should not be a catastrophic failure. I suppose this depends on what the intended purpose of the final device object reference is, but for sending an IOCTL to a specific device, do you see issues with this approach?

You do need the lock, since I have debugged crashes where the OS is removing
the device from the list as you are traversing the list. It will crash,
this is one of those don’t do that ever things in Windows.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Hi Kenny,

I meant, if you must send a request that is specific for your device (and not a regular file I/O request), you should have an extra named device that is able to deal with your own IOCTLs, instead of just sending your own IOCTLs to the same device stack every filter participates in.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

While I agree with the “don’t do that ever” I would add, “under normal circumstances”. This scenario is specifically walking the list from a mini-filter. Even if PNP modifies the list while you’re walking it, I don’t see where the BSOD could come from if the mini-filter is simply walking the list.

I would like to test and validate your concern (and fix this issue), I just haven’t seen this issue occur.

That is why it is such a nasty bug, it only occurs in rare instances. I
found it in a driver (not even from the firm I was working with) that had
been in use for years, but started misbehaving on stress testing on a
system. Check the archives of the OSR lists, this is one of those fields
the Microsoft guys say do not touch.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Thanks Don, I’ll investigate this case in my drivers.

To the OP, be safe, don’t do what I suggested :)
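The race discussed above (walking a driver's device list while a device is being deleted) and the referenced-snapshot pattern that avoids it, as an added example that is not part of the original thread: a user-mode C model, not kernel code. The structures and function names are hypothetical stand-ins for DRIVER_OBJECT and DEVICE_OBJECT, and the deferred-delete behaviour is a simplifying assumption; in a real driver the documented routine IoEnumerateDeviceObjectList returns referenced device object pointers for this purpose.

```c
/* User-mode model of the device-list race; all names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_DEVICES 8

/* Stand-in for DEVICE_OBJECT: only the fields the walk touches. */
typedef struct model_device {
    struct model_device *next_device; /* models DEVICE_OBJECT.NextDevice */
    int  ref_count;                   /* references held by enumerators */
    bool delete_pending;              /* delete requested while referenced */
    bool freed;                       /* memory released: any access is a use-after-free */
} model_device;

/* Stand-in for DRIVER_OBJECT: head of the per-driver device list. */
typedef struct { model_device *head; } model_driver;

/* (Re)build the list devs[0] -> devs[1] -> ... -> devs[n-1]. */
void model_build(model_driver *drv, model_device *devs, int n)
{
    for (int i = 0; i < n; i++)
        devs[i] = (model_device){ (i + 1 < n) ? &devs[i + 1] : NULL, 0, false, false };
    drv->head = (n > 0) ? &devs[0] : NULL;
}

static void unlink_and_free(model_driver *drv, model_device *dev)
{
    model_device **pp = &drv->head;
    while (*pp != NULL && *pp != dev)
        pp = &(*pp)->next_device;
    if (*pp != NULL)
        *pp = dev->next_device;
    dev->next_device = NULL; /* freed memory holds no valid link */
    dev->freed = true;
}

/* Models device deletion: immediate when unreferenced, deferred otherwise. */
void model_delete_device(model_driver *drv, model_device *dev)
{
    if (dev->ref_count == 0)
        unlink_and_free(drv, dev);
    else
        dev->delete_pending = true;
}

void model_dereference(model_driver *drv, model_device *dev)
{
    if (--dev->ref_count == 0 && dev->delete_pending)
        unlink_and_free(drv, dev);
}

/* Raw walk without the list lock. `victim` (may be NULL) is deleted by a
 * simulated concurrent thread right after the walker loaded a pointer to it.
 * Returns how many times the walker touched freed memory. */
int unsafe_walk(model_driver *drv, model_device *victim)
{
    int stale = 0;
    model_device *cur = drv->head;
    while (cur != NULL) {
        if (cur->freed) { stale++; break; } /* kernel: crash or corruption */
        model_device *next = cur->next_device;
        if (next != NULL && next == victim)
            model_delete_device(drv, victim); /* race window */
        cur = next;
    }
    return stale;
}

/* Take references while the (modelled) list lock is held, then use the
 * snapshot with the lock dropped. Same race window, same return value. */
int safe_walk(model_driver *drv, model_device *victim)
{
    model_device *snap[MAX_DEVICES];
    int n = 0, stale = 0;
    for (model_device *d = drv->head; d != NULL && n < MAX_DEVICES; d = d->next_device) {
        d->ref_count++;           /* lock held: nothing can be removed here */
        snap[n++] = d;
    }
    for (int i = 0; i < n; i++) { /* lock released from here on */
        if (i + 1 < n && snap[i + 1] == victim)
            model_delete_device(drv, victim); /* same race window */
        if (snap[i]->freed)
            stale++;
    }
    for (int i = 0; i < n; i++)
        model_dereference(drv, snap[i]); /* deferred delete completes here */
    return stale;
}

int main(void)
{
    model_device devs[3];
    model_driver drv;
    model_build(&drv, devs, 3);
    printf("unsafe walk, no race: %d\n", unsafe_walk(&drv, NULL));
    printf("unsafe walk, race:    %d\n", unsafe_walk(&drv, &devs[1]));
    model_build(&drv, devs, 3);
    printf("safe walk, race:      %d\n", safe_walk(&drv, &devs[1]));
    return 0;
}
```

The unsafe walk is clean whenever no deletion interleaves, which matches the thread's observation that the failure only shows up in rare instances such as stress testing.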

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, August 22, 2013 7:49 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above it

That is why it is such a nasty bug, it only occurs in rare instances. I found it in a driver (not even from the firm I was working with) that had been in use for years, but started misbehaving on stress testing on a
system. Check the archives of the OSR lists, this is one of those fields
the Microsoft guys say do not touch.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Speer, Kenny
Sent: Thursday, August 22, 2013 10:42 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

While I agree with the “don’t do that ever” I would add, “under normal
circumstances”. This scenario is specifically walking the list from a
mini-filter. Even if PNP modifies the list while you’re walking it, I don’t
see where the BSOD could come from if the mini-filter is simply walking the
list.

I would like to test and validate your concern (and fix this issue), I just
haven’t seen this issue occur.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, August 22, 2013 7:33 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

You do need the lock, since I have debugged crashes where the OS is removing
the device from the list as you are traversing the list. It will crash,
this is one of those don’t do that ever things in Windows.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Speer, Kenny
Sent: Thursday, August 22, 2013 10:31 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

Walking the list via the DeviceExtension->DeviceObject list. Not all
scenarios require a lock on the list; even if that device is removed after
you found it, IoDeviceControl() should just return an error. This should
not be a catastrophic failure. I suppose this depends on what the intended
purpose of the final device object reference is, but for sending an IOCTL to
a specific device, do you see issues with this approach?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, August 22, 2013 7:21 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

How do you enumerate the devices of the driver object? I know of people who
walk the list in the DRIVER_OBJECT but sooner or later that catches up with
them since they don’t have control of the lock for that list.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Speer, Kenny
Sent: Thursday, August 22, 2013 10:17 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

That’s not true, you can send an IOCTL directly to a lower device even if
your device object is not named as long as your driver is named. Use
ObReferenceObjectByName(), obtain a ref to your driver object, then you can
enumerate your driver object’s device object list.

It can be complicated, since you’ll need to know how to identify the
specific device object that sits below your FS stack, but it’s definitely
possible and has been done before.

The issue with using IoGetAttachedDevice() is that you cannot obtain the
underlying disk pdo. AFAIK, there is no direct correlation from the FS
layer to the disk class and below.

~kenny

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@driverentry.com.br
Sent: Thursday, August 22, 2013 6:28 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above it

Well, if your device has no name and it’s attached to a volume, you cannot
send an IOCTL specifically to your device, but you can send an IOCTL to the
volume it’s attached to. This IOCTL will go through the device stack
starting from the top, reaching your legacy filter and your minifilter is
expected to see your own IOCTL recursively. I hope this is what you have in
mind.

As far as I know, you should be able to do that by using Zw routines.

Have you tried this?

  1. Get the current device by calling FltGetDeviceObject(pFltObjects->Volume)
  2. Get the top highest-level device by calling IoGetAttachedDevice().
  3. Then call IoBuildDeviceIoControlRequest and IoCallDriver.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br


NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer



I think we’re off topic from the OP’s problem, which was to send a request
to another device *above* the current device (which Fernando’s response
should take care of).

With respect to enumerating a driver’s device objects, while in general you
can’t do this manually due to potential race conditions there’s an API for
it: IoEnumerateDeviceObjectList. Win2K SP4 and later only, but hopefully by
now that’s OK :)

There could, in fact, be multiple disk PDOs (think RAID). It is possible to
make this connection by querying the volume manager, but again I think we’re
OT.

-scott
OSR
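The lock question debated in this thread, reduced to a user-mode C model that is added here for illustration (it is not WDK code and not from any poster). All type and function names are hypothetical; `enum_devices` mimics the snapshot-with-references contract of IoEnumerateDeviceObjectList, simplified so that it fills nothing when the buffer is too small, and a `freed` tombstone stands in for memory the kernel would have released.

```c
/* User-mode model, added for illustration. NOT WDK code: every type and
 * function name here is hypothetical. */
#include <stddef.h>
#include <stdio.h>

typedef struct Dev {
    int refs;          /* models the object's reference count */
    int freed;         /* tombstone set where the kernel would free the memory */
    struct Dev *next;  /* models DEVICE_OBJECT.NextDevice */
} Dev;

typedef struct Drv {
    Dev *head;         /* models DRIVER_OBJECT.DeviceObject */
    int lock_held;     /* models the list lock that only the I/O manager owns */
} Drv;

enum { ST_OK = 0, ST_TOO_SMALL = 1 };

static void drv_init(Drv *drv, Dev *devs, int n) {
    drv->head = n ? &devs[0] : NULL;
    drv->lock_held = 0;
    for (int i = 0; i < n; i++) {
        devs[i].refs = 1;   /* the list's own reference */
        devs[i].freed = 0;
        devs[i].next = (i + 1 < n) ? &devs[i + 1] : NULL;
    }
}

/* Drop one reference; the last one "frees" the object and poisons its link. */
static void dev_release(Dev *d) {
    if (--d->refs == 0) { d->freed = 1; d->next = NULL; }
}

/* Models device deletion: unlink under the lock, then drop the list's reference. */
static void drv_remove(Drv *drv, Dev *victim) {
    drv->lock_held = 1;
    for (Dev **pp = &drv->head; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; break; }
    drv->lock_held = 0;
    dev_release(victim);
}

/* Walk with no lock and no references. At step `race_at` the modelled PnP
 * thread removes `victim` after the walker has already loaded its pointer.
 * Returns -1 if the walker touched a freed object (where a real driver
 * would be reading released memory), else the number of devices visited. */
static int walk_unlocked(Drv *drv, int race_at, Dev *victim) {
    int step = 0, seen = 0;
    Dev *cur = drv->head;
    while (cur) {
        if (step++ == race_at) drv_remove(drv, victim);
        if (cur->freed) return -1;
        seen++;
        cur = cur->next;
    }
    return seen;
}

/* Snapshot under the lock, taking a reference on every entry copied out.
 * `actual` always receives the list length so the caller can size a retry. */
static int enum_devices(Drv *drv, Dev **out, size_t out_bytes, unsigned *actual) {
    unsigned n = 0;
    drv->lock_held = 1;
    for (Dev *d = drv->head; d; d = d->next) n++;
    *actual = n;
    if (out_bytes < n * sizeof(Dev *)) { drv->lock_held = 0; return ST_TOO_SMALL; }
    n = 0;
    for (Dev *d = drv->head; d; d = d->next) { d->refs++; out[n++] = d; }
    drv->lock_held = 0;
    return ST_OK;
}

/* Caller pattern: snapshot, survive the same removal, use, then release.
 * Returns how many snapshot entries were still valid when used, or -1. */
static int snapshot_and_use(Drv *drv, Dev *victim) {
    Dev *list[8];
    unsigned n = 0;
    int alive = 0;
    if (enum_devices(drv, list, sizeof list, &n) != ST_OK) return -1;
    drv_remove(drv, victim);   /* removal races with the caller, as before */
    for (unsigned i = 0; i < n; i++) alive += !list[i]->freed;
    for (unsigned i = 0; i < n; i++) dev_release(list[i]);  /* caller's duty */
    return alive;
}

int main(void) {
    Dev a[3], b[3];
    Drv da, db;
    drv_init(&da, a, 3);
    drv_init(&db, b, 3);
    printf("unlocked walk during removal: %d\n", walk_unlocked(&da, 1, &a[1]));
    printf("snapshot entries still valid: %d\n", snapshot_and_use(&db, &b[1]));
    return 0;
}
```

In the model the removed device stays valid for as long as the snapshot holds its reference and is only released when the caller drops it, which is why the caller must dereference every entry it was handed.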

“Speer, Kenny” wrote in message news:xxxxx@ntfsd…

Thanks Don, I’ll investigate this case in my drivers.

To the OP, be safe, don’t do what I suggested :)

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, August 22, 2013 7:49 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

That is why it is such a nasty bug, it only occurs in rare instances. I
found it in a driver (not even from the firm I was working with) that had
been in use for years, but started misbehaving on stress testing on a
system. Check the archives of the OSR lists, this is one of those fields
the Microsoft guys say do not touch.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Speer, Kenny
Sent: Thursday, August 22, 2013 10:42 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

While I agree with the “don’t do that ever” I would add, “under normal
circumstances”. This scenario is specifically walking the list from a
mini-filter. Even if PNP modifies the list while you’re walking it, I don’t
see where the BSOD could come from if the mini-filter is simply walking the
list.

I would like to test and validate your concern (and fix this issue), I just
haven’t seen this issue occur.


As Scott points out there is an API, that should be safe. I keep forgetting
it since I run into folks walking the list themselves.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Speer, Kenny
Sent: Thursday, August 22, 2013 10:55 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

Thanks Don, I’ll investigate this case in my drivers.

To the OP, be safe, don’t do what I suggested :)


I had always thought that API was for use by minifilters to enumerate a minifilter driver only. Good info and will be helpful in those rare situations.

Thanks

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, August 22, 2013 10:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above it

As Scott points out there is an API, that should be safe. I keep forgetting it since I run into folks walking the list themselves.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


It was one of several APIs added for use by Filter Manager as *it* needed a
safe way to do this. Now we all get to benefit from it :)

-scott
OSR

“Speer, Kenny” wrote in message news:xxxxx@ntfsd…

I had always thought that API was for use by minifilters to enumerate a
minifilter driver only. Good info and will be helpful in those rare
situations.

Thanks


-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Speer, Kenny
Sent: Thursday, August 22, 2013 10:17 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above
it

That’s not true, you can send an IOCTL directly to a lower device even if
your device object is not named as long as your driver is named. Use
ObReferenceObjectByName(), obtain a ref to your driver object, then you can
enumerate your driver object’s device object list.

It can be complicated, since you’ll need to know how to identify the
specific device object that sits below your FS stack, but it’s definitely
possible and has been done before.

The issue with using IoGetAttachedDevice() is that you cannot obtain the
underlying disk pdo. AFAIK, there is no direct correlation from the FS
layer to the disk class and below.

~kenny

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@driverentry.com.br
Sent: Thursday, August 22, 2013 6:28 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above it

Well, if your device has no name and it’s attached to a volume, you cannot
send an IOCTL specifically to your device, but you can send an IOCTL to the
volume it’s attached to. This IOCTL will go through the device stack
starting from the top, reaching your legacy filter and your minifilter is
expected to see your own IOCTL recursively. I hope this is what you have in
mind.

As far as I know, you should be able to do that by using Zw routines.

Have you tried this?

  1. Get the current device by calling FltGetDeviceObject(pFltObjects->Volume)
  2. Get the top highest-level device by calling IoGetAttachedDevice().
  3. Then call IoBuildDeviceIoControlRequest and IoCallDriver.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br


NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer



IIRC even tcpip.sys uses some APIs from fltmgr.sys

“Speer, Kenny” wrote in message news:xxxxx@ntfsd…
I had always thought that API was for use by minifilters to enumerate a minifilter driver only. Good info and will be helpful in those rare situations.

Thanks

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, August 22, 2013 10:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: RE:[ntfsd] Sending IOCTL from minifilter to legacy driver above it

As Scott points out there is an API, that should be safe. I keep forgetting it since I run into folks walking the list themselves.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Oh sweet Jesus Fernando I love you. It WORKS! I had tried your method before, except that I used FltObjects->FileObject->DeviceObject directly when trying to get the top device. Don’t know why it didn’t work then.

And thanks to the rest for the enlightening discussion!
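
The three steps Fernando lists, and the recursion he mentions, as a user-mode C model added here (not code from the thread and not WDK code). `top_of_stack_ref` stands in for IoGetAttachedDeviceReference, the reference-taking variant of the IoGetAttachedDevice call named in the thread, and `call_driver` for IoCallDriver; the control codes and status values are constructed.

```c
#include <stddef.h>

/* User-mode model of one volume's device stack (constructed; not WDK code). */
enum { ST_SUCCESS = 0, ST_INVALID_REQUEST = -1 };   /* constructed status values */
#define IOCTL_LEGACY_PRIVATE 0x800u                 /* hypothetical control code */
#define IOCTL_UNCLAIMED      0x801u                 /* hypothetical, no handler */

typedef struct device {
    struct device *lower;     /* next device down the stack */
    struct device *attached;  /* device attached directly above, or NULL */
    unsigned handles;         /* control code this driver completes, 0 = none */
    int refs;                 /* models the object reference count */
    int seen;                 /* requests that reached this device */
} device;

/* Stands in for IoGetAttachedDeviceReference: find the top and reference it. */
device *top_of_stack_ref(device *d) {
    while (d->attached) d = d->attached;
    d->refs++;
    return d;
}

/* Stands in for IoCallDriver: each driver completes the request or passes it down. */
int call_driver(device *d, unsigned code) {
    for (; d; d = d->lower) {
        d->seen++;
        if (d->handles == code) return ST_SUCCESS;
    }
    return ST_INVALID_REQUEST;    /* fell off the bottom unclaimed */
}

/* Steps 1-3 from the thread, starting at the sender's own device in the stack. */
int send_to_stack_top(device *self, unsigned code) {
    device *top = top_of_stack_ref(self);
    int status = call_driver(top, code);
    top->refs--;                  /* models ObDereferenceObject on the top device */
    return status;
}

/* Builds legacy filter -> filter manager frame -> file system and sends one code.
   *sender_seen reports how often the request came back through the sender. */
int scenario(unsigned code, int *sender_seen) {
    device fs     = { NULL, NULL, 0, 0, 0 };
    device frame  = { &fs, NULL, 0, 0, 0 };                       /* minifilter lives here */
    device legacy = { &frame, NULL, IOCTL_LEGACY_PRIVATE, 0, 0 }; /* attached above */
    fs.attached = &frame;
    frame.attached = &legacy;
    int status = send_to_stack_top(&frame, code);
    *sender_seen = frame.seen;
    return legacy.refs == 0 ? status : -2;   /* -2: reference leak in the model */
}
```

In the model, a code the legacy filter completes never travels back down to the sender, while an unclaimed code passes through the sender's own frame once before failing at the bottom, which is the recursion the sending minifilter has to recognise and let through.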