OSR Open Systems Resources, Inc.

Last Update: 9 May 2024 TL;DR Starting sometime with Windows 11 Microsoft changed Windows Driver Verifier to no longer bug check or breakpoint when it encounters most issues. Instead, it (silently) writes an entry to the system event log. This change was neither announced nor documented by Microsoft. So, in short, we've all been testing our drivers using Windows Driver Verifier on Windows 11 for years, expecting it to actively tell us if we've made serious mistakes....

HUGE Change in Driver Verifier == HUGE Problem for the Community Last Update: 9 May 2024 TL;DR Starting sometime with Windows 11 Microsoft changed Windows Driver Verifier to no longer bug check or breakpoint when it encounters most issues. Instead, it (silently)…

Great! But did you know that even the "Driver Recommended" rule set leaves out a lot of useful tests? We are indeed extremely fortunate to have the tooling that is available to us for Windows driver development. Static tools such as Code Analysis (CA) and Static Driver Verifier (SDV), coupled with dynamic tools like Windows Driver Verifier and WDF Verifier make it much easier to avoid problems that aren't always evident during basic in-house testing....

It Passes Code Analysis Great! But did you know that even the “Driver Recommended” rule set leaves out a lot of useful tests? We are indeed extremely fortunate to have the tooling that is available to us for W…

It took "a while" but, without any fanfare, sometime in May of 2022, Microsoft released a version of the Windows Driver Kit (WDK) that supports Visual Studio (VS) 2022. This version is referred to as the Windows 11 Version 22H2 WDK. Support for VS 2022 is a good thing. Given that many (if not most) Windows driver developers these days often also write some sort of application code, having one tool chain that supports both jobs is both useful and most welcome....

The Windows Driver Kit and Visual Studio 2022 It took “a while” but, without any fanfare, sometime in May of 2022, Microsoft released a version of the Windows Driver Kit (WDK) that supports Visual Studio (VS) 2022. This version is …

Times change. People, even engineers, eventually "clue up." As people become sensitive to the negative impact that the names of things can have on those who don't share their own ethnic, racial, cultural, or social background, they get on board with the idea of changing those names. Sometimes the changes are simple; As easy as replacing one troublesome term with an equally good neutral term....

The Names, They Are a Changin’ Times change. People, even engineers, eventually “clue up.” As people become sensitive to the negative impact that the names of things can have on those who don’t share their own …

OSR's 2022 Public Seminar Schedule (Q1/Q2) -

OSR's 2022 Public Seminar Schedule (Q1/Q2)

Should I Set PnPLockdown=1?

What IS this INF directive, why is the WDK whining at me to provide is, and should I do as it suggests?

Should I Set PnPLockdown=1? At some point recently (“recently” being defined as “in the last year or so”) the WDK started whining at me with the following warning: warning 1324: [Version] section shoul…

Getting WinDbg to Work Over KDNet on a VM Hosted by QEMU-KVM

Using WinDbg Over KDNet on QEMU-KVM We spent several months working on a very intensive (and very interesting) project that required a writing a driver that was specifically intended to run on a Windows system running under QEMU-KVM …

OSR's File System Minifilter and WDF Seminar Schedule -

OSR's File System Minifilter and WDF Seminar Schedule

The results are in: Microsoft is definitely eliminating cross-signing, and won't be doing anything to facilitate our updating drivers on down-level versions of Windows. Score a loss for the driver development community.

Lost Cause: No Driver Updates Allowed, Except for Win 10 For months, the team here at OSR has been actively working with folks at Microsoft to find a solution to allow drivers on Windows 7, Windows 8, and Windows 8.1 systems, including Server 2012 R2, to…

We were surprised by a Tweet claiming that simply accessing a path caused NTFS to report the volume as corrupt: We met this with great skepticism (how could that possibly be??) but seems to have a strange knack for finding these sorts of things. After a bit of delay the magic path was revealed and, as advertised, triggered a very ugly warning:...

http://www.osr.com/blog/2021/01/21/mitigating-the-i30bitmap-ntfs-bug/

Mitigating the $I30:$Bitmap NTFS Bug We were surprised by a Tweet claiming that simply accessing a path caused NTFS to report the volume as corrupt: We met this with great skepticism (how could that possibly be??) but seems t…

The Windows 2004 WDK/EWDK have been updated to mitigate the previously reported ExAllocatePoolZero Security Vulnerabilities. Read about what you should do now.

http://www.osr.com/blog/2021/01/07/mitigations-exallocatepoolzero-security-vulnerability/

Mitigations and Best Practices for ExAllocatePoolZero Security Vulnerabilities tl;dr The Windows V2004 WDK/EWDK had a serious security vulnerability. It has been updated to mitigate that vulnerability, and you should update all of your machines that have the WDK/EWDK installe…

My article for The NT Insider on static analysis tools for driver developers included the following off-hand comment: We’re not going to discuss SDV in this article because (a) it provides a very different type of analysis from that provided by Code Analysis and Clang-Tidy, and (b) nobody at OSR has been able to get it to work – at all – in VS 2019....

http://www.osr.com/blog/2020/11/16/making-sdv-work-vs-2019-wdk-2004/

Making SDV Work with VS 2019 and WDK 2004 My article for The NT Insider on static analysis tools for driver developers included the following off-hand comment: We’re not going to discuss SDV in this article because (a) it provides a very d…

The Sept-Oct 2020 issue of The NT Insider is now available! - https://mailchi.mp/osr/dp3ddrrqgc

The NT Insider (OSR)

Upcoming Online Seminars from OSR - https://mailchi.mp/osr/upcoming-online-seminars-from-osr

Upcoming Online Seminars from OSR

Microsoft: No More Driver Updates Allowed for Win7 and Win8

http://www.osr.com/blog/2020/10/15/microsoft-driver-updates-allowed-win7-win8/

Microsoft: No Driver Updates Allowed for Win7 and Win8 Microsoft has announced that it is ending the ability to cross-sign drivers, effective 1 July 2021. This will effectively make it impossible to release new or updated drivers for Windows 7, Windows…

tl;dr Last week (week of 5 July 2020) OSR found and reported a bug to Microsoft that has both security and reliability implications for driver developer. New functions introduced in the Windows 2004 WDK that are designed to zero pool allocations before they are returned to the driver, do not zero those allocations when running on Windows 1909 systems (only). The functions work as intended on both older and newer systems. [ 1,974 more word ]
http://www.osr.com/blog/2020/07/14/bug-in-new-function-exallocatepoolzero-results-in-security-vulnerability-and-crashes/

Bug in New Function ExAllocatePoolZero Results in Security Vulnerability and Crashes tl;dr Last week (week of 5 July 2020) OSR found and reported a bug to Microsoft that has both security and reliability implications for driver developer. New functions introduced in the Windows 200…

What ever happened to KB article that had The Table mapping NTSTATUS to Win32 Error Codes? Well, it's gone. So, we created an up-to-date version to share with the community.
http://www.osr.com/blog/2020/04/23/ntstatus-to-win32-error-code-mappings/

NTSTATUS to Win32 Error Code Mappings Some time ago, for reasons known only to our friends in Redmond, the Microsoft Knowledge Base article that listed all the NTSTATUS values and what their equivalent Win32 ERROR mappings was disappea…

TL;DR DO NOT update VS 2019 beyond 16.4.0, or you risk breaking the WDK, to the point that it won't compile anything when Code Analysis is enabled (and you can't subsequently turn off Code Analysis). If you're like most people, when Visual Studio lights the little "there's an update available" icon, you the update installed as soon as convenient. After all, these updates (which seem to come out ever other week or so) often fix real problems in Visual Studio. [ 380 more words ]
http://www.osr.com/blog/2020/03/31/beware-vs-2019-v16-4-x-update-breaks-the-wdk/

Beware: VS 2019 V16.4.x Update Breaks the WDK TL;DR DO NOT update VS 2019 beyond 16.4.0, or you risk breaking the WDK, to the point that it won’t compile anything when Code Analysis is enabled (and you can’t subsequently turn off C…

Attend OSR's WDF or Minifilter Seminars Remotely - https://mailchi.mp/osr/attend-osrs-wdf-or-minifilter-seminars-remotely

Attend OSR's WDF or Minifilter Seminars Remotely

OSR Seminar Update (Feb2020) - https://mailchi.mp/osr/osr-seminar-update-feb2020

OSR Seminar Update (Feb2020)

OSR Seminar Update (New Dates + Remote Attendance!) - https://mailchi.mp/osr/osr-seminar-update-new-dates-remote-attendance

OSR Seminar Update (New Dates + Remote Attendance!)

One of the most common requests that we've received over the years about our seminars has been to allow people to attend remotely, online, via the Internet. But we waited, quite literally for years, until we had felt we could give attendees an experience that met our high standards. While nothing can be 100% as good as being in the same room with one of our engineering team members, we dreamed of providing an experience that would be… [ 628 more words ]
http://www.osr.com/blog/2019/09/10/finally-attend-osrs-driver-development-seminars-online/

Finally! Attend OSR’s Driver Development Seminars Online One of the most common requests that we’ve received over the years about our seminars has been to allow people to attend remotely, online, via the Internet. But we waited, quite literally for…

A couple of weeks ago I was teaching our Developing file System Minifilters for Windows seminar here in Manchester, NH. A student asked a question about a behavior they were seeing when calling FltGetFileNameInformation after a rename operation on the network. Much to their surprise, the name returned was the old name for the file and not the new name. This is contrary to how the API works when called on a local file system, making it even more confusing. [ 445 more words ]
http://www.osr.com/blog/2019/08/13/unexpected-fltgetfilenameinformation-behavior-for-network-renames-oh-and-tunnel-caching-too/

Unexpected FltGetFileNameInformation Behavior for Network Renames (oh, and Tunnel Caching too) A couple of weeks ago I was teaching our Developing file System Minifilters for Windows seminar here in Manchester, NH. A student asked a question about a behavior they were seeing when calling Flt…

I’ve been doing some research into the Windows Filtering Platform and the information available at each of the various filtering layers. In particular, I’ve been focusing on the information available in Windows 7 as that predates some ETW trace points that contain interesting network event data. After attaching a filter to the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, I started poking around at the various values supplied to the classify function. [ 1,174 more word ]
http://www.osr.com/blog/2019/07/02/how-l1-terminal-fault-l1tf-mitigation-and-windbg-wasted-my-morning-a-k-a-yak-shaving-windbg-edition/

How L1 Terminal Fault (L1TF) Mitigation and WinDbg Wasted My Morning (a.k.a. Yak Shaving: WinDbg Edition) I’ve been doing some research into the Windows Filtering Platform and the information available at each of the various filtering layers. In particular, I’ve been focusing on the information availab…

OSR Seminar Schedule (May 2019 Update) - https://mailchi.mp/osr/osr-seminar-schedule-may-2019-update

Join us for one of our upcoming sessions on File System Minifilters (filling fast), WDF, Kernel Debugging & Crash Analysis or Internals & Software Drivers...

New blog post: Why OSR's PeterGV is withdrawing from Microsoft's Most Valuable Professional (MVP) program
http://www.osr.com/blog/2019/04/08/withdrawing-from-the-microsoft-mvp-program/

Withdrawing From the Microsoft MVP Program When I was first named a Microsoft Most Valuable Professional, back in the early 2000’s, I was very proud. Really, I was. There was a cohort of smart, generous, and engaged engineers who were…

Well, THIS one was a surprise...After triggering a memory leak in a driver, the system surprisingly crashed due to a call to FsRtlIsNameInExpression: # ChildEBP RetAddr 00 b7226d0c 816167b8 nt!RtlpBreakWithStatusInstruction 01 b7226d60 816161c1 nt!KiBugCheckDebugBreak+0x1f 02 b7227154 81575746 nt!KeBugCheck2+0x7b3 03 b7227178 8157567d nt!KiBugCheck2+0xc6 04 b7227198 816126ed nt!KeBugCheckEx+0x19 05 b72271b4 81590522 nt!KiFatalExceptionHandler+0x1a 06 b72271d8 815904f4 nt!ExecuteHandler2+0x26 07 b722729c 8159049b nt!ExecuteHandler+0x24 08 b72275cc 814c61fe nt!RtlRaiseStatus+0x47 09 b7227610 89a72012 nt!RtlIsNameInExpression+0x74 0a b7227630 89a71496 Osr!MatchNameAgainstExpression+0x42… [ 181 more words ]
http://www.osr.com/blog/2019/03/04/psa-fsrtlisnameinexpression-can-raise-exception/

PSA: FsRtlIsNameInExpression Can Raise an Exception Well, THIS one was a surprise…After triggering a memory leak in a driver, the system surprisingly crashed due to a call to FsRtlIsNameInExpression: [crayon-5c7d9c5239a46096342755/] As best we…

As a file system filter developer, one of the great pains in life is when a file system operation fails deep in the bowels of the file system. For example, say I'm trying to rename a file with FltSetInformationFile for FileRenameInformation and I get back STATUS_ACCESS_DENIED. How do I track that down? Sure, I could try single stepping through the function until I see a STATUS_ACCESS_DENIED, but that could take quite a while. [ 343 more words ]
https://www.osr.com/blog/2018/10/17/ntfs-status-debugging/

NTFS Status Debugging As a file system filter developer, one of the great pains in life is when a file system operation fails deep in the bowels of the file system. For example, say I’m trying to rename a file wit…

A big complaint I've always had about the HLKs is the overhead of getting a system provisioned as the HLK controller. This is made even worse now by the blistering speed with which Windows feature updates are coming, thus requiring the installation of yet another HLK controller for compliance testing every few months. I was pleasantly surprised then to see the release of the… [ 103 more words ]
https://www.osr.com/blog/2018/10/15/check-new-virtual-hardware-lab-kit-vhlk/

Check out the new Virtual Hardware Lab Kit (VHLK) A big complaint I’ve always had about the HLKs is the overhead of getting a system provisioned as the HLK controller. This is made even worse now by the blistering speed with which Windows fe…

Well, OK... It's not really 1809 anymore. It's actually 1810 when I'm writing this. But whatever. There's a new WDK among us. Before you can install WDK 1809, you'll need to be running Visual Studio 15.8 and you'll need to manually install the latest SDK (the version is Windows 10.0.17763.1, which is the 1809 SDK). Very helpfully, the 1809 WDK installer checks to see if the the proper SDK version is installed. [ 350 more words ]
https://www.osr.com/blog/2018/10/04/1809-new-wdk-dont-be-afraid/

It’s 1809… A New WDK Awaits You… Don’t Be Afraid! Well, OK… It’s not really 1809 anymore. It’s actually 1810 when I’m writing this. But whatever. There’s a new WDK among us. Before you can install WDK 1809, you& #821…