I was trying to test this File System Minifilter Driver sample. I'm having a problem with the deployment because this is not an actual device driver (non-PnP driver).
In Visual Studio, in the property page of the project: Driver Install -> Deployment, If I select "Hardware ID Update", I don't know what is the hardware ID for the driver and I cannot see in the .INF file either.
If I select "Install/Reinstall and Verify" -> "Default Driver Package Installation Task (possible reboot)", I get Driver Deployment Task Failed: Default Driver Package Installation Task error.
Deployment settings in VS
I checked this and this page but I couldn't find anything beside how to prepare the .INF file.
How can I deploy this driver to my target machine? Thank you.
Actually you don't need an INF file to install your mini filter driver.
First, create a kernel driver service with either "sc create" from command line or call "CreateService" from your installation program if you want to automate the deployment.
Then, add some registry modification as below (from Norton 360) with Registry Editor or again with Win32 registry APIs in your installation program:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEFASI\Instances]
"DefaultInstance"="SymEFASI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEFASI\Instances\SymEFASI]
"Flags"=dword:00000000
"Altitude"="260610"
Replace "SymEFASI" with your driver service name when running "sc create" or calling "CreateService". The most important part is "Altitude". It needs to be unique in your system, otherwise Filter Manager won't load your driver due to conflicts. For a formal product deployed in the real world to end-users, you need to apply for a unique number assigned by Microsoft. This is also critical because mini filter drivers are classified by layers. Each layer has its own functionalities. If your driver sits on the wrong layer, you might not see the correct data or behavior as you want.
Once the above is done, the last thing is to run "sc start" or call "StartService".
Related
I am developing a kernel mode driver for Windows 10 and I am stuck on the service start it always gave me this error:
"0x2 The system cannot find the path specified"
to install it I have tried by the following ways:
Using "sc create svname binpath="pathtodriver" type=kernel".
Creating a service from my c++ a`` with CreateService API and Kernel Mode flag.
Both return the same error for me, but here's the most stranger thing looks I have a desktop (from I am writing this and I develop my apps, study etc) in this desktop I can install the driver without any problem using both ways, Now on my laptop what I use to test some of my software it installed the first time and after that I couldn't start anymore the driver service, the path is correct
I have checked it a lot of times and tried almost everything.
Also I have other Kernel Mode driver which loads on both computers anytime without any problem its stranger really i have been trying all...
What I have tried to solve this problem:
Deleting the service from sc using "sc delete svname".
Deleting the service directly from registry.
Restoring registry.
Repairing windows.
Installing almost every Visual C++ Runtimes.
Install the driver with another service name, file name and different path.
Nothing of the list solves my problem.
(I am on Test Signing to test my driver without DSE)
EDIT: Solved was my DriverEntry it was returning 0x2 cause it was not compatible with all optical devices.
I know that this problem has been stated multiple times, but I cannot seem to find any solution. The issue is that I compiled in release mode the kmdf hello world example from Microsoft's website, but I am not able to run it. The reason is that when I try to launch the service, I get the following error: "The driver has been blocked from loading". I Obviously get this error because I have not signed the driver, but even though I have disabled signature enforcement on my updated Windows 10 machine (as stated here) I still cannot launch the driver, and I get exact the same message. So basically the option for temporarily deactivating signature enforcement, seems to serve a completely decorative purpose. So, is there any other way to launch my unsigned driver on my Windows 10 Virtual Machine, or I need to pay $100 to run my code on my own computer ?
The tutorial that you're using mentions that you need to provision your target machine for driver deployment, and leads to the "Provision a computer for driver deployment and testing" page which (among other things) has the following instructions:
On the target computer, run the WDK Test Target Setup MSI that matches
the platform of the target computer. You can find the MSI in the
Windows Driver Kit (WDK) installation directory under Remote.
Example: C:\Program Files (x86)\Windows Kits\10\Remote\x64\WDK Test
Target Setup x64-x64_en-us.msi
If you want to deploy your driver manually (for example, if you're testing your driver on your development machine or in a VM), instead of running the aforementioned MSI you can manually enable test signing mode by running bcdedit -set TESTSIGNING ON from the elevated command prompt. You would need to reboot the machine for the changes to take effect.
See "The TESTSIGNING Boot Configuration Option" on MSDN for additional details.
This is probably a pretty easy question to answer for someone that is experienced with FS minifilters. I am trying to script the removal of a filter driver and device.
Some background... this driver is running on Windows 8/10 x64. The vendor that created the driver has not been helpful in fulfilling my request for a removal tool. Unfortunately their MSI uninstall is buggy and only works about half the time you run it... They want us to upgrade to their newest version that doesn't have the bug we are encountering during uninstallation. We aren't interested in continuing use of this software so a paid upgrade seems frivolous... Their only suggestion has been to reimage the computers without the software that includes the FS minifilter device... That's out of the questions because it is on 1000+ computers...
Basically, their official uninstaller does an API callback to one of their servers and verifies the machines eligibility to uninstall:
Does the MAC address of the primary network adapter exist in their
database?
Does the password you entered for uninstallation match
what is set in their database?
If you are eligible, it runs an MSI uninstallation and disables the FS filter, removes the driver file, service files, configuration, and restarts... The bug that is keeping us from doing a normal bulk removal (their way) is that the MSI freezes during the removal process (after checking eligibility) and requires us to restart a client computer up to 3 times to finish the uninstall.
I have been able to successfully remove the software and device/driver by externally mounting the Windows file system and manually removing the driver file under System32/Drivers and also removing all of the actual program files/services. I have not been able to do this booted onto the same partition where the minifilter is loaded. The minifilter driver that is running is protecting those program files, a registry key, and the actual .sys file under System32...
I've done some basic reverse engineering of their MSI... They are using custom actions to perform the removal... First step is the removal of the service, second step is the removal of the minifilter. Both actions are done via an executable that is packaged in the MSI... I've extracted that and attempted to use it by running the same commands that they do during the MSI... I haven't had any luck. The minifilter just doesn't want to die.
They have some other custom actions that are loaded via DLL. Initial investigation makes me think its all of their custom uninstall eligibility craziness.
It looks like their minifilter doesn't have an unload routine built in. Using FLTMC I get this error attempting to detach and/or unload:
0x801f0010 Do not detach the filter from the volume at this time.
0x801f0014 Do not detach the filter from the volume at this time.
Does anyone know of a good way to unload a minifilter that is throwing those errors?
Try to kick out FltMgr.sys of the kernel by:
Renaming %SystemRoot%\sytem32\drivers\FltMgr.sys
Or changing HKLM\SYSTEM\CurrentControlSet\Services\FltMgr\Type to 0x4 (Disabled)
Reboot
Minifilters can't work without Filter Manager.
If you are desperate enough, look into Windows PE, available as part of the Windows Assessment and Deployment Kit.
A Windows PE image can be remotely installed onto a machine's hard disk and configured to perform whatever task you need done and then automatically reboot back into the original operating system. Doing it this way gives you the same access as externally mounting the infected file system, but can be automated. I've used this approach in the past to automate offline maintenance tasks on several hundred machines (e.g., changing a registry setting that Symantec Endpoint Protection was "protecting") and while getting it working is fiddly, once it is working it works well.
My email address is in my profile, you're welcome to contact me if you decide on this approach and have questions about implementing it.
Alternatively, depending on your jurisdiction and circumstances, you might want to consider threatening the vendor with a lawsuit if they refuse to provide a proper solution. They broke your computers, it should be their job to fix it. From the sounds of it, they wouldn't even need to do any work, just let you have the upgraded version for a few weeks free of charge.
We have a usb device and the drivers (.inf, libusb.dll, libusb.sys) and can install it using Windows' Device Installation Wizard (by pointing to the .inf file). However, we need to install the drivers without using the wizard (passively, so the user doesn't need to do anything). Does anyone know how this can be achieved?
You added the "installer" tag, so I'm assuming you're talking about some kind of installation package, like Windows Installer, InstallShield InstallScript, etc.
If that's the case, you should probably use Microsoft's DIFx framework.
DIFx makes it easier for you to create
high-quality driver packages,
customize the installation of driver
packages, allow the installation of
driver packages in combination with
application software, and use the
standard Windows APIs and installation
tools. DIFx also makes it easier for
end users to diagnose device and
driver problems. End users can be
confident that, if necessary, drivers
can be uninstalled or rolled back.
I've used DIFx from both Windows Installer-based installs and InstallScript installs. Very user-friendly, easy to debug, and effective.
My colleague came up with an answer that is working very well. It appears that, unless you hardware/driver combination is WHQL signed, the Add New Hardware Wizard will always appear in Win XP. However, with the following method it is possible to have the "Search" button in the wizard find your driver automatically. In Windows 7, there is no prompt and the device installs just fine. You'll need to watch out on 64-bit machines, though, as they have much stricter signing enforcement.
So here is the relevant excerpt from the whole document:
Use the DIFxAPi merge module. (Read a good introduction to drivers in Windows, the use of INF files, and DIFxAPP.) The DIFxAPI merge module is included in the WDK in the ‘WDDK//redist\DIFx\DIFxApp\MergeModule\’ directory. The merge module can be included in an MSI package and can be set to install multiple device drivers. Here are the steps to create an MSI with the DIFxAPP merge module:
In the setup folder, create a separate directory in the Application Folder for the driver package and add the driver files to the folder.
Add the DIFxApp.msm to the setup project.
Build the setup
Use Orca to edit the MSI database table and add the INF component to the DIFxAPP merge modules table.
The Orca installation is included in the Windows SDK in the ‘C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin’ directory. (The Windows SDK can be downloaded from Microsoft)
Run Orca and select the MSI package that needs to be modified.
Read part 5 for automation.
In the ‘File’ table, locate the INF file of the driver package you would like to install and copy the Component value.
Create a new row in the MsiDriverPackages table. Add the Component value into Component field. The following flags can be used (although some are ignored by Windows 7):
0 - Not set (default)
1 – Force installation of driver, even if it the currently installed drivers is
a better match than the driver being installed
2 – Suppress message box telling user to plug in devices after the driver
has been installed.
4 – Suppress adding an entry in Add/Remove Programs for driver.
Driver will be uninstalled when main application is uninstalled.
8 – Install unsigned driver packages
16 – Remove driver binaries during uninstall.
Save the MSI. In order to automate the process, the editing of the MSI database can be recorded to a Transform and then the Transform can be applied in a post build process.
Open the MSI in Orca.
Select Transform->New Transform
Complete steps 3 and 4 in the above directions.
Select Tranform->Generate transform and save the transform.
Add the following line to the post build of the Setup Project
MsiDb.exe -t transform.mst -d $(TargetDir)\DriverInstall.msi
Note: MsiDB.exe comes with the Microsoft SDK and is located in
C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin
If you get an error installing from the MSI (e.g. I got error code 2356 which ended up being due to an invalid Flag value), use Orca's Validate function to see if there are any errors. EDIT: Fixing these errors still has not gotten rid of the error. I remember reading that inf files should be in their own sub-directory, but that didn't fix my problem either.
I have a VB6 Service that uses the standard NTSVC.ocx file to help manage all the NT service functions. The application has been running on Windows 2003 Server RC1 with no troubles. Our sales team asked if we could put this same application on a notebook that could be used as a live site demo. The only issue I am having is that the notebook is brand new, running Windows 7 and the manufacturer only has Windows 7 drivers for the devices.
There is no installer for this service. I manually load the ocx and supporting other dll's into the various Windows and System32 folder and then run regsvr32 from the command prompt to load the OCX. The service has a command line set of parameters to install and uninstall the service itself.
When I try to REGSVR32 the OCX I get the following error:
The module "C:\Windows\System32\ntsvc.ocx" failed to load. Make sure the binary is stored at the specified path or debug to check for problems with the binary or dependent .DLL files. The specified module could not be found.
One potential reason that might lead to your problem, is that the NTSVC.OCX is built with a fixed Base Address (in other words, the Image has been bound by the Linker with the /FIXED switch). Starting with Vista, the Windows Loader uses Address Space Layour Randomization (ASLR) mechanism.
Based on this ASLR feature the Windows Loader attempts to load the OCX component at another Base Address than the predefined one (the one hardcoded in the OCX image file). Since your OCX Address Base is hardcoded, the Loader will fail to load your OCX (which is technically just a DLL!).
See Snapshot below showing these fields of the NTSVC.OCX image using PeStudio:
I would first try Dependency walker. If that doesn't give you a clue as to what you need you may be SOL. Also you will have to run regsvr32 as an administrator so you should get the little UAC popup.
this ocx (an also other ocx such as vbwheelscollfix.dll) to register ist very easy.
First Step:
copy this OCX into the Folder C:\Windows\SYSWOW64 (on 32 bit, i suspect its SYSWOW32).
Second Step:
Open a CMD with administrative rights.
Last Step:
Now you can register / unregister the file from the SYSWOW path.
As ich said:
in an administrative shell:
regsvr32 C:\Windows\SYSWOW64\NTSVC.ocx did work for me. Note that \System32 did not work, as it gave me an error. It might work in a x86 environment, though.
I now have no errors in my project but did not try if it works properly.