DRV360 - Windows File System Minifilter Drivers

In this seminar you will learn how to design and write a Windows file system minifilter driver. 

Level: Advanced
Audience:

Developers who need to write or maintain Windows File System Minifilter Drivers.

Description:

In the past, if one wanted to write a filter driver for file systems, one had to write a "full file system filter". The required interfaces for full file system filters were not completely documented, and samples did not cover the gamut of possible filter drivers. Reliability suffered: a significant number of crashes reported to Microsoft were found to be associated with full file system filters.

To address these issues, Windows now supports file system minifilters. A full file system filter driver called the filter manager lives in the Windows I/O path and redirects requests to registered file system minifilters. The job of the minifilter driver writer is much smaller and much less complex than that of the developer of full file system filters (now called legacy file system filters).

Unlike full file system filter drivers, though, the file system minifilter doesn't contain much that's familiar to most driver writers. It does have a DriverEntry routine, but doesn't create nor deal directly with device objects; there are no dispatch routines or I/O completion callback routines, and it does not deal directly with I/O request packets (IRPs). The prior knowledge of the experienced Windows driver developer, even the experienced Windows file system developer, will therefore only be helpful in understanding the environment in which the minifilter runs, not its specific coding details.

Accordingly, this seminar will show you how to write Windows file system minifilters. We will begin with a short review of the operating system architecture, the implementation of I/O requests, the functions of file system drivers, and the functions of legacy file system filters. We will then present a "skeleton" file system minifilter and walk through its code. We will then describe the various capabilities provided to minifilters by the filter manager, discuss the problems each such capability can solve, and show how to use each such capability in the minifilter.

Topics:
  • File system driver architecture and environment
  • Minifilter concepts
  • Installing, loading and unloading Minifilters
  • Debugging minifilters
  • Processing I/O operations
  • Serialization mechanisms
  • Accessing user buffers
  • Modifying parameters
  • Contexts
  • Generating I/O requests
  • File name management
  • Byte range locks and oplocks
  • User mode interfaces
  • Rules, guidelines, and recommendations
Prerequisites:

DRV150, Windows Internals for Driver Developers, or INT201, Windows Internals, or equivalent knowledge and experience. Attendees should understand the basic principles of demand-paged, virtual memory, multitasking operating systems. Attendees should also be familiar with the concepts of I/O device programming (in other words, driver coding on any other operating system or environment) and must have at least a reading knowledge of the C programming language. Previous experience with Windows drivers under either the NTDDK or WDM driver models will be extremely helpful, but is not required.

Operating systems supported: Windows 2000 through Windows 10/Windows Server 2012 R2
Durations and formats: 5 days with labs
3 days lecture only