
    Wed, 23 Jan 2019     118020 members



OSR Dev Blog: Drivers, Storage, and Analysis

We're involved in many areas of OS internals here at OSR. We deal with drivers for unusual hardware, we extend OS policy in interesting ways for better system performance and reliability, we analyze difficult problems and sometimes even craft solutions for them. We also work with our friends at Microsoft to help shape and understand the device, driver, and file system developer experience.

As part of just about everything we do, we try to keep the community involved. Learning something for its own sake, or for our own use, is good. But learning something that you share with others? We think that's great.

We publish a lot of what we learn in our journal The NT Insider. But some things are shorter, are ideas that are still in the process of being developed, or maybe they're things that we don't want to wait until the next scheduled publication. In these cases, we post what we've learned and what we've been thinking about here.

The OSR Online site is maintained for historical/archive purposes only.

The OSR Developer's Blog has moved to OSR.COM at https://www.osr.com/developers-blog/

Please go there for all new Developer Blog content.

IMPORTANT NOTE: OSR Dev Blog posts are now being created and posted at http://www.osr.com/developers-blog/. Please check that location for future posts. We are listing posts from that site here, as a convenience.
NTFS Status Debugging
As a file system filter developer, one of the great pains in life is when Read more

Check out the new Virtual Hardware Lab Kit (VHLK)
A big complaint I’ve always had about the HLKs is the overhead of getting a Read more

It’s 1809… A New WDK Awaits You… Don’t Be Afraid!
Well, OK… It’s not really 1809 anymore. It’s actually 1810 when I’m writing this.  But Read more

Ready for the Community Move?
We’re ready… well, at least we think we’re ready.  Are YOU? New web site:  community.osr.com Read more

OSR Community Move: 19 September 2018
We have finally fixed on a date when the NTDEV, NTFSD, and WINDBG community site Read more

Content below is for archive purposes only
Windows 8.1 Update: VS Express Now Supported
PeterGV (Read 25965 times)
With the release of WDK 8.1 Update, the WDK now supports Visual Studio Express. Say "YAY" for the return of free tools for driver developers.
HCK Client install on Windows N versions
Scott Noone (Read 18857 times)
It took a day of trial and error before I finally figured out why I was getting a 1603 error when installing the HCK Client.
There's a WDFSTRING?
Peter Viscarola (Read 18876 times)
Surprise! WDF has a WDFSTRING Object. And it's actually useful!
When CAN You Call WdfIoQueuePurgeSynchronously
Peter Viscarola and Scott Noone (Read 18438 times)

We’re constantly learning the subtle details of how KMDF works. We came across an interesting detail today that caused us to scratch our heads to the point we had to ask our friends on the WDF development team what was going on. Maybe this will help you at some point, too.

UMDF V2 -- It's KMDF Compatible!
Peter Viscarola (Read 13333 times)

If you thought that big changes in the Windows driver arena were complete with the release of the Windows 8 WDK (which for the first time includes integration with Visual Studio)… you're WRONG.  The latest news, announced at the //Build conference, is UMDF V2.  Check it out...

WdfSend: Are There REALLY Three Useful Variants?
Peter Viscarola (Read 20046 times)

When you learn about WdfSend, you typically learn that there are three different ways that you can send a Request to an I/O Target.  It makes a nice story to describe these three options as equally viable for a driver writer.  Unfortunately, in the majority of cases the only practical option is to send a Request asynchronously and specify a Completion Routine Event Processing Callback.  This quick article describes why this is the case.

Turning a Breakpoint into a Busypoint
Scott Noone (Read 12765 times)

Breakpoints are great, but at some point you have to resume from them. What if you want to freeze a thread in place while allowing other threads to continue executing?

Investigating a NULL Pointer Dereference
Scott Noone (Read 17608 times)

A former student provided a crash dump for some analysis. Here's what I found...

Understanding WDFMEMORY Objects
Peter Viscarola (Read 8524 times)

Confused about WDFMEMORY Objects? Wonder why they exist at all? Here, we try to help.

Using WinDbg to hunt for strings
Scott Noone (Read 18305 times)

Ever wanted to search a live system or crash dump for strings? In this post we'll show you how!

Spice up your debugger output with DML!
Scott Noone (Read 10744 times)

The Debugger Markup Language makes navigating the command window a breeze. Did you know that you can add links to the debugging output not only from your debugger extensions but also from your drivers? In this Developer Blog entry we'll show you how...

Test Signing Made Simple
Peter Viscarola (Read 9399 times)

The Win8 WDK makes test signing easy. No, really. It does. Read and see...

Can You NEVER Break the Rules?
Peter Viscarola (Read 7261 times)

Sometimes it's necessary as a developer to break the rules. Even good developers do it. Sometimes, to do something cool, you just have to do it. But where do you draw the line? Let's explore that question a bit.

Understanding EvtIoStop
Peter Viscarola (Read 8186 times)

SDV has a new rule and there's bugcheck 9F to deal with. It's about time we thought more about EvtIoStop.

Getting DbgPrint Output To Appear In Vista and Later
OSR Staff (Read 180709 times)

You build the checked version of your driver and run it on any OS since Vista for the first time.  And, what happens?  You don't see any of your driver's DbgPrint messages displayed in WinDbg!  What happened?  Let me tell you (updated for Win7 and Win8)...

USB 2.0 Debugging
OSR Staff (Read 61448 times)

Did you know that debugging over USB 2.0 actually works?  Well, it does.  Sort of.

Where's The Checked Build?
Hector J. Rodriguez (Read 108485 times)
Lookin' to download Checked Builds for Windows 2000, Windows XP, or Windows Server 2003, or any of their service packs? Here are the pointers you need.
Server 2008 WDK Arrives
Hector J. Rodriguez (Read 26237 times)
The latest WDK has arrived.  Here's what you need to know about it.
x64 Driver Signing as of Vista RC1 (and later)
Hector J. Rodriguez (Read 31076 times)
The latest on x64 driver signing for Windows Vista.  The tools, how/if they work, what's changed in RC1 (and later).
Now Available for Download: Latest WDK Docs
OSR Staff (Read 22638 times)
The most recent, fully updated, WDK docs are now downloadable.
MmGetSystemRoutineAddress IS BROKEN!?
OSR Staff (Read 29142 times)

Yikes!  Can it be that the widely publicized and used function MmGetSystemRoutineAddress can blue screen on XP SP2??  Well...

LH Server Beta 3 WDK Available
Hector J. Rodriguez (Read 9685 times)
I just noticed: The latest Longhorn Server WDK is available.
DTM and WDK split
Hector J. Rodriguez (Read 17399 times)
Think it's ridiculous that you need to download 2.5GB worth of WTT-laden stuff just to be able to build drivers?  Apparently, you're not alone. Introducing the WLK.
Debugging WDK Build Environments
Hector J. Rodriguez (Read 22978 times)
Gotten frustrated yet that the WDK version of BUILD now hides the parameters it passes to the C compiler?  DDK MVP Don Burn has the solution...
No More x86 Only Submissions to WHQL
Hector J. Rodriguez (Read 27053 times)
Does your company submit a 32-bit driver to WHQL and presently ignore x64 "cuz there's no market"?  With Vista, that's gonna stop...
Disabling User Account Control on Vista
Hector J. Rodriguez (Read 29530 times)
Do you hate those pop-ups on Windows Vista that say "Windows needs your permission to continue" for every single thing you do?  Would you like to make them go away?  We've got the solution to your woe...
The WDK Build Environment -- Not Getting Better
Hector J. Rodriguez (Read 14604 times)
Have you tried to build a driver with the new Vista DDK, which is now called the Windows Driver Kit (WDK)?  If you have, I bet you're as annoyed as I am.
No Win2K Support for KMDF?
Hector J. Rodriguez (Read 17076 times)

Yikes!!  Is Microsoft really going to drop Win2K support from the pending release of the WDF Kernel Mode Driver Framework??

Only Signed Drivers To Run on Vista X64
Hector J. Rodriguez (Read 43353 times)
Oh, you're gonna love this.  Non-signed drivers won't be loadable on x64 machines running Vista.
Living With 64-Bit Windows
Hector J. Rodriguez (Read 52176 times)
One of the guys here at OSR took the bait and switched his development system over to 64-bit Windows (using the free Server 2003 Standard x64 Edition disk he got at the DDC).  I figured I'd chronicle his travails for the benefit of anybody else who'd like to follow in his footsteps.
Go to DevCon? Don't Throw Out That CD!
Hector J. Rodriguez (Read 17736 times)
If you were at the DDC, you got a surprisingly nice prize in your conference materials...
Relative opens and IoCreateFileSpecifyDeviceObjectHint
Hector J. Rodriguez (Read 16787 times)
Sometimes, even I have to be reminded about the bugs, er, rules.
Watch that return from IoSetCompletionRoutineEx
Hector J. Rodriguez (Read 15637 times)
There are two things to be careful of, here: Don't forget about the NTSTATUS value, and pass that IRP to another driver.
Why Is The IRQL Always 0xFF When I Do !PCR?
Hector J. Rodriguez (Read 27582 times)
When you're in the debugger, and you type !PCR, the IRQL that's shown is always 0xFF. Can you logically conclude from this that the system had interrupts disabled when it crashed? Microsoft's Jake Oshins gives us the story.
No Deadlock Verification on x64 UP Systems
Hector J. Rodriguez (Read 18020 times)

Deadlock verification is a feature of Driver Verifier that monitors the order in which your driver acquires various locks. It's a great feature. Just don't expect it to work on single processor x64 (i.e. Windows-64) systems.

Don't __try to Catch The DbgBreakPoint(...) Exception
Hector J. Rodriguez (Read 18905 times)
I've used it myself. Now, it seems, it hasn't worked the way I thought it worked for years. Community members Ralph Shnelvar and Jamey Kirby discovered a cool bug related to trying to catch the exception raised by DbgBreakPoint()
Need help with WPP tracing?
Hector J. Rodriguez (Read 21173 times)

WPP got you down? It seems like everyone wants to use WPP tracing, but not everyone is able to get it working. Here's a three pack of tips from the battlefront that might save you some time...

I Hooked Up The Debugger Using 1394, and NOW...
Hector J. Rodriguez (Read 28410 times)
If you've hooked up the debugger via 1394, you reboot, and your target system is running vvvveeeeeerrrryyyy sllooooowwww or you keep losing your debugger connection, here's why.
Hector J. Rodriguez (Read 30158 times)
"Hector... Which DDK and build environment do I use for drivers that are for Windows XP 64-Bit Edition for the X64?" I knew it had to be confusing, because this was a member of the OSR staff asking me this question. OK, let me explain it again...
Ever have to update a system but don't have a Floppy Drive
Hector J. Rodriguez (Read 11072 times)
You want to update the BIOS on a machine.  The BIOS update process requires a bootable DOS floppy (will these folks ever enter the 21st century??). But there's a problem:  The system you want to update doesn't have a floppy disk drive.  What's a mutha to do?
Device Manager Error Codes
Hector J. Rodriguez (Read 26644 times)
Have you ever wondered what the Device Manager Error Codes mean? A recent KB article explains each Error Code and provides solutions.
Pool and Memory Events
Hector J. Rodriguez (Read 19557 times)
In your driver, it's pretty easy to know if there's a serious shortage of paged or non-paged pool: Your allocation attempt fails. But how do you know when there's plenty of pool space and your driver should feel free to grab a big chunk? I'll tell you...
PCI Express, PCI-X and other mysteries
Hector J. Rodriguez (Read 87463 times)
"PCI-X," Dan asked, "is that just a short way of writing PCI Express?" I was embarrassed to admit it, but I had no idea. I'd just been too busy, and -- to be perfectly honest -- the esoterica of bus designs don't exactly float my boat. If you're similarly clueless, and you wanna impress your more hardware-oriented friends with the depth of your knowledge, I'll tell you most of what you need to know.
ExAllocatePoolWithQuota Raises Exceptions
Hector J. Rodriguez (Read 19058 times)
Quick, answer this question: Is there any variant of ExAllocatePool that'll raise an exception by default if it fails? If you said "no!", like I did, you could be in for a surprise.
Inlining into SEH Filters Can Result in Invalid Code on AMD64
Hector J. Rodriguez (Read 20427 times)
It started out as a typical day for me at the office. I came in, I got my double dose of French Roast coffee and settled down for a long day of, well... doing whatever it is I get paid to do here. Along the way I came across some documentation on Structured Exception Handling and found this interesting tidbit of information....
How to Determine if System Running in Safe Mode
Hector J. Rodriguez (Read 14816 times)
Ever wonder how one programmatically determines if a system is running in Safe Mode? This question has reared its head in the newsgroups a couple of times, so between daily internal debates on U.S. foreign policy and seeding/downloading music with BitTorrent, someone here found time to find out.
Duplicate Disk Writes
Hector J. Rodriguez (Read 23849 times)
Ever watch really carefully when a file's being written?  Ever notice that some chunks of the file get written twice?  Yeah, we noticed too. About 7 or 8 years ago.  The good news is that the Windows team has changed this behavior, and there's even a hot fix for it!
New Verifier Pool Checks In LH
Hector J. Rodriguez (Read 23046 times)
Verifier just gets more and more powerful as time goes by. If you get a BAD_POOL_CALLER bugcheck when running on LH, with a violation type of 0x9D, here's what it means.
Disabling Shutdown Query for Server 2003
Hector J. Rodriguez (Read 10821 times)
Windows Server 2003 systems (and Windows XP for 64-bit) always prompt the user to ask the reason for shutting down. For those of us developing using Windows Server 2003 this can be one more inconvenience when caught in the seemingly endless test/reboot sequences. This article discusses how to disable this feature.
Querying the name of a file
Hector J. Rodriguez (Read 10148 times)
 Correct use of ObQueryNameString in a driver.
Permanent Pool Overrun Checking Starting With XP SP2
Hector J. Rodriguez (Read 26588 times)
We don't normally discuss features in unreleased products or service packs, but this issue is important enough to driver devs that we thought you'd appreciate some advance warning. Read on to discover the new pool overrun checking feature that will be enabled in Windows, starting with XP SP2!
No Pool Tagging for Special Pool
Hector J. Rodriguez (Read 20038 times)
Can it be?  During some testing here at OSR it sure seemed to us that when a driver is run under Driver Verifier, allocations that came from Special Pool were not tracked by pool tag.  Well, it is true.  Read on...
NTFS Does Not Support Query Operations on Stream File Objects
OSR Staff (Read 16762 times)
 In a recent discussion on NTFSD, Molly Brown (Microsoft) indicated that the NTFS file system does not support a query file information operation on internally created NTFS stream files.
Who Owns Which Pool Tag
Hector J. Rodriguez (Read 38237 times)
 A question came up in NTDEV asking something along the lines of, "the PoolTag utility shows that pool allocations for tag ‘WXYZ’ are out of control…Anyone know who owns it?"
Simplifying Time Interval Specification
Hector J. Rodriguez (Read 20930 times)
 Quick!  How many 100 nanosecond intervals in 5 minutes!  NTDEV member Rob Green provides a set of macros that'll keep you from ever having to figure this out.
Files Opened as a result of a Remote Request
Hector J. Rodriguez (Read 21997 times)
This article talks about the FO_REMOTE_ORIGIN flag in the File Object and how it gets set and tested.
No More Embedded Assembler or x87 FP
Hector J. Rodriguez (Read 21383 times)
It's time to enter the new millennium, friends. Get rid of all that old, crusty, mostly useless assembler language that got stuffed into your drivers and forgotten years ago. The newest compiler in the DDK doesn't support _asm...
New Spinlock Functions
Hector J. Rodriguez (Read 12506 times)
In case you guys don’t get as excited about a new DDK as I do, I took the pleasure of DIFFing the Server 2003 DDK’s WDM.H with the one from the XP SP1 DDK...
Oh that Hurts, How to use IoForwardIrpSynchronously
OSR Staff (Read 15154 times)
Have you ever seen a function in the DDK and used it without reading the documentation and thinking about what it means?   That's what happened when I used IoForwardIrpSynchronously.
IoValidateDeviceIoControlAccess() in XP SP1/.NET
Hector J. Rodriguez (Read 12631 times)
Suppose you want to implement more security in your driver, specifically on your IOCTLs...
Hector J. Rodriguez (Read 15279 times)
Recent security reviews in the Windows file systems team have pointed out that the FILE_DEVICE_SECURE_OPEN characteristic needs to be set for file system device objects that do not support naming...
Disabling Hard Error Pop-ups
Hector J. Rodriguez (Read 11512 times)
A number of times recently we’ve seen discussions about how to disable hard error popups in a kernel driver...
Undesired Debugger Behavior
Hector J. Rodriguez (Read 12298 times)
Since this might not be the behavior desired by someone debugging their own driver...
Definition of “CPU” Environment Variable Changed
Hector J. Rodriguez (Read 20385 times)
The definition of the build environment variable CPU has changed since release of the Windows XP® DDK...
Definition of DDKBUILDENV Changed in Windows XP®
Hector J. Rodriguez (Read 20063 times)
The definition of the build environment variable DDKBUILDENV has historically been used to define whether a driver is being built free (retail) or checked (debug)...
Beware of KeAcquireSpinLockRaiseToSynch(...)!
Hector J. Rodriguez (Read 13901 times)

Starting with Windows 2000®, the NTDDK.H included the definition of a function named KeAcquireSpinLockRaiseToSynch(…). This function was never documented in the DDK documentation, and (quite frankly) was probably exposed unintentionally...

Identifying Unusual IOCTL Device Types
Hector J. Rodriguez (Read 14830 times)

You may have seen some strange IOCTLs pass through your driver, and tried to figure out where they're from...

Must Use New DDK Compiler
Hector J. Rodriguez (Read 28283 times)

When building drivers with the XP DDK, you must use (at least) the version of the compiler supplied with the DDK...

Building Within Visual Studio (IDE)
Hector J. Rodriguez (Read 28862 times)

There's nothing wrong with building drivers from within Visual Studio. But if you do this, do it right or don't do it at all...

Hector J. Rodriguez (Read 31838 times)

People are confused about which header file to use. I'm not surprised, because I used to be confused about this too...

Must Succeed Pool...DEAD!
Hector J. Rodriguez (Read 18504 times)

When allocating pool, do not specify pool type NonPagedPoolMustSucceed...

Change to Allow Page Mapping in XP
Hector J. Rodriguez (Read 14692 times)

There's a change in the memory manager -- including functions such as ZwMapViewOfSection and MmMapLockedPages, in Windows XP...

Changes to SOURCES in XP DDK
Hector J. Rodriguez (Read 13280 times)

It seems a couple (not too frequently used) parameters have changed in the SOURCES file, as of the Windows XP DDK...

Fast I/O for WDM Drivers NOT Called When Verifier's Enabled
Hector J. Rodriguez (Read 12703 times)

One thing that's never really been documented, but that you have always been able to do, is use Fast I/O for Device I/O Control to process these requests...

XP DDK Resets PATH Environment Variable
Hector J. Rodriguez (Read 25489 times)

No, you're not crazy! The DDK's setenv.bat file now REPLACES the PATH environment variable to point to the DDK's executables, instead of pre-pending the DDK executable path as it has done in the past...

Microsoft Symbol Server LIVE on the Internet
Hector J. Rodriguez (Read 23038 times)

Microsoft's symbol server is up live on the Internet. This means that, if you have a reasonably decent Internet connection from your debugger system, you won't have to download and set up the o/s symbols...

Warning: Beware winioctl.h from Visual C/C++ Version 6.0
Hector J. Rodriguez (Read 24910 times)

The Visual C/C++ Version 6.0 (part of Visual Studio) includes a header file for winioctl.h that includes incorrect definitions...

DefineDosDevice Functionality Changes in Windows XP®
Hector J. Rodriguez (Read 16147 times)
A number of developers are discovering a change to the naming scheme in Windows XP®...
MmMapLockedPages(SpecifyCache) with AccessMode == UserMode
Hector J. Rodriguez (Read 17350 times)

It seems that there's been some info missing from the DDK documentation for quite a while...

Enabling Debugging on the Local Machine for Windows XP®
Hector J. Rodriguez (Read 32952 times)
If you want to allow debugging on the local machine with WinDBG and Windows XP® (or later) you must add the "/debug" flag in your boot.ini file...
Windows XP® IFS Kit Errata
Hector J. Rodriguez (Read 15087 times)
It's confirmed. Microsoft inadvertently left out IOCTL_REDIR_QUERY_PATH from the Windows XP IFS Kit...

Don't Define NT_UP
Hector J. Rodriguez (Read 22619 times)

Defining NT_UP in your driver build environment can lead to trouble...

WINVER Incorrectly Defined in XP/.NET Beta DDK's Win2K Build Environment
Hector J. Rodriguez (Read 32187 times)
Checking the definition of "WINVER" at compile time is one method that driver writers use to conditionally compile their code depending on the target platform...