wschung

Dear Alexander Grigoriev,

Thanks for your reply. How do I keep tracing event notification in my driver? The following is my code in my AP and driver:

    Driver::init
    {
        .....
        devExt->Event = IoCreateNotificationEvent(&eventPath, &devExt->Handle);
        .....
    }

    Driver::AckAP
    {
        .....
        if (devExt->Handle != NULL) {
            if (KeReadStateEvent(devExt->Event)) {
                KeClearEvent(devExt->Event);
            }
            KeSetEvent(devExt->Event, 0, FALSE);
            KeClearEvent(devExt->Event);
        }
        .....
    }

    AP::init()
    {
        .....
        AfxBeginThread(EvenWaitingThread, (LPVOID)0, THREAD_PRIORITY_NORMAL);
        .....
    }

    AP::UINT EvenWaitingThread(LPVOID pParam)
    {
        keep = 1;
        hEvent = OpenEvent(SYNCHRONIZE, FALSE, eventPath);
        while (keep) {
            dwEvent = WaitForMultipleObjects(nCount, &hEvent, FALSE, INFINITE);
            if (dwEvent != WAIT_TIMEOUT) {
                if (dwEvent == 0) Do_something_AP();
            }
        }
        CloseHandle(hEvent);
    }

"Alexander Grigoriev" <> wrote in message news:ek7pe#...
> When an application terminates, either by itself or is killed, all the open handles are closed. When a handle is closed, the driver receives IRP_MJ_CLEANUP for that file object, then IRP_MJ_CLOSE. You need to use those functions to release the resources.
>
> If your KeSetEvent fails, it means the event object is closed. You should keep a reference on the object in your driver and release the reference when the file handle is closed.
>
> "wschung" <> wrote in message news:...
> > The problem is that AP not been acked when AP is unloaded by user. [ "CTRL+ALT+DEL" --> Ending AP ]. Because AP can't catch any unload message, like WM_CLOSE, WM_QUERYENDSESSION, I can't send any IOCTL_ to the filter to inform it that AP is unloading. Therefore, the point is how to detect whether AP is or isn't loaded in the system, from kernel mode.
> >
> > Thanks, William Ingle
> >
> > "William Ingle" <> wrote in message news:fZRLa.63922$3d.30733@sccrnsc02...
> > > Are you not getting a close irp when the AP is shut down? Are you associating events with the file object owned by the calling application so you can cancel event notification when the handle is closed?
> > >
> > > "wschung" <> wrote in message news:...
> > > > **Thanks for your reply, Skywing**
> > > >
> > > > Somewhat different from what you said. In my AP, I create a thread to get events that are signaled by the filter driver. And my filter driver will use KeSetEvent() to signal the AP to do something. But when the AP was unloaded from W2k/XP, KeSetEvent() would let the system "Blue Screen"!! For this reason, how do I detect that the AP was unloaded before the driver uses KeSetEvent()? This is my problem.
> > > >
> > > > "Skywing" <skywing_nspam_@valhallalegends.com> wrote in message news:wHzIa.39680$hz1.110496@sccrnsc01...
> > > > > Are you trying to detect whether the filter driver or the user-mode application called some other driver? If so, you can check PreviousMode in the IRP structure for I/O requests. It should be KernelMode if the filter driver called it, and UserMode if the user-mode application called it.
> > > > >
> > > > > Can you explain exactly what you want to do?
> > > > >
> > > > > "wschung" <> wrote in message news:%...
> > > > > > Hi There,
> > > > > > There are two programs in my system (Win2000/XP). One is an application, one is a filter driver. How can I detect the application is running from the driver?
Matt Vinall

I see you're creating the event from kernel mode. Following the advice of Mr Oney et al, I tend to get the AP to create the event, and then pass that to the driver through an ioctl. This gets around various nasties with process space etc.

    AP::init()
    {
        HANDLE hEvent = CreateEvent(...);

        int result = DeviceIoControl( hDevice, custom_IOCTL_code, &hEvent, sizeof(hEvent), ...);

        AfxBeginThread( EventWaitingThread, hEvent, THREAD_PRIORITY_NORMAL);
    }

    Driver::DispatchControl( ...)
    {
        switch()
        {
        case custom_IOCTL_code:

            hEvent = *(HANDLE*)pIrp->AssociatedIrp.SystemBuffer;

            if( pDevExt->pKEvent)
            {
                ObDereferenceObject( pDevExt->pKEvent);
                pDevExt->hEvent = NULL;
            }

            if( hEvent)
            {
                status = ObReferenceObjectByHandle( hEvent, 0, NULL, KernelMode, &pDevExt->pKEvent, NULL);

                ...
            }

            ...
        }
    }

and then Driver::AckAP stays the same. Because you maintain a reference on the object, it won't get destroyed when the AP exits, so technically it doesn't matter if you don't clean up when the AP exits. However, for completeness and tidy code, you should still do that.

Matt
Matt Vinall

Ah, just found this link in another thread:
http://support.microsoft.com/default...;EN-US;Q228785
Alexander Grigoriev

The proper procedure would be:

    case custom_IOCTL_code:

        PIO_STACK_LOCATION pIo = IoGetCurrentIrpStackLocation(pIrp); //++
        if (pIo->Parameters.DeviceIoControl.InputBufferLength < sizeof (HANDLE)) //++
        {
            pIrp->IoStatus.Status = STATUS_INVALID_BUFFER_LENGTH; //++
            IoCompleteRequest(pIrp, IO_NO_INCREMENT); //++
            return STATUS_INVALID_BUFFER_LENGTH; //++
        }

        hEvent = *(HANDLE*)pIrp->AssociatedIrp.SystemBuffer;

        PVOID pNewEvent = NULL; //++
        if( hEvent)
        {
            status = ObReferenceObjectByHandle(
                hEvent, EVENT_MODIFY_STATE, //++
                *ExEventObjectType, //++
                UserMode, //++
                &pNewEvent, NULL);
        }
        PVOID pOldEvent = InterlockedExchangePointer( &pDevExt->pKEvent, pNewEvent); //++
        if(NULL != pOldEvent)
        {
            ObDereferenceObject( pOldEvent);
        }

Make sure also to release the event object in IRP_MJ_CLOSE handler.
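The difference between the two `ObReferenceObjectByHandle` calls in this thread, and the effect of holding a reference across the application's exit, as an added user-mode C model (not code from any poster, and not Windows kernel code). Every name in it (`ref_by_handle`, `try_handle`, `alive_after_app_exit`, the `ACCESS_*` bits) is hypothetical, and the checks are a simplification: the access mask is only enforced for user-mode lookups, and the type is only checked when one is supplied.

```c
#include <stdio.h>

/* User-mode model with hypothetical names; not the Windows object manager. */
typedef enum { TYPE_EVENT, TYPE_FILE } obj_type_t;
typedef enum { MODE_KERNEL, MODE_USER } access_mode_t;
#define ACCESS_SYNCHRONIZE  0x1u
#define ACCESS_MODIFY_STATE 0x2u

typedef struct { obj_type_t type; int refs; int alive; } obj_t;
typedef struct { obj_t *obj; unsigned granted; } handle_entry_t;

#define MAX_HANDLES 8
static handle_entry_t table[MAX_HANDLES];   /* the application's handle table */
static const obj_type_t EVENT = TYPE_EVENT;

/* Dropping the last reference destroys the object. */
static void deref(obj_t *o) { if (--o->refs == 0) o->alive = 0; }

static int open_handle(obj_t *o, unsigned granted) {
    for (int h = 1; h < MAX_HANDLES; h++) {
        if (table[h].obj != NULL) continue;
        table[h] = (handle_entry_t){ o, granted };
        o->refs++;                           /* an open handle holds a reference */
        return h;
    }
    return 0;
}

/* What process exit does to every handle the application still has open. */
static void close_handle(int h) { deref(table[h].obj); table[h].obj = NULL; }

/* 0 = referenced, -1 = bad handle, -2 = wrong object type, -3 = access not granted. */
static int ref_by_handle(int h, unsigned desired, const obj_type_t *expected,
                         access_mode_t mode, obj_t **out) {
    if (h <= 0 || h >= MAX_HANDLES || table[h].obj == NULL) return -1;
    obj_t *o = table[h].obj;
    if (expected != NULL && o->type != *expected) return -2;
    if (mode == MODE_USER && (table[h].granted & desired) != desired) return -3;
    o->refs++;
    *out = o;
    return 0;
}

/* Look up a handle to an object of the given type, opened with the given access.
 * strict = 0: no access mask, no type, kernel mode (the first handler's arguments).
 * strict = 1: modify-state access, event type, user mode (the corrected arguments). */
static int try_handle(obj_type_t type, unsigned granted, int strict) {
    obj_t o = { type, 0, 1 };
    obj_t *got = NULL;
    int h = open_handle(&o, granted);
    int rc = strict ? ref_by_handle(h, ACCESS_MODIFY_STATE, &EVENT, MODE_USER, &got)
                    : ref_by_handle(h, 0, NULL, MODE_KERNEL, &got);
    if (rc == 0) deref(got);
    close_handle(h);
    return rc;
}

/* Is the event still alive once the application's handle is gone?
 * take_ref = 0 models a driver that keeps only a raw pointer to the event. */
static int alive_after_app_exit(int take_ref) {
    obj_t ev = { TYPE_EVENT, 0, 1 };
    obj_t *kept = &ev;
    int h = open_handle(&ev, ACCESS_SYNCHRONIZE | ACCESS_MODIFY_STATE);
    if (take_ref &&
        ref_by_handle(h, ACCESS_MODIFY_STATE, &EVENT, MODE_USER, &kept) != 0)
        return -1;
    close_handle(h);                 /* application terminates or is killed */
    int alive = kept->alive;         /* state a later set-event call would find */
    if (take_ref) deref(kept);       /* release, as in the close handler */
    return alive;
}

int main(void) {
    unsigned all = ACCESS_SYNCHRONIZE | ACCESS_MODIFY_STATE;
    printf("file handle:     lax=%d strict=%d\n",
           try_handle(TYPE_FILE, all, 0), try_handle(TYPE_FILE, all, 1));
    printf("wait-only event: lax=%d strict=%d\n",
           try_handle(TYPE_EVENT, ACCESS_SYNCHRONIZE, 0),
           try_handle(TYPE_EVENT, ACCESS_SYNCHRONIZE, 1));
    printf("alive after exit: referenced=%d raw pointer=%d\n",
           alive_after_app_exit(1), alive_after_app_exit(0));
    return 0;
}
```
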
wschung

Thanks to Mr. Alexander Grigoriev and Mr. Matt Vinall.
I got a way to solve my problem with your help. Thanks again.

Best Regards
WS.Chung