Posted by The Channel 9 Team // Wed, Dec 7, 2005 5:42 PM
File System Filters are kernel-mode non-device drivers that monitor inbound and outbound FileSystem IO.
A prime example of an FSM is anti-virus software (the primary function of an AV app is to monitor IO stream content looking for virus patterns, after all).
Anyway, we were introduced to Neal by Dana Epp (he's working with the filter driver team to build a new security system and helped us during this interview) and we were impressed with Neal.
Why? Well, he's built two operating systems himself. More on that later, but hope you enjoy the first part of this, second part to come Monday.
Here, he takes you on a tour of the depths of Windows. Inside the kernel and the world of so-called kernel-mode drivers.
Show: Going Deep
Tags: OS, Kernel
|
| Video Length: 00:25:16
|
|
Replies:
34
// Views:
45,620
|
 |
|
|
Pretty interesting stuff. We need to have more videos like this, digging deep into Windows (or other MS technologies).
It might be a good idea to have a video with someone from the kernel team explaining how the NT kernel works. Not everybody here has read books on that, and I'm sure many people would be interested. Even better, get someone who can really tell us why certain things are designed the way they are, and what the benefits or disadvantages of that design have turned out to be since the conception of NT. This video already does some of that, but it focuses on one area of the kernel. Not that that's really a bad thing, but I just think it'd be a good idea to try and paint the big picture too.
|
 | Sven Groot wrote:
Pretty interesting stuff. We need to have more videos like this, digging deep into Windows (or other MS technologies).
It might be a good idea to have a video with someone from the kernel team explaining how the NT kernel works. Not everybody here has read books on that, and I'm sure many people would be interested. Even better, get someone who can really tell us why certain things are designed the way they are, and what the benefits or disadvantages of that design have turned out to be since the conception of NT. This video already does some of that, but it focuses on one area of the kernel. Not that that's really a bad thing, but I just think it'd be a good idea to try and paint the big picture too. |
Funny you should mention this, Sven. :)
I am going to introduce a new series on Channel 9 in the relatively near future which I'm calling Deep Windows (but that may change). This video is in fact a precursor and your reply gives me even more incentive to make Deep Windows a reality. Also, I will be starting a more speculative and theoretical "interview" series that will include roundtable discussion among very big thinkers here at Microsoft.
It's going to be a deep year on Channel 9.
Going deep,
Charles
EDIT: I'm leaning towards calling the series Going Deep. Yes. That's it.
|
|
Excellent video!
Some of the videos don't have much useful content, but this is very educational.
Neal mentions the Crash Analysis reports. Is there any chance of Channel 9 finding-out what happens to those automated reports, and why sometimes stuff is uploaded and other times not?
|
| koorb wrote:
Excellent video!
Some of the videos don't have much useful content, but this is very educational.
Neal mentions the Crash Analysis reports. Is there any chance of Channel 9 finding-out what happens to those automated reports, and why sometimes stuff is uploaded and other times not? |
Glad you liked the video. There are more Neal vids coming soon.
Perhaps we should interview some of the CA people. ;-)
|
Great video, Just one question.
If these Filters can now be unloaded at any time, what prevents someone from writing a virus that will unload the antivirus filter?
|
One big vote for Deep Windows here, as well as the roundtable. There are things that I don't know to ask but affect me every day - let's hear it! Keep it up and thanks for the C9 Guy ;)
PS - Will we ever see Bill here?
|
Compliments to Neal Christiansen on a well communicated overview of file system filters.
|
 |
Fonze
da Fonz...... aaayyyyeeee
|
|
|
I would be extremely interested in seeing some interviews with people who will talk about the inner workings of windows. I'm focusing on OS's as part of my CS major, and the one thing they don't talk enough about are the inner workings of windows, we study mostly linux =/
|
| Jerrold wrote:
Compliments to Neal Christiansen on a well communicated overview of file system filters. |
I'd like to second that. I wish my professors were as clear. ;)
|
This is a very good development :) I actually registered at this site anticipating this moment.
By the way, who works on the kernel team at Microsoft? Is Dave Cutler still doing work on the NT kernel?
|
Very cool - thanks guys.
Question One:
Neal said they could not monitor all locks and such that a Mini-Filter may have, so the FM can not undu all that - makes sense. However, could you try/catch around the callback for each MiniFilter and if an exception or bad return code, then unload that filter, post an Event log, and keep going? Or would that still leave a bunch of locks and memory leaks out there?
Question Two:
Speaking theoretically. Someone mentioned C#. How might they allow something like a MF to be written in C#? Thinking outside the box now. I realize Kernel mode and no clr in Kernel mode. But could a compiler and a special IO library be written, such that a c# program would compile into something that would run in kernel mode? Thinking about computers getting faster. Maybe some day, you could have a special Kernel Level-CLR that would allow a special version of the framework to be used to develop Kernel drivers. Then drivers could be run in Kernel Managed code (KMC).
Question Three:
No mention of Dave Cutler on NT design. Is he still around? What is he working on now?
Cheers and hats off to Neal and C9!
--
William Stacey [MVP]
|
Dave Cutler is definitely still around. In fact, Neal mentions him on part II of this interview.
|
Could you also do some videos with Raymond Chen (blog: http://weblogs.asp.net/oldnewthing) he really knows a lot about Windows. It would be cool seeing him talk a bit about his experiences.
His blog btw. is wonderful to read.
|
 |
Dr. Shim
Inaniloquent monomathical people inlapidate me.
|
|
|
| Charles wrote:
Funny you should mention this, Sven. :)
I
am going to introduce a new series on Channel 9 in the relatively near
future which I'm calling Deep Windows (but that may change). This
video is in fact a precursor and your reply gives me even more
incentive to make Deep Windows a reality...
|
Damn, that sounds nice. This is very surprising news indeed!
|
|
You have to have administrator privilege to unload a minifilter.
The developers of minifilters can decide if they want to support unload (we encourage it due to JimAl's "no reboot" initiative). They can also do additional authentication themselves to make sure a minifilter is being unloaded by someone appropriate.
|
It is really not practical to try and caputue failures in minifilters and unload them. It simply masks bugs in drivers and can lead to other strange things. FOr example if someone had an encryption filter that crashed and was automatically unloaded you as a user might wonder why you can no longer access your encrypted data. There is no way to handle all of this generically
It is better to provide tools such that 3rd party developers can create quality drivers that don't have crashing bugs. One of the things we are working on for longhorn is a comprehensive driver verifier for minifilters like we have for other drivers in the system.
As far as C# goes in the kernel, you should talk to the device driver guys; they are thinking about this for the future.
|
| littleguru wrote:
Could you also do some videos with Raymond Chen (blog: http://weblogs.asp.net/oldnewthing) he really knows a lot about Windows. It would be cool seeing him talk a bit about his experiences.
His blog btw. is wonderful to read. |
Raymond does not want to be interviewed on camera and we respect that. Sorry. We tried.
Charles
|
| Gandalf wrote:
By the way, who works on the kernel team at Microsoft? |
Several people work on the kernel team (Neal is one of them) and you are going to meet more KernelPeople in the near future. Stay tuned.
Charles
|
If SP4 is the final service pack for Windows 2000 meaning that no other widespread updates will be issue for that os, how come you are going to update it with the latest file filter technology you have mentioned?
|
Although your area of expertize is file filters, I would like to ask you why does not Windows support more file systems? At least for reading only. I mean other operating systems can successfully read and write to many file systems, not only NTFS and the legacy fat. Ok, not as reliably to all of them but still they have more interoperability support. If Windows has a better i/o architecture why isn't it more interoperable as well? Supporting more file systems like Unix/Linux ones, would enable us to access data that we have created in these oses, like let's say a diskette from a Linux system.
Also, I read somewhere that the SDK for writing new file system driver or for directly working with NTFS costs $1000. Is that correct? And if yes why?
|
 |
rhm
Love the OS, hate the advocates.
|
|
|
You can code filesystems using the DDK, which MSDN subscribers can
download. Non-subscribers can order it for the cost of the media.
If you want to access a foreign filesystem just for light use (such as
reading ext2 formatted floppies) it would be easier and safer to run
the filesystem code as a library is usermode and interface it to the NT
filesystem using re-parse points (roughly equivalent to the loopback
device in Linux). I'm sure there's code out there that does this
already, or at least there's code for running ext2 in user-mode so it
wouldn't take long to put together.
|
Diskettes? People still use those? :) Have not touched one in about a year. I think things like NFS, made it so you really don't need another driver. Things like VMWare probably also reduce the need anymore. I bet you could find one however. I had thought most *nixes these days offer a DOS diskette ability - maybe not.
--
wjs
|
| The Channel 9 Team wrote:
Dave Cutler is definitely still
around. In fact, Neal mentions him on part II of this interview. |
Brilliant :)
Is there going to be an interview or a video with him?
|
| Charles wrote:
Raymond does not want to be interviewed on camera and we respect that. Sorry. We tried.
Charles |
That's terrible. Thank you for the try.
|
|
|