Neal Christiansen - Inside File System Filter, part I
- Posted: Jan 21, 2005 at 12:04 PM
- 124,689 Views
- 35 Comments
File System Filters are kernel-mode non-device drivers that monitor inbound and outbound FileSystem IO.
A prime example of an FSM is anti-virus software (the primary function of an AV app is to monitor IO stream content looking for virus patterns, after all).
Anyway, we were introduced to Neal by Dana Epp (he's working with the filter driver team to build a new security system and helped us during this interview) and we were impressed with Neal.
Why? Well, he's built two operating systems himself. More on that later, but hope you enjoy the first part of this, second part to come Monday.
Here, he takes you on a tour of the depths of Windows. Inside the kernel and the world of so-called kernel-mode drivers.
A prime example of an FSM is anti-virus software (the primary function of an AV app is to monitor IO stream content looking for virus patterns, after all).
Anyway, we were introduced to Neal by Dana Epp (he's working with the filter driver team to build a new security system and helped us during this interview) and we were impressed with Neal.
Why? Well, he's built two operating systems himself. More on that later, but hope you enjoy the first part of this, second part to come Monday.
Here, he takes you on a tour of the depths of Windows. Inside the kernel and the world of so-called kernel-mode drivers.
Comments Closed
Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation,
please create a new thread in our Forums,
or
Contact Us and let us know.
More episodes in this show
-
Neal Christiansen - Inside File System Filter,…
-
Neal Christiansen - Inside File System Filter,…
-
Windows, Part I - Dave Probert
Follow the Discussion
Oops, something didn't work.
What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in. You need to be signed in to Channel 9 to use this feature.What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in and view them all on your notifications page.sign up for email notifications?
It might be a good idea to have a video with someone from the kernel team explaining how the NT kernel works. Not everybody here has read books on that, and I'm sure many people would be interested. Even better, get someone who can really tell us why certain things are designed the way they are, and what the benefits or disadvantages of that design have turned out to be since the conception of NT. This video already does some of that, but it focuses on one area of the kernel. Not that that's really a bad thing, but I just think it'd be a good idea to try and paint the big picture too.
Excellent video!
Some of the videos don't have much useful content, but this is very educational.
Neal mentions the Crash Analysis reports. Is there any chance of Channel 9 finding-out what happens to those automated reports, and why sometimes stuff is uploaded and other times not?
Funny you should mention this, Sven.
I am going to introduce a new series on Channel 9 in the relatively near future which I'm calling Deep Windows (but that may change). This video is in fact a precursor and your reply gives me even more incentive to make Deep Windows a reality. Also, I will be starting a more speculative and theoretical "interview" series that will include roundtable discussion among very big thinkers here at Microsoft.
It's going to be a deep year on Channel 9.
Going deep,
Charles
EDIT: I'm leaning towards calling the series Going Deep. Yes. That's it.
Glad you liked the video. There are more Neal vids coming soon.
Perhaps we should interview some of the CA people.
If these Filters can now be unloaded at any time, what prevents someone from writing a virus that will unload the antivirus filter?
PS - Will we ever see Bill here?
I'd like to second that. I wish my professors were as clear.
By the way, who works on the kernel team at Microsoft? Is Dave Cutler still doing work on the NT kernel?
Question One:
Neal said they could not monitor all locks and such that a Mini-Filter may have, so the FM can not undu all that - makes sense. However, could you try/catch around the callback for each MiniFilter and if an exception or bad return code, then unload that filter, post an Event log, and keep going? Or would that still leave a bunch of locks and memory leaks out there?
Question Two:
Speaking theoretically. Someone mentioned C#. How might they allow something like a MF to be written in C#? Thinking outside the box now. I realize Kernel mode and no clr in Kernel mode. But could a compiler and a special IO library be written, such that a c# program would compile into something that would run in kernel mode? Thinking about computers getting faster. Maybe some day, you could have a special Kernel Level-CLR that would allow a special version of the framework to be used to develop Kernel drivers. Then drivers could be run in Kernel Managed code (KMC).
Question Three:
No mention of Dave Cutler on NT design. Is he still around? What is he working on now?
Cheers and hats off to Neal and C9!
--
William Stacey [MVP]
His blog btw. is wonderful to read.
Damn, that sounds nice. This is very surprising news indeed!
You have to have administrator privilege to unload a minifilter.
The developers of minifilters can decide if they want to support unload (we encourage it due to JimAl's "no reboot" initiative). They can also do additional authentication themselves to make sure a minifilter is being unloaded by someone appropriate.
It is better to provide tools such that 3rd party developers can create quality drivers that don't have crashing bugs. One of the things we are working on for longhorn is a comprehensive driver verifier for minifilters like we have for other drivers in the system.
As far as C# goes in the kernel, you should talk to the device driver guys; they are thinking about this for the future.
Raymond does not want to be interviewed on camera and we respect that. Sorry. We tried.
Charles
Several people work on the kernel team (Neal is one of them) and you are going to meet more KernelPeople in the near future. Stay tuned.
Charles
Also, I read somewhere that the SDK for writing new file system driver or for directly working with NTFS costs $1000. Is that correct? And if yes why?
If you want to access a foreign filesystem just for light use (such as reading ext2 formatted floppies) it would be easier and safer to run the filesystem code as a library is usermode and interface it to the NT filesystem using re-parse points (roughly equivalent to the loopback device in Linux). I'm sure there's code out there that does this already, or at least there's code for running ext2 in user-mode so it wouldn't take long to put together.
--
wjs
Brilliant
Is there going to be an interview or a video with him?
That's terrible. Thank you for the try.
Probably not, sorry. We tried... However, there WILL be some other kernel heavyweights coming to theatre near you
Please stay tuned.
Charles
...
Okay, two words and an acronym.
Uh, now I do not get it. Wasn't channel9 pretty much bumping to people around the places without asking ahead? Just go to where the big shots are and run into them. They won't get the chance to say no =)
It's more a matter of not wanting to be interviewed than a matter of not wanting to be on video. We respect people's right to not take part in this. After all, not everybody likes to be asked questions and have their answers shared with the world, be it on streaming video or audio-only. Maybe they are shy or simply just don't want to do it. It really doesn't matter what the reason is. Channel 9 is all about respect.
Note that we seldom if ever just tape random people, though it does happen rarely, especially when we tour around product teams. For example, we interviewed Herb Sutter recently (VC ++ Architect and ISO C++ luminary) and ran into somebody in the hall that told us all about the experimental compiler framework called Phoenix.
We always set up interviews ahead of time.
Charles
"At Digital, he had given no interviews, and he insisted Microsoft never asked him to speak with the press. He even warned Gates: "If you bring the press in to see me, I'll do something that will make you never bring them in again." "
Still its a fascinating book, I am glad I was able to get a copy second hand.
I've also just got a copy of "Windows Internals 4th Edition" which has a short piece by Cutler as an introduction, including a photograph of him and the authors.
Also, beware that Yahoo! filters that registration e-mail as junk and keep up the good job.
Dear All,
I am trying to see the video, but guess there is some problem could please suggest were i could get access to it now.
Thank You.
Prasanna.K
Remove this comment
Remove this thread
close