locked
How to stop a WFP driver cleanly? RRS feed

  • Question

  • My WFP driver is based on the inspect sample, and it communicates with a Windows service via the worker thread. All works fine, except sometimes when I stop the service, I get a blue screen caused by the driver. I have kept all the gDriverUnloading code, so how can I stop the driver more cleanly?

    Thanks for your help,

    Olivier


    • Edited by OlivierMSDN Monday, November 18, 2013 10:25 PM
    Monday, November 18, 2013 10:24 PM

Answers

  • The simplest way is to unregister all of your callouts, then flush all of your outstanding injections. Unregistering will turn all of your callout filters into BLOCK filters (by default). This means you won't be queuing up any more data to inject. Then you need to finish any injections and outstanding pends before you unload.

    This is the method used by the WFPSampler (http://code.msdn.microsoft.com/windowshardware/Windows-Filtering-Platform-27553baa/view/SourceCode)

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------


    Monday, November 18, 2013 10:47 PM
    Moderator

All replies

  • The simplest way is to unregister all of your callouts, then flush all of your outstanding injections. Unregistering will turn all of your callout filters into BLOCK filters (by default). This means you won't be queuing up any more data to inject. Then you need to finish any injections and outstanding pends before you unload.

    This is the method used by the WFPSampler (http://code.msdn.microsoft.com/windowshardware/Windows-Filtering-Platform-27553baa/view/SourceCode)

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------


    Monday, November 18, 2013 10:47 PM
    Moderator
  • Thanks Dusty.
    Tuesday, November 26, 2013 8:36 PM