User mode vs. Kernel mode driver

User mode vs. Kernel mode driver

Post by Ry4gWWFtbW » Sat, 19 Aug 2006 00:01:02


Hi,

I need to write a driver that can intercept a certain set of files. This
driver will need to read/write locally and across the network - say a TCP
connection.

I know it can be done in Kernel mode (FS Filter Driver). I was wondering if
it is doable via a user-mode driver. The literature seems to suggest that it
is possible. But I would like a definitive answer :-)

Generally, I was thinking:
1) Create a virtual storage device name
2) Attach a drive letter to it
3) File ops within the "drive" are then reflected to the user mode driver
However, I am unsure how to launch/invoke the user-mode driver since it is
done via a PnP event.

Thanks a lot

G. Yammine
 
 
 

User mode vs. Kernel mode driver

Post by Don Bur » Sat, 19 Aug 2006 00:05:58

This has to be kernel code, and file system filters are some of the most
complex kernel code to do correctly.

--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.yqcomputer.com/
Remove StopSpam from the email to reply

 
 
 

User mode vs. Kernel mode driver

Post by Ry4gWWFtbW » Sat, 19 Aug 2006 01:01:03

Thanks for the reply. Have you heard of Galen Hunt's "Proxy Driver"?

https://db.usenix.org/publications/library/proceedings/usenix-nt97/full_papers/hunt/hunt.pdf#search=%22galen%20hunt%20proxy%20driver%22

(google search: galen hunt proxy driver)

The paper seems to suggest that it is possible. Also, it looks to me that
the Proxy Driver is now called the UMDF Reflector.

Although I have quite a bit of FS/DD experience, I really don't want to
build a FS Filter Driver :-)

Thanks for keeping the conversation going.

--
gy
 
 
 

User mode vs. Kernel mode driver

Post by Don Bur » Sat, 19 Aug 2006 01:13:34

es, I know Galen (he has been at Microsoft for years). The problem is that
you need to sit in the middle of a kernel mode stack, unless you want to
create your own storage device that is totally seperate. This causes lots
of problems, for instance if your application causes any I/O to the storage
stack you are filtering (including paging and other non-obvious areas)
things get very messy! UMDF is for simple non-storage devices that live on
busses such as USB and ethernet.

There was a user mode file system product (note file system not filter!)
that was available from StorageCraft but it appears to be no longer
available. This was based on using the file system redirector and sending
the requests to user space.

Give a little more detail on what you are attempting to do, for instance can
the files all be on a "special filesystem" that nothing else resides on, or
do they need to live in normal places? Can these "files" be on a device
that is not identified as a file system, for instanmce a device namespace?


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply



"G. Yammine" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...


 
 
 

User mode vs. Kernel mode driver

Post by Ry4gWWFtbW » Sat, 19 Aug 2006 03:32:52

oo bad!

The driver is supposed to intercept file operations against certain,
pre-defined, files. The files reside remotely, across a network. The driver
maintains a local cache of file blocks, and retrieves blocks that are not
locally cached. Very much like the CIFS client except that the driver does
things to the blocks in terms of storage, tagging, recycling, etc. My
initial idea was to build an FS Filter driver that would use the CIFS
redirector for network access with the goal of eventually replacing the
redirector.

Any input would be appreciated.

--
gy


"Don Burn" wrote:

 
 
 

User mode vs. Kernel mode driver

Post by Maxim S. S » Sun, 20 Aug 2006 17:19:59

> initial idea was to build an FS Filter driver that would use the CIFS

Yes, an FS filter. Do you have the TCP protocol already designed to access the
missing blocks of the files?

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
XXXX@XXXXX.COM
http://www.yqcomputer.com/