Using NetCfg.exe to deploy NDIS6 filter driver is not replacing the binary

  • Question

  • Hello,

    I'm developing an NDIS6 filter driver based on the Ndislwf sample. And thanks to the Win10 WDK and VS2015 integration, the development/test/debug cycle is really convenient :-)

    But up to now I couldn't get the deployment to work 100%.
    I've set up my target machine, and VS copies the driver files correctly to the target, removes the driver from the driver store and adds it again. That's all working.
    I know you cannot use the integrated driver install feature for filters, so I use the Custom Command Line feature and call netcfg.exe to install my driver. Netcfg reports success when uninstalling/installing the driver. But when I debug the driver, the driver binary I'm debugging is still the old, previous version. In the debugger I can see that DriverUnload gets called correctly. So the OS is telling my driver it is going to be unloaded.

    The only way to actually replace the driver binary is to first uninstall using netcfg, reboot and then install the new binary using netcfg. I can also reproduce this behavior by doing these steps from the command line and not letting the VS deployment task do it. If I don't do a reboot after uninstalling, the driver binary won't get updated.

    Is this a general limitation, that you cannot uninstall and reinstall a filter without a reboot?
    Or am I doing something wrong?

    Thanks

    Jan

    Tuesday, November 24, 2015 5:42 PM

Answers

  • The driver will not necessarily be unloaded after DriverUnload. Pending references can block unload.

    Tuesday, November 24, 2015 10:16 PM

All replies

  • So is there anything I can do to replace the filter driver binary without a reboot?

    Friday, November 27, 2015 9:49 AM
  • Yes, fix your driver. As Pavel wrote, outstanding references will prevent a driver from being unloaded. The reason for this restriction is to prevent crashes, and as such, there is no way to force the unload in this situation.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, November 27, 2015 7:21 PM
    Moderator
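
A deployment check for the situation discussed in this thread, as an added example that is not part of any poster's reply: after `netcfg -u`, it looks for the driver image in the kernel's loaded-module list (via the documented `EnumDeviceDrivers` API) and installs the new build only once the old image is gone. The image name, component ID and INF path are placeholders, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example. Placeholders: use your driver's image name, NetCfg component ID and INF path.
$ImageName   = 'myfilter.sys'
$ComponentId = 'ms_myfilter'
$InfPath     = 'C:\DriverTest\myfilter.inf'

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class KernelModules {
    [DllImport("psapi.dll", SetLastError = true)]
    static extern bool EnumDeviceDrivers([Out] IntPtr[] bases, uint cb, out uint needed);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode)]
    static extern uint GetDeviceDriverBaseNameW(IntPtr imageBase, StringBuilder name, uint size);

    // True if a kernel image with this file name is still mapped.
    public static bool IsLoaded(string imageName) {
        var bases = new IntPtr[1024]; uint cb, needed;
        do {   // grow the buffer until the whole module list fits
            cb = (uint)(bases.Length * IntPtr.Size);
            if (!EnumDeviceDrivers(bases, cb, out needed))
                throw new InvalidOperationException("EnumDeviceDrivers failed: " + Marshal.GetLastWin32Error());
            if (needed > cb) bases = new IntPtr[needed / IntPtr.Size + 64];
        } while (needed > cb);
        bool sawAddress = false; var name = new StringBuilder(260);
        for (int i = 0; i < (int)(needed / IntPtr.Size); i++) {
            if (bases[i] == IntPtr.Zero) continue;   // address hidden from this caller
            sawAddress = true;
            if (GetDeviceDriverBaseNameW(bases[i], name, (uint)name.Capacity) > 0 &&
                string.Equals(name.ToString(), imageName, StringComparison.OrdinalIgnoreCase)) return true;
        }
        if (!sawAddress) throw new InvalidOperationException("Kernel image addresses are hidden; run elevated.");
        return false;
    }
}
'@

netcfg.exe -u $ComponentId
# DriverUnload having run does not mean the image is unmapped; poll the module list instead.
$deadline = (Get-Date).AddSeconds(15)
while ([KernelModules]::IsLoaded($ImageName) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 500
}
if ([KernelModules]::IsLoaded($ImageName)) {
    Write-Error "$ImageName is still loaded after uninstall; the old binary would keep running."
    exit 1
}
netcfg.exe -l $InfPath -c s -i $ComponentId
```

A non-zero exit here reproduces the symptom from the question in a visible way: the uninstall succeeded, but the old image is still held in memory.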