Storage Device Stacks, Storage Volumes, and File System Stacks

For optimal reliability and performance, use file system minifilter drivers with Filter Manager support instead of legacy file system filter drivers. To port your legacy driver to a minifilter driver, see Guidelines for Porting Legacy Filter Drivers.

Before exploring how file system legacy filter drivers attach to file systems and volumes, it is necessary to understand the relationship between storage device stacks, storage volumes, and file system stacks.

Storage Device Stacks

Most storage drivers are PnP device drivers, which are loaded and managed by the PnP Manager. Storage devices are represented in the PnP device tree, which contains a device node, or devnode, for every physical or logical device on the machine. It is important to note that file systems and file system filter drivers are not PnP device drivers; thus the PnP device tree contains no devnodes for them.

The devnode for a particular storage device contains the storage device stack for the device; this is the chain of attached device objects that represent the device’s storage device drivers. Because a storage device, such as a disk, might contain one or more logical volumes (partitions or dynamic volumes), the storage device stack itself often looks more like a tree than a stack. The root of this tree is a functional device object (FDO) for a storage adapter or for another device stack that is integrated with the storage stack. The leaves of this tree are the physical device objects (PDOs) for the logical volumes, also called storage volumes, on which file system volumes can be mounted.

For diagrams and descriptions of some typical storage device stacks, see the following sections of the Storage Devices Design Guide:

Storage Volumes

A volume is a storage device, such as a fixed disk, floppy disk, or CD-ROM, that is formatted to store directories and files. A large volume can be divided into more than one logical volume, also called a partition. Each logical volume is formatted for use by a particular media-based file system, such as NTFS, FAT, or CDFS.

A storage volume, or storage device object, is a device object в€’ usually a physical device object (PDO) в€’ that represents a logical volume to the system. The storage device object resides in the storage device stack, but it is not necessarily the topmost device object in the stack.

When a file system is mounted on a storage volume, it creates a file system volume device object (VDO) to represent the volume to the file system. The file system VDO is mounted on the storage device object by means of a shared object called a volume parameter block (VPB).

Mount Manager

The Mount Manager is the part of the I/O system that is responsible for managing storage volume information such as volume names, drive letters, and volume mount points. When a new storage volume is added to the system, Mount Manager is notified of its arrival in either of the following ways:

The class driver that created the storage volume calls IoRegisterDeviceInterface to register a new interface in the MOUNTDEV_MOUNTED_DEVICE_GUID interface class. When this happens, the Plug and Play device interface notification mechanism alerts the Mount Manager of the volume’s arrival in the system.

The driver for the storage volume sends the Mount Manager an IRP_MJ_DEVICE_CONTROL request, specifying IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION for the I/O control code. This request can be created by calling IoBuildDeviceIoControlRequest.

Unique Volume Name

Mount Manager responds to the arrival of a new storage volume by querying the volume driver for the following information:

The volume’s nonpersistent device object name (or target name), located in the Device directory of the system object tree (for example: «\Device\HarddiskVolume1»)

The volume’s globally unique identifier (GUID), also called the unique volume name

A suggested persistent symbolic link name for the volume, such as a drive letter (for example, «\DosDevices\D:»)

For more information about the interaction between storage drivers and Mount Manager, see Supporting Mount Manager Requests in a Storage Class Driver.

File System Stacks

File system drivers create two different types of device objects: control device objects (CDO) and volume device objects (VDO). A file system stack consists of one of these device objects, together with any filter device objects for file system filter drivers that are attached to it. The file system’s device object always forms the bottom of the stack.

File System CDOs

File system CDOs represent entire file systems, rather than individual volumes, and are stored in the global file system queue. A file system creates one or more named CDOs in its DriverEntry routine. For example, FastFat creates two CDOs: one for fixed media and one for removable media. CDFS creates only one CDO, because it has only removable media.

File system CDOs are required to be named. This is because file system filter drivers, as well as many kernel-mode support routines, rely on this difference between VDOs and CDOs as a way of telling them apart.

File System VDOs

File system VDOs represent volumes mounted by file systems. A file system creates a VDO when it mounts a volume, usually in response to a volume mount request. Unlike a CDO, a VDO is always associated with a specific logical or physical storage device.

Unlike CDOs, VDOs must never be named, because naming a volume device object would create a security hole.

Как исправить синий экран смерти NTFS_FILE_SYSTEM на Windows 10?

NTFS_FILE_SYSTEM – это синий экран смерти, который способен появляться на всех версиях операционной системы Windows. Как правило, причиной, стоящей за этим критическим сбоем, являются проблемы с файловой системой жесткого диска, на котором располагается ОС Windows. Чуть реже, причиной BSoD NTFS_FILE_SYSTEM может быть какой-то драйвер в системе, который выводит ее из стабильного состояния.

Обычно, решается данный синий экран смерти с помощью такой системной утилиты, как Check Disk. Эта утилита встроена в вашу операционную систему, так что искать ее или загружать со сторонних ресурсов вам не понадобится. Применить Check Disk можно с помощью системной консоли Windows. Именно этим мы с вами и займемся в данной статье.

Устраняем NTFS_FILE_SYSTEM на Windows 10

Не каждый синий экран смерти намертво блокирует компьютер пользователя. Если вам удалось обойти NTFS_FILE_SYSTEM и войти в операционную систему, то считайте себя везунчиком, так как устранить критический сбой, вероятно, вам удастся куда быстрее. Все дело в том, что применить программу Check Disk можно только в Командной строке, доступ к которой можно получить в двух местах: ОС и Windows RE(среда восстановления).

Если же синий экран смерти NTFS_FILE_SYSTEM заблокировал вашу систему, то, к сожалению, вам придется воспользоваться Средой Восстановления, доступ к которой можно получить с помощью установочного носителя Windows.

Если есть доступ к системе:

• нажмите правой кнопкой мыши на Пуск;
• выберите в контекстном меню пункт «Командная строка(администратор)»;
• впишите в консоль команду chkdsk /f /r и нажмите Enter;
• дождитесь окончания процедуры, а затем перезагрузите компьютер.

Если доступа к системе нет(NTFS_FILE_SYSTEM блокирует доступ):

• создайте установочный носитель Windows 10(USB-носитель или CD);
• загрузитесь через него и доберитесь до окна с кнопкой «Установить»;
• нажмите на кнопку «Восстановление системы»;
• выберите раздел «Поиск и устранение неисправностей»;
• далее откройте «Дополнительные параметры»;
• далее кликните на инструмент «Командная строка»;
• введите в консоль команду chkdsk /f /r и нажмите Enter;
• на запрос о выполнение проверки при следующей загрузке системы – нажмите «Y»;
• перезагрузитесь и подождите, пока завершиться процесс проверки вашего жесткого диска.

Обычно, использования программы Check Disk достаточно, чтобы разрешить проблему с синим экраном смерти NTFS_FILE_SYSTEM. Тем не менее бывают случаи, когда вышеуказанный метод не срабатывает. Что же, в таком случае, мы рекомендуем вам попробовать войти в Среду Восстановления Windows и испробовать некоторые опции: восстановление при загрузке и восстановление системы с помощью точки восстановления. Если и это не поможет, то можете воспользоваться опцией «Вернуть компьютер в предыдущее состояние», что, по-сути, эквивалентно переустановке Windows 10.

Как включить Windows Projected File System на Windows 10

Компания Microsoft недавно представила предварительную сборку Windows 10 под номером 17604 в канале обновление «Ранний доступ». В этом релизе добавляется одна интересная функция под названием Windows Projected File System.

• Откройте меню Пуск > Служебные — Windows > Панель управления > Программы и компоненты > Включение или отключение компонентов Windows. Здесь поставьте галочку напротив строки Windows Projected File System (в моём случае в сборке 17110 на ней написано beta).

Защита файлов Windows File Protection (WFP) не позволяет программам заменять критически важные системные файлы Windows. Приложения не могут перезаписывать их, поскольку операционная система и другие программы пользуются этими файлами.

Microsoft представила Windows File Protection для защиты этих критически важных системных файлов и предотвращения проблем в работе операционной системы. Windows File Protection не является новой функцией Windows. Microsoft использовала эту подсистему ещё в Windows 2000 и Windows XP, вернув обратно к жизни в 2018 году.

Однако вряд ли новый механизм полагается на архитектуру 20-летней давности. Например, Microsoft переименовала GVFS (Git Virtual File System) в ProjF (Windows Projected Filesystem).

Как работает Windows File Protection

Если программа использует метод для замены защищённых файлов, WFP восстанавливает оригинальные файлы. Инсталлятор Windows подключается к WFP при установке критически важных системных файлов и делает запрос на установку и замену защищённых файлов вместо попытки установить или заменить их самостоятельно.

WFP работает главным образом незаметно в фоновом режиме. Механизм защиты запускается после того, как WFP получает уведомление об изменении файла в защищённой директории. Система заменяет изменённый файл на файл из кэша или источника установки, отменяя изменения.

Как исправить синий экран смерти NTFS_FILE_SYSTEM на Windows 10?

NTFS_FILE_SYSTEM – это синий экран смерти, который способен появляться на всех версиях операционной системы Windows. Как правило, причиной, стоящей за этим критическим сбоем, являются проблемы с файловой системой жесткого диска, на котором располагается ОС Windows. Чуть реже, причиной BSoD NTFS_FILE_SYSTEM может быть какой-то драйвер в системе, который выводит ее из стабильного состояния.

Обычно, решается данный синий экран смерти с помощью такой системной утилиты, как Check Disk. Эта утилита встроена в вашу операционную систему, так что искать ее или загружать со сторонних ресурсов вам не понадобится. Применить Check Disk можно с помощью системной консоли Windows. Именно этим мы с вами и займемся в данной статье.

Устраняем NTFS_FILE_SYSTEM на Windows 10

Не каждый синий экран смерти намертво блокирует компьютер пользователя. Если вам удалось обойти NTFS_FILE_SYSTEM и войти в операционную систему, то считайте себя везунчиком, так как устранить критический сбой, вероятно, вам удастся куда быстрее. Все дело в том, что применить программу Check Disk можно только в Командной строке, доступ к которой можно получить в двух местах: ОС и Windows RE(среда восстановления).

Если же синий экран смерти NTFS_FILE_SYSTEM заблокировал вашу систему, то, к сожалению, вам придется воспользоваться Средой Восстановления, доступ к которой можно получить с помощью установочного носителя Windows.

Если есть доступ к системе:

• нажмите правой кнопкой мыши на Пуск;
• выберите в контекстном меню пункт «Командная строка(администратор)»;
• впишите в консоль команду chkdsk /f /r и нажмите Enter;
• дождитесь окончания процедуры, а затем перезагрузите компьютер.

Если доступа к системе нет(NTFS_FILE_SYSTEM блокирует доступ):

• создайте установочный носитель Windows 10(USB-носитель или CD);
• загрузитесь через него и доберитесь до окна с кнопкой «Установить»;
• нажмите на кнопку «Восстановление системы»;
• выберите раздел «Поиск и устранение неисправностей»;
• далее откройте «Дополнительные параметры»;
• далее кликните на инструмент «Командная строка»;
• введите в консоль команду chkdsk /f /r и нажмите Enter;
• на запрос о выполнение проверки при следующей загрузке системы – нажмите «Y»;
• перезагрузитесь и подождите, пока завершиться процесс проверки вашего жесткого диска.

Обычно, использования программы Check Disk достаточно, чтобы разрешить проблему с синим экраном смерти NTFS_FILE_SYSTEM. Тем не менее бывают случаи, когда вышеуказанный метод не срабатывает. Что же, в таком случае, мы рекомендуем вам попробовать войти в Среду Восстановления Windows и испробовать некоторые опции: восстановление при загрузке и восстановление системы с помощью точки восстановления. Если и это не поможет, то можете воспользоваться опцией «Вернуть компьютер в предыдущее состояние», что, по-сути, эквивалентно переустановке Windows 10.

Installing a File System Driver

About Driver Installation

The Setup application programming interface (SetupAPI) provides the functions that control Windows setup and driver installation, including the installation of file system and file system filter drivers.

The installation process is controlled by INF files. For more information about INF files:

For file system driver-specific INF file information, see below

For more information about general driver installation (including information about driver packages, INF files, and driver signing), see Device and Driver Installation.

After creating an INF file, you will typically write the source code for your setup application. The setup application calls user-mode setup functions to access the information in the INF file and perform installation operations.

The following information regarding installing and uninstalling file system filter drivers also applies to file system drivers:

Creating an INF File for a File System Driver

A file system driver’s INF file provides instructions that SetupAPI uses to install the driver. The INF file is a text file that specifies the files that must be present for your driver to run and the source and destination directories for the driver files. An INF file also contains driver configuration information that SetupAPI stores in the registry, such as the driver’s start type and load order group.

You can create a single INF file to install your driver on multiple versions of the Windows operating system. For more information about creating such an INF file, see Creating INF Files for Multiple Platforms and Operating Systems and Creating International INF Files.

Starting with 64-bit versions of Windows Vista, all kernel-mode components, including non-PnP (Plug and Play) drivers such as file system drivers (file system, legacy filter, and minifilter drivers), must be signed in order to load and execute. For these versions of the Windows operating system, the following list contains information that is relevant to file system drivers.

INF files for non-PnP drivers, including file system drivers, are not required to contain [Manufacturer] or [Models] sections.

The SignTool command-line tool, located in the \bin\SelfSign directory of the WDK installation directory, can be used to directly «embed sign» a driver SYS executable file. For performance reasons, boot-start drivers must contain an embedded signature.

Given an INF file, the Inf2Cat command-line tool can be used to create a catalog (.cat) file for a driver package.

With Administrator privileges, an unsigned driver can still be installed on x64-based systems starting with Windows Vista. However, the driver will fail to load (and thus execute) because it is unsigned.

For detailed information about the driving signing process, including the driving signing process for 64-bit versions of Windows Vista, see Kernel-Mode Code Signing Walkthrough.

All kernel-mode components, including custom kernel-mode development tools, must be signed. For more information, see Signing Drivers during Development and Test (Windows Vista and Later).

INF files cannot be used to read information from the registry or to launch a user-mode application.

Sections in a File System Driver INF File

To construct your own file system driver INF file, use the following information as a guide. You can use the InfVerif tool to check the syntax of your INF file.

An INF file for a file system driver generally contains the following sections.

Version Section (required)

The Version section specifies the driver version information, as shown in the following code example.

The following table shows the values that file system filter drivers should specify in the Version section.

Entry	Value
Signature	«$WINDOWS NT$»
Provider	In your own INF file, you should specify a provider other than Microsoft.
DriverVer	See INF DriverVer directive
CatalogFile	Leave this entry blank. In the future, it will contain the name of a WHQL-supplied catalog file for signed drivers.

DestinationDirs Section (optional but recommended)

The DestinationDirs section specifies the directories where the file system driver files will be copied.

In this section and in the ServiceInstall section, you can specify well-known system directories by using system-defined numeric values. For a list of these values, see INF DestinationDirs Section. In the following code example, the value «12» refers to the Drivers directory (%windir%\system32\drivers).

SourceDisksNames Section (required)

The SourceDisksNames section specifies the distribution media to be used.

In the following code example, the SourceDisksNames section lists a single distribution media for the file system driver. The unique identifier for the media is 1. The name of the media is specified by the %Disk1% token, which is defined in the Strings section of the INF file.

SourceDisksFiles Section (required)

The SourceDisksFiles section specifies the location and names of the files to be copied.

In the following code example, the SourceDisksFiles section lists the file to be copied for the file system driver and specifies that the files can be found on the media whose unique identifier is 1 (This identifier is defined in the SourceDisksNames section of the INF file.)

DefaultInstall Section (required)

In the DefaultInstall section, a CopyFiles directive copies the file system driver’s driver files to the destination that is specified in the DestinationDirs section.

The CopyFiles directive should not refer to the catalog file or the INF file itself; SetupAPI copies these files automatically.

You can create a single INF file to install your driver on multiple versions of the Windows operating system. This type of INF file is created by creating additional DefaultInstall, DefaultInstall.Services, DefaultUninstall, and DefaultUninstall.Services sections for each operating system version. Each section is labeled with a decoration (for example, .ntx86, .ntia64, or .nt) that specifies the operating system version to which it applies. For more information about creating this type of INF file, see Creating INF Files for Multiple Platforms and Operating Systems.

In the following code example, the CopyFiles directive copies the files that are listed in the ExampleFileSystem.DriverFiles section of the INF file.

DefaultInstall.Services Section (required)

The DefaultInstall.Services section contains an AddService directive that controls how and when the services of a particular driver are loaded.

In the following code example, the AddService directive adds the file system service to the operating system. The %ServiceName% token contains the service name string, which is defined in the Strings section of the INF file. ExampleFileSystem.Service is the name of the file system driver’s ServiceInstall section.

ServiceInstall Section (required)

The ServiceInstall section adds subkeys or value names to the registry and sets values. The name of the ServiceInstall section must appear in an AddService directive in the DefaultInstall.Services section.

The following code example shows the ServiceInstall section for the file system driver.

The DisplayName entry specifies the name for the service. In the preceding example, the service name string is specified by the %ServiceName% token, which is defined in the Strings section of the INF file.

The Description entry specifies a string that describes the service. In the preceding example, this string is specified by the %ServiceDesc% token, which is defined in the Strings section of the INF file.

The ServiceBinary entry specifies the path to the executable file for the service. In the preceding example, the value 12 refers to the Drivers directory (%windir%\system32\drivers).

The ServiceType entry specifies the type of service. The following table lists the possible values for ServiceType and their corresponding service types.

Value	Description
0x00000001	SERVICE_KERNEL_DRIVER (Device driver service)
0x00000002	SERVICE_FILE_SYSTEM_DRIVER (File system or file system filter driver service)
0x00000010	SERVICE_WIN32_OWN_PROCESS (Microsoft Win32 service that runs in its own process)
0x00000020	SERVICE_WIN32_SHARE_PROCESS (Win32 service that shares a process)

The ServiceType entry should always be set to SERVICE_FILE_SYSTEM_DRIVER for a file system driver.

The StartType entry specifies when to start the service. The following table lists the possible values for StartType and their corresponding start types.

Value	Description
0x00000000	SERVICE_BOOT_START
0x00000001	SERVICE_SYSTEM_START
0x00000002	SERVICE_AUTO_START
0x00000003	SERVICE_DEMAND_START
0x00000004	SERVICE_DISABLED

For detailed descriptions of these start types to determine which one is appropriate for your file system driver, see What Determines When a Driver Is Loaded.

Starting with x64-based Windows Vista systems, the binary image file of a boot-start driver (a driver that has a start type of SERVICE_BOOT_START) must contain an embedded signature. This requirement ensures optimal system boot performance. For more information, see Kernel-Mode Code Signing Walkthrough.

For information about how the StartType and LoadOrderGroup entries determine when the driver is loaded, see What Determines When a Driver Is Loaded.

The ErrorControl entry specifies the action to be taken if the service fails to start during system startup. The following table lists the possible values for ErrorControl and their corresponding error control values.

Value	Description
0x00000000	SERVICE_ERROR_IGNORE (Log the error and continue system startup.)
0x00000001	SERVICE_ERROR_NORMAL (Log the error, display a message to the user, and continue system startup.)
0x00000002	SERVICE_ERROR_SEVERE (Switch to the registry’s LastKnownGood control set and continue system startup.
0x00000003	SERVICE_ERROR_CRITICAL (If system startup is not using the registry’s LastKnownGood control set, switch to LastKnownGood and try again. If startup still fails, run a bug-check routine. Only the drivers that are needed for the system to startup should specify this value in their INF files.)

The LoadOrderGroup entry must always be set to «File System» for a file system driver. This is different from what is specified for a file system filter driver or file system minifilter driver where the LoadOrderGroup entry is set to one of the file system filter load order groups. For more information about the load order groups that are used for file system filter drivers and file system minifilter drivers, see Load Order Groups for File System Filter Drivers and Load Order Groups and Altitudes for Minifilter Drivers.

The AddReg directive refers to one or more INF writer-defined AddRegistry sections that contain any information to be stored in the registry for the newly installed service.

If the INF file will also be used for upgrading the driver after the initial install, the entries that are contained in the AddRegistry section should specify the 0x00000002 (FLG_ADDREG_NOCLOBBER) flag. Specifying this flag preserves the registry entries in HKLM\CurrentControlSet\Services when subsequent files are installed. For example:

DefaultUninstall Section (optional)

The DefaultUninstall section is optional but recommended if your driver can be uninstalled. It contains DelFiles and DelReg directives to remove files and registry entries.

In the following code example, the DelFiles directive removes the files that are listed in the ExampleFileSystem.DriverFiles section of the INF file.

The DelReg directive refers to one or more INF writer-defined DelRegistry sections that contain any information to be removed from the registry for the service that is being uninstalled.

DefaultUninstall.Services Section (optional)

The DefaultUninstall.Services section is optional but recommended if your driver can be uninstalled. It contains DelService directives to remove the file system driver’s services.

In the following code example, the DelService directive removes the file system driver’s service from the operating system.

The DelService directive should always specify the 0x200 (SPSVCINST_STOPSERVICE) flag to stop the service before it is deleted.

There are certain classes of file system products that cannot be completely uninstalled. In this situation, it is acceptable to just uninstall the components of the product that can be uninstalled and leave installed the components of the product that cannot be uninstalled. An example of such a product is the Microsoft Single Instance Store (SIS) feature.

Strings Section (required)

The Strings section defines each %strkey% token that is used in the INF file.

For example, the file system driver defines the following strings in its INF file.

You can create a single international INF file by creating additional locale-specific Strings.LanguageID sections in the INF file. For more information about international INF files, see Creating International INF Files.