
"FltStartFiltering has not been called" Error of trying to attach a volume in DriverEntry


I have tried to attach to a volume while the driver service starts, but I got "The filter is not ready for attachment to volumes because it has not finished initialize (FltStartFiltering has not been called)." and immediately got a blue screen. I have already called FltStartFiltering, but I don't know why it didn't work.

Below is my code:

    status = FltRegisterFilter(DriverObject,
        &FilterRegistration,
        &MiniSpyData.Filter);

    if (!NT_SUCCESS(status)) {
        leave;
    }

    status = FltBuildDefaultSecurityDescriptor(&sd,
        FLT_PORT_ALL_ACCESS);

    if (!NT_SUCCESS(status)) {
        leave;
    }

    RtlInitUnicodeString(&uniString, WOODY_PORT_NAME);

    InitializeObjectAttributes(&oa,
        &uniString,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        sd);

    status = FltCreateCommunicationPort(MiniSpyData.Filter,
        &MiniSpyData.ServerPort,
        &oa,
        NULL,
        SpyConnect,
        SpyDisconnect,
        SpyMessage,
        1);

    FltFreeSecurityDescriptor(sd);

    if (!NT_SUCCESS(status)) {
        leave;
    }

    //
    //  We are now ready to start filtering
    //

    status = FltStartFiltering(MiniSpyData.Filter);

    if (!NT_SUCCESS(status)) {
        FltUnregisterFilter(MiniSpyData.Filter);
    }
    else {
        // Here is what I want to attach
        RtlInitUnicodeString(&uniString, L"\\Device\\HarddiskVolume1");
        PFLT_VOLUME vol;
        FltGetVolumeFromName(&MiniSpyData.Filter, &uniString, &vol);
        status = FltAttachVolume(&MiniSpyData.Filter, vol, NULL, NULL);
    }

Solution

  • RtlInitUnicodeString(&uniString, L"\\Device\\HarddiskVolume1");
    PFLT_VOLUME vol;
    FltGetVolumeFromName(&MiniSpyData.Filter, &uniString, &vol);
    status = FltAttachVolume(&MiniSpyData.Filter, vol, NULL, NULL);
    

    The part above is simply not needed and wrong as well. Let me explain:

    1. The FltGetVolumeFromName routine takes a PFLT_FILTER as the first parameter, and from what I see in your code you are giving it a PFLT_FILTER*.
    2. You don't need to manually attach to volumes since you will automatically attach and be called in your instance context unless you set the FLTFL_INSTANCE_SETUP_MANUAL_ATTACHMENT in your instance context registration flags. See this for more details.
    3. You don't want to do this during boot because the volume might not be there yet and thus your potential BSOD.

    Good luck.