EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Driver Altitude

Posted: 12/23/2013 09:36:18
by Cedric Mamo (Standard support level)
Joined: 12/02/2013
Posts: 14

I would like to ask if there's any way to install the callbackfilter driver at a different altitude.

If I run fltmc in the command line I can see (will only list the ones relevant to this question) cbfltfs3 at altitude 429998.99, CsvNSFLT at 404900, csvflt at 404800 and procmon23 at 385200.

Of the 4 mentioned, the first is CallbackFilter, the second and third are related to a cluster shared volume used by Microsoft Hyper-V, and the last one is a driver installed by Sysinternals Process Monitor.

When I run a virtual machine stored on a cluster shared volume, procmon23 (loaded below the csv minifilters) gets write events on the files being modified by hyper-v, but cbfltfs3 (loaded above the csv drivers) doesn't receive anything.

I was wondering if there is a way to install the callbackfilter driver at a lower altitude. Thanks
Posted: 12/23/2013 09:56:34
by Vladimir Cherniga (EldoS Corp.)

The CallbackFilter driver is loaded into the "Filter" group. You can change the target group manually by editing the registry parameter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cbfltfs3\Group when the cbfltfs3 driver is installed.
Posted: 12/24/2013 04:16:13
by Cedric Mamo (Standard support level)
Joined: 12/02/2013
Posts: 14

OK, thanks. I did get it to load where I wanted by setting the group to "FSFilter Activity Monitor".

I have one other question, since this driver is not a minifilter, is there a chance this type of driver will stop being supported by Microsoft in the future, given that in the linked page Microsoft recommend porting legacy drivers to minifilters? If so, is a minifilter version planned?
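
The altitude comparison from the first post and the group change described above, as an added example that is not part of the original thread or EldoS code: it parses `fltmc` output, orders the filters from the top of the stack down, and maps each altitude to its load order group. The sample text is constructed from the names and altitudes quoted in the post (column layout, instance counts and frame values are assumed), and the range table is a three-entry subset of Microsoft's allocated altitude ranges.

```python
import re
from decimal import Decimal

# Constructed sample: names and altitudes are the ones quoted in the post;
# the column layout, instance counts and frame values are assumed.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
cbfltfs3                                        429998.99   <Legacy>
CsvNSFLT                                1       404900         0
csvflt                                  2       404800         0
procmon23                               1       385200         0
"""

# Subset of the altitude ranges Microsoft allocates per load order group.
GROUP_RANGES = {
    "Filter": (Decimal(420000), Decimal(429999)),
    "FSFilter Top": (Decimal(400000), Decimal(409999)),
    "FSFilter Activity Monitor": (Decimal(360000), Decimal(389999)),
}

# name, optional instance count (blank for legacy filters), altitude, frame
ROW = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?(\d+(?:\.\d+)?)\s+(\S+)\s*$")

def parse_fltmc(text):
    """Return filters sorted top of stack first (highest altitude first)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match
            name, _inst, alt, frame = m.groups()
            rows.append({"name": name, "altitude": Decimal(alt),
                         "legacy": frame == "<Legacy>"})
    return sorted(rows, key=lambda r: r["altitude"], reverse=True)

def group_for(altitude):
    """Map an altitude to its load order group, or None if not in the table."""
    for group, (low, high) in GROUP_RANGES.items():
        if low <= altitude <= high:
            return group
    return None

def position(filters, name, reference):
    """Say whether `name` sits above or below `reference` in the stack."""
    alt = {f["name"].lower(): f["altitude"] for f in filters}
    return "above" if alt[name.lower()] > alt[reference.lower()] else "below"

if __name__ == "__main__":
    for f in parse_fltmc(SAMPLE_FLTMC):
        print(f["altitude"], f["name"], f["legacy"], group_for(f["altitude"]))
```

On a live system the same functions can be fed the captured output of `fltmc` from an elevated prompt instead of the sample string.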

Posted: 12/24/2013 06:30:44
by Cedric Mamo (Standard support level)
Joined: 12/02/2013
Posts: 14

And yet another question: If I install the driver, change that registry key and restart the system, what would happen if a different product using your driver tries to use it, expecting it to be in the "Filter" group? The InstallDriver method doesn't give you the option to specify a group, the AttachFilter method doesn't give you the option either. Can the driver be installed twice in different groups? If so will I know which one I'm attaching to at runtime?
Posted: 12/24/2013 06:31:59
by Vladimir Cherniga (EldoS Corp.)

No, we are not planning a minifilter version in the near future.
Posted: 12/24/2013 06:43:26
by Vladimir Cherniga (EldoS Corp.)

Group order affects only the driver load sequence. It doesn't affect driver functionality.
Posted: 12/24/2013 06:51:16
by Cedric Mamo (Standard support level)
Joined: 12/02/2013
Posts: 14

I know it affects load sequence. My question is if Product A installs the driver (in the filter group by default) and then manually changes the registry entry to a lower group, and later the user installs product B which installs the driver in the Filter group or maybe product B will detect the driver as already installed, but will malfunction because it assumes the driver is loaded in the Filter group.

In my case I am changing the group in order for your driver to load before a particular minifilter. My code absolutely depends on this. Likewise other people's code may assume (and depend on) the driver being loaded in the Filter group, meaning that either my code or theirs will malfunction.

What would happen in this case? Is it possible to gracefully handle this scenario?
Posted: 12/24/2013 07:01:11
by Vladimir Cherniga (EldoS Corp.)

It depends on the other product's functionality. For example, another product relies on the filter's default rules, that is, it prevents some files from being accessed by any other driver that is loaded later. Then it should apply those rules at an early stage of system start, when the filter driver is loaded.
Posted: 12/24/2013 07:07:33
by Cedric Mamo (Standard support level)
Joined: 12/02/2013
Posts: 14

So there would be two instances of the driver, one in each required group? It still doesn't seem like I would be able to choose which one I want to attach to from C#.

Basically in the scenario I mentioned the driver must be loaded twice. Once in the group I need, and another in the group the other product needs. Both instances would need to be running simultaneously for both our (unrelated) products to work as intended.

It's not a question of which files I will or will not get access to. It's simply two different products requiring the driver to be loaded at two different groups.

Is this possible?
Posted: 12/24/2013 07:12:45
by Vladimir Cherniga (EldoS Corp.)

It is possible only if you rebuild the driver code with corresponding changes that will prevent a driver conflict.




As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
