www.cswl.com
I/O File System Filter Driver For Windows NT
A Technical Report
Technical Expertise Level : Intermediate
Requires knowledge of : Device drivers and basic knowledge of Windows NT
architecture
Written by
J. Joseph Prabhu
D. Narayanan
January,1999
INDEX
INTRODUCTION..............................................................................................................3
WINDOWS NT DRIVER MODEL.................................................................................3
INTERMEDIATE DRIVERS...........................................................................................5
FILTER DRIVERS............................................................................................................5
WHEN CAN I USE A FILTER DRIVER?.....................................................................5
HOW ARE FILTER DRIVERS ATTACHED TO AN UNDERLYING DRIVER.....6
CONTROLLING THE DRIVER FROM AN APPLICATION....................................7
WHAT ARE FILE SYSTEM DRIVERS?.......................................................................9
HOW FILE SYSTEM DRIVERS DIFFER FROM OTHER WINDOWS NT
DRIVERS?..........................................................................................................................9
OUTLINE OF THE FILE SYSTEM DRIVER MODEL............................................10
CONTROL FLOW IN THE DRIVER MODEL..........................................................11
THREAD CONTEXT MANAGEMENT......................................................................13
WHY DO WE NEED GUARANTEED I/O?.................................................................15
COMPUTING DISK BANDWIDTH.............................................................................15
CHALLENGES IN PROVIDING GUARANTEED I/O..............................................16
IMPLEMENTED SOLUTION.......................................................................................18
HOW FILTER GETS CONTROL.................................................................................19
WHAT THE FILTER DOES?........................................................................................21
CSWL Inc, Irvine, California - 2 -
www.cswl.com
RESERVATION MANAGER:..............................................................................................22
COLLECTOR:...................................................................................................................23
SCHEDULER:...................................................................................................................23
DISPATCHER:..................................................................................................................24
SCHEDULING LOGIC OF THE FILTER USING TIME STAMPS........................24
INSTALLATION, TESTING AND DEBUGGING......................................................25
INSTALLATION:...............................................................................................................25
TESTING:.........................................................................................................................26
DEBUGGING:...................................................................................................................27
WHERE TO GO FROM HERE?...................................................................................28
REFERENCES.................................................................................................................28
Most of the modern world applications require high performance and are greatly
dependent on the transfer rate of data to and from the disk. But Windows NT, the
mostly widely used operating system in the industry does not provide any
semblance of disk guarantee to the applications. It would require a specially written
device driver to incorporate this feature on the Windows NT operating system.
INTRODUCTION
Most of the modern world applications require high performance and are greatly
dependent on the transfer rate of data to and from the disk. But Windows NT, the
mostly widely used operating system in the industry does not provide any
semblance of disk guarantee to the applications. It would require a specially written
device driver to incorporate this feature on the Windows NT operating system.
Windows NT Driver Model
As it is shown in the diagram, NT includes a number of kernel mode components
with well-defined functionality isolated in each component. The File System,
intermediate and other device drivers are shown integrated with the NT I/O
Manager. The NT I/O Manager presents a consistent interface to all the kernel-
mode drivers, including device, intermediate and file system drivers. The I/O
CSWL Inc, Irvine, California - 3 -
www.cswl.com
Manager exports system services, which user mode protected subsystems call to
carry out I/O operations on behalf of their applications. These system services
include the Configuration Manager, Memory Manager, Object Manager and the
Security Reference Monitor. All I/O requests to NT drivers are sent as I/O request
packets (IRPs). The I/O Manager intercepts these calls, sets up one or more Irps,
and routes them through to the respective drivers.
The Windows NT driver architecture uses an entry point model, in which the I/O
Manager calls a particular routine in a driver when it wants the driver to perform a
particular function. The I/O Manager passes a specific set of parameters to the
driver to enable it to perform the requested function. The function that is first called
when a driver is loaded is the DriverEntry. The driver performs initialization for
itself and any device it controls. The driver can have up to one Dispatch entry point
for each major I/O function that it supports. These Dispatch entry points are called
by the I/O Manager to request the driver to initiate a particular I/O operation. E.g.
The driver can have a Dispatch entry point for a read operation as DispatchRead (..)
which the I/O Manager calls when it needs to read from the particular device.
Windows NT allows several driver layers to exist between an application and a
piece of hardware. Thus drivers are grouped together in stacks that work together to
completely process a request targeted at a particular device object.
Windows NT uses a layered driver model to process I/O requests. In this model,
drivers are organized into stacks. Each driver in a stack is responsible for
processing the part of the request that it can handle, if any. If the request cannot be
completed, information for the lower driver in the stack is set up and the request is
passed along to that driver.
This layered driver model allows functionality to be dynamically added to a driver
stack. It also allows each driver to specialize in a particular type of function and
decouples it from having to know about other drivers.
CSWL Inc, Irvine, California - 4 -
www.cswl.com
Intermediate Drivers
Intermediate drivers form the middle layer of the driver hierarchy. Intermediate
drivers provide value-added feature or class processing for devices. Intermediate
drivers rely upon the device drivers below them in the NT driver hierarchy for
access to a physical device.
Filter Drivers
A Filter Driver is a special type of layered driver. What sets a filter driver apart
from the layered driver is that it is invisible. They attach themselves to any other
driver and intercept requests directed at the lower driver’s Device objects. It is
developed primarily to allow the addition of new functionality beyond what is
currently available. The filter driver may either use the services of the original
target of the I/O request, or use the services of other kernel-mode drivers to provide
value-added functionality.
When can I use a filter driver?
Filter Drivers are used to add features to a device without modifying the underlying
device driver or the programs that use the device. Filters allow us to modify some
aspects of an existing driver’s behavior without re-writing the underlying driver.
Let me explain the necessity of a filter driver with an example.
Consider a case where it is decided to design and implement on-line encryption /
decryption functionality on an existing Windows NT file system. At present, the
operating system does not provide any such functionality. In such a situation, it
would not be cost effective to design our own file system implementation to store
encrypted files. Besides, users would wish to continue using the existing native
Windows file system. This is one situation where a filter driver comes to the rescue
CSWL Inc, Irvine, California - 5 -
评论5