winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Support "SupportedFeatures" in KSystemInformer mini-filter #2117

Closed jxy-s closed 2 days ago

jxy-s commented 5 days ago

Description of the feature, modification, idea or suggestion

The KSystemInformer mini-filter should support BypassIO, described here: https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/bypassio

All the "SupportedFeatures" are from the following: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-fsrtlgetsupportedfeatures

SUPPORTED_FS_FEATURES_OFFLOAD_READ 0x01     The volume supports offloaded read operations.
SUPPORTED_FS_FEATURES_OFFLOAD_WRITE 0x02    The volume supports offloaded write operations.
SUPPORTED_FS_FEATURES_QUERY_OPEN 0x04       The volume supports query open operations.
SUPPORTED_FS_FEATURES_BYPASS_IO 0x08        The volume supports BypassIO

Proposed implementation details (optional)

These options should be configurable via the settings: https://github.com/winsiderss/systeminformer/blob/7e6b3a6dd2cb0bea495dd468f4a5a8228864f308/SystemInformer/settings.c#L351-L364

The "SupportedFeatures" bits set in the advanced options should likely default to 0xf, describing all the existing "SupportedFeatures", and be updated accordingly in the future. The option to configure this in the advanced settings means the user can choose to turn off the "BypassIO" feature (or others) if they wish.

This value needs to be set in the KSystemInformer services registry key; this can be done by the various methods in which we install and load the driver in kph.c:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KSystemInformer]
"SupportedFeatures"=dword:0000000f
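
An added example, not part of the original issue and not System Informer code: a PowerShell audit that reads the "SupportedFeatures" value from each filter's services key and decodes it with the bit values listed above, so a filter that does not declare BypassIO stands out. The function name is hypothetical, the "has an Instances subkey" test for spotting minifilters is a heuristic assumption, and a missing value is reported here as mask 0.

```powershell
# Bit values as listed in the issue (FsRtlGetSupportedFeatures documentation).
$FsFeatureBits = [ordered]@{
    SUPPORTED_FS_FEATURES_OFFLOAD_READ  = 0x01
    SUPPORTED_FS_FEATURES_OFFLOAD_WRITE = 0x02
    SUPPORTED_FS_FEATURES_QUERY_OPEN    = 0x04
    SUPPORTED_FS_FEATURES_BYPASS_IO     = 0x08
}

function Get-FilterSupportedFeatures {   # hypothetical helper name
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        $raw = $key.GetValue('SupportedFeatures')

        # Heuristic (assumption): treat a service as a minifilter if it sets
        # SupportedFeatures or has an Instances subkey; skip everything else.
        if ($null -eq $raw -and $key.GetSubKeyNames() -notcontains 'Instances') { continue }

        # Only a REG_DWORD is meaningful; anything else is reported as mask 0.
        $mask  = if ($raw -is [int]) { $raw } else { 0 }
        $names = @($FsFeatureBits.Keys | Where-Object { $mask -band $FsFeatureBits[$_] })

        [pscustomobject]@{
            Filter       = $key.PSChildName
            ValuePresent = $null -ne $raw
            Mask         = '0x{0:x8}' -f $mask
            BypassIO     = ($mask -band 0x08) -ne 0
            # Bits outside 0xf are not in the table above; surface them for review.
            UnknownBits  = '0x{0:x}' -f ($mask -band (-bnot 0x0f))
            Features     = $names -join ', '
        }
    }
}

# Filters without the BypassIO bit sort first.
Get-FilterSupportedFeatures | Sort-Object BypassIO, Filter | Format-Table -AutoSize
```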

MagicAndre1981 commented 3 days ago

What about ReFS DevDrive since 23H2 22621.2338? I've added FileInfo and ProcMon24 as listed with fsutil devdrv setfiltersallowed. Do I also have to do this with the System Informer driver?

jxy-s commented 2 days ago

Nothing special needs to be done on our side to support DevDrive. It's up to you if you want KSystemInformer to attach to those volumes. If this is what you want, specify KSystemInformer just as you would for any filter.

All that tool does is set the following registry value:

\\Registry\\Machine\\System\\CurrentControlSet\\Control\\FilterManager
FltmgrDevDriveAttachPolicy    REG_MULTI_SZ

This is a property of the filter manager, not the filter driver, and requires re-mounting the volume(s) for the changes to apply. That's not something we should be doing on behalf of the user when installing and starting our driver. This property is different than SupportedFeatures which is something we can do when installing and starting the driver.

jxy-s commented 2 days ago

Done here: https://github.com/winsiderss/systeminformer/commit/781442168efdad9df04f89565a4034ea2bc495c9