Suspended User Mode Program

  • Question

  • I have a filter driver that communicates with a user-mode program.  I try to control for system-level events, such as paging IO, but most IO calls will result in a round-trip between the filter driver and the UM program.  If the UM program crashes or is otherwise stopped, the filter driver notices the communication port is down and the system continues more or less as normal.  However, I noticed that when the UM program is suspended, such as when I try to create a DMP file from taskmgr or procexp, the system becomes unresponsive.  This makes sense, since the communication port is still technically open, and the filter driver, being none the wiser, will keep sending events through it and expecting a response.  I suspect the events time out, but due to the nature of some of the events, I need a fairly high timeout (I use ~30 seconds currently).  Because of the unresponsiveness of the system, the situation is pretty difficult to troubleshoot.

    I must not have been the first to encounter this problem.  Are there some known ways to deal with this situation?  I tried to find a kernel-mode equivalent to CheckRemoteDebuggerPresent, which would not be a silver bullet, especially right around the time the UM program is being suspended, but might lead to eventual recovery.  I could not find an equivalent, though.

    Thursday, March 19, 2015 9:40 PM

Answers

  • Well, this is the reason a lot of the filter driver user space code is put into a Windows service.  There is not a good way to check; there is some undocumented stuff in ZwQueryInformationProcess, but that is about all.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Thursday, March 19, 2015 10:09 PM

All replies

  • OK, thanks Don.

    Friday, March 20, 2015 7:00 PM
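
For the situation in the question (a suspended service leaves the port open, so every event waits out the ~30-second timeout), one way to bound the stall is a circuit breaker in the driver: after a few consecutive timeouts it stops waiting on the service and applies a default verdict, letting one probe through per interval to detect recovery. This is an added example, not code from the thread; all names and the values 2 and 5000 ms are hypothetical, and it models only the decision logic in portable C, assuming the real round trip is a timed send such as FltSendMessage.

```c
/* Added example: portable model of the decision logic only (hypothetical names).
   Single-threaded; a driver would guard this state with a lock or interlocked ops. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ACT_ASK_SERVICE, ACT_USE_DEFAULT } action;

typedef struct {
    uint32_t trip_after;     /* consecutive timeouts before the breaker trips */
    uint64_t probe_every_ms; /* while tripped, one probe round trip per interval */
    uint32_t timeouts;       /* consecutive timeouts seen so far */
    bool     tripped;
    uint64_t next_probe_ms;
} breaker;

void breaker_init(breaker *b, uint32_t trip_after, uint64_t probe_every_ms) {
    b->trip_after = trip_after;
    b->probe_every_ms = probe_every_ms;
    b->timeouts = 0;
    b->tripped = false;
    b->next_probe_ms = 0;
}

/* Call before each round trip: send to the service, or apply the default verdict? */
action breaker_before_send(breaker *b, uint64_t now_ms) {
    if (!b->tripped) return ACT_ASK_SERVICE;
    if (now_ms < b->next_probe_ms) return ACT_USE_DEFAULT;
    b->next_probe_ms = now_ms + b->probe_every_ms; /* only this caller pays the timeout */
    return ACT_ASK_SERVICE;
}

/* Call after each round trip; replied == false means the send timed out. */
void breaker_after_send(breaker *b, bool replied, uint64_t now_ms) {
    if (replied) { b->timeouts = 0; b->tripped = false; return; }
    if (++b->timeouts >= b->trip_after) {
        b->tripped = true;
        b->next_probe_ms = now_ms + b->probe_every_ms;
    }
}

int main(void) {
    breaker b;
    breaker_init(&b, 2, 5000);            /* constructed values */
    breaker_after_send(&b, false, 30000); /* first 30 s timeout */
    breaker_after_send(&b, false, 60000); /* second timeout trips the breaker */
    printf("at 60001 ms: %s\n",
           breaker_before_send(&b, 60001) == ACT_USE_DEFAULT ? "default verdict" : "ask service");
    return 0;
}
```

Whether the default verdict allows or blocks the I/O is a policy decision: allowing keeps the system responsive, while blocking keeps enforcement in place while the service is not answering.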