Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1227 lines
35 KiB

  1. /*++
  2. Copyright (c) 1991-2000 Microsoft Corporation
  3. Module Name:
  4. DRIVER.CXX
  5. Abstract:
  6. Functions for Loading, Maintaining, and Unloading Device Drivers.
  7. ScLoadDeviceDriver
  8. ScControlDriver
  9. ScGetDriverStatus
  10. ScGetObjectName
  11. ScUnloadDriver
  12. ScIsPnPDriver
  13. Author:
  14. Dan Lafferty (danl) 27-Apr-1991
  15. Environment:
  16. User Mode -Win32
  17. Notes:
  18. Revision History:
  19. 22-Feb-1999 jschwart
  20. Prevent stopping of PnP drivers via ControlService (since it bluescreens
  21. the machine and is easier to fix here than the REAL fix in NtUnloadDriver)
  22. 02-Oct-1997 AnirudhS
  23. Removed IOCTL to NDIS for NDIS driver arrivals.
  24. 08-Jan-1997 AnirudhS
  25. ScGetDriverStatus, ScGetObjectName, etc: Instead of expecting a
  26. shared lock on the service database and upgrading it to exclusive,
  27. which is broken, just expect an exclusive lock.
  28. 03-Jan-1997 AnirudhS
  29. Temporary fix for QFE bug 66887: When a driver stops, don't free its
  30. object name. Free it only when the driver is reconfigured or deleted.
  31. The changes are marked by "QFE 66887" comments.
  32. 19-Jan-1996 AnirudhS
  33. Add IOCTLs to NDIS for TDI and NDIS driver arrivals.
  34. 30-Oct-1995 AnirudhS
  35. ScLoadDeviceDriver: Turn STATUS_IMAGE_ALREADY_LOADED into
  36. ERROR_SERVICE_ALREADY_RUNNING.
  37. 05-Aug-1993 Danl
  38. ScGetObjectName: It is possible to read an empty-string object
  39. name from the registry. If we do, we need to treat this the same
  40. as if the ObjectName value were not in the registry.
  41. 01-Jun-1993 Danl
  42. GetDriverStatus: When state moves from STOPPED to RUNNING,
  43. then the service record is updated so that STOP is accepted as
  44. a control.
  45. 10-Jul-1992 Danl
  46. Changed RegCloseKey to ScRegCloseKey
  47. 27-Apr-1991 danl
  48. created
  49. --*/
  50. //
  51. // INCLUDES
  52. //
  53. #include "precomp.hxx"
  54. #include <ntddndis.h> // NDIS IOCTL codes
  55. #include <stdlib.h> // wide character c runtimes.
  56. #include <cfgmgr32.h> // PNP manager functions
  57. #include <pnp.h> // PNP manager functions, server side
  58. #include "scconfig.h" // ScReadStartName
  59. #include "driver.h" // ScGetDriverStatus()
  60. #include "depend.h" // ScGetDependentsStopped()
  61. #include "scsec.h" // ScGetPrivilege, ScReleasePrivilege
  62. #include <debugfmt.h> // FORMAT_LPWSTR
  63. //
  64. // DEFINES
  65. //
  66. #define OBJ_DIR_INFO_SIZE 4096L
  67. #define SERVICE_PATH L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"
  68. #define FILE_SYSTEM_OBJ_NAME L"\\FileSystem\\"
  69. #define DRIVER_OBJ_NAME L"\\Driver\\"
  70. //
  71. // This is a string version of GUID_DEVCLASS_LEGACYDRIVER in devguid.h
  72. //
  73. #define LEGACYDRIVER_STRING L"{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  74. //
  75. // LOCAL FUNCTION PROTOTYPES
  76. //
  77. DWORD
  78. ScGetObjectName(
  79. LPSERVICE_RECORD ServiceRecord
  80. );
  81. BOOL
  82. ScIsPnPDriver(
  83. IN LPSERVICE_RECORD Service
  84. );
  85. DWORD
  86. ScLoadDeviceDriver(
  87. LPSERVICE_RECORD ServiceRecord
  88. )
  89. /*++
  90. Routine Description:
  91. This function attempts to load a device driver. If the NtLoadDriver
  92. call is successful, we know that the driver is running (since this
  93. is a synchronous operation). If the call fails, the appropriate
  94. windows error code is returned.
  95. NOTE: It is expected that the Database Lock will be held with
  96. exclusive access upon entry to this routine.
  97. WARNING: This routine releases and acquires the Database Lock.
  98. Arguments:
  99. ServiceRecord - This is pointer to a service record for the Device
  100. Driver that is being started.
  101. Return Value:
  102. --*/
  103. {
  104. DWORD status = NO_ERROR;
  105. NTSTATUS ntStatus;
  106. LPWSTR regKeyPath;
  107. UNICODE_STRING regKeyPathString;
  108. ULONG privileges[1];
  109. #if DBG
  110. DWORD dwLoadTime;
  111. #endif
  112. SC_LOG1(TRACE,"In ScLoadDeviceDriver for "FORMAT_LPWSTR" Driver\n",
  113. ServiceRecord->ServiceName);
  114. SC_ASSERT(ScServiceListLock.Have());
  115. SC_ASSERT(ScServiceRecordLock.HaveExclusive());
  116. //
  117. // If the ObjectName does not exist yet, create one.
  118. //
  119. if (ServiceRecord->ObjectName == NULL) {
  120. status = ScGetObjectName(ServiceRecord);
  121. if (status != NO_ERROR) {
  122. goto CleanExit;
  123. }
  124. }
  125. //
  126. // Create the Registry Key Path for this driver name.
  127. //
  128. regKeyPath = (LPWSTR)LocalAlloc(
  129. LMEM_FIXED,
  130. sizeof(SERVICE_PATH) +
  131. WCSSIZE(ServiceRecord->ServiceName));
  132. if (regKeyPath == NULL) {
  133. status = ERROR_NOT_ENOUGH_MEMORY;
  134. goto CleanExit;
  135. }
  136. wcscpy(regKeyPath, SERVICE_PATH);
  137. wcscat(regKeyPath, ServiceRecord->ServiceName);
  138. //
  139. // Load the Driver
  140. // (but first get SeLoadDriverPrivilege)
  141. //
  142. RtlInitUnicodeString(&regKeyPathString, regKeyPath);
  143. privileges[0] = SE_LOAD_DRIVER_PRIVILEGE;
  144. status = ScGetPrivilege(1,privileges);
  145. if (status != NO_ERROR) {
  146. goto CleanExit;
  147. }
  148. SC_ASSERT(ServiceRecord->ServiceStatus.dwCurrentState == SERVICE_STOPPED);
  149. //
  150. // Release and reacquire the lock around the NtLoadDriver call so that
  151. // a driver can generate a PnP event during its load routine (in NT5,
  152. // the ClusDisk driver can synchronously generate a dismount event while
  153. // it's loading)
  154. //
  155. ScServiceRecordLock.Release();
  156. #if DBG
  157. dwLoadTime = GetTickCount();
  158. #endif
  159. ntStatus = NtLoadDriver(&regKeyPathString);
  160. #if DBG
  161. dwLoadTime = GetTickCount() - dwLoadTime;
  162. if (dwLoadTime > 5000)
  163. {
  164. SC_LOG2(ERROR,
  165. " **** NtLoadDriver(%ws) took %lu ms!\n",
  166. ServiceRecord->ServiceName,
  167. dwLoadTime);
  168. }
  169. #endif
  170. ScServiceRecordLock.GetExclusive();
  171. ScReleasePrivilege();
  172. LocalFree(regKeyPath);
  173. if (NT_SUCCESS(ntStatus)) {
  174. SC_LOG1(TRACE,"ScLoadDeviceDriver: NtLoadDriver Success for "
  175. FORMAT_LPWSTR " \n",ServiceRecord->ServiceName);
  176. }
  177. else if (ntStatus == STATUS_IMAGE_ALREADY_LOADED) {
  178. SC_LOG1(TRACE,"ScLoadDeviceDriver: Driver " FORMAT_LPWSTR
  179. " is already running\n",ServiceRecord->ServiceName);
  180. status = ERROR_SERVICE_ALREADY_RUNNING;
  181. }
  182. else {
  183. SC_LOG2(WARNING,"ScLoadDeviceDriver: NtLoadDriver(%ws) Failed 0x%lx\n",
  184. ServiceRecord->ServiceName,
  185. ntStatus);
  186. if (ntStatus == STATUS_NO_SUCH_DEVICE) {
  187. status = ERROR_BAD_UNIT;
  188. }
  189. else {
  190. status = RtlNtStatusToDosError(ntStatus);
  191. }
  192. goto CleanExit;
  193. }
  194. //
  195. // Update the Service Record with this driver's start information.
  196. //
  197. ServiceRecord->ServiceStatus.dwCurrentState = SERVICE_RUNNING;
  198. ServiceRecord->ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
  199. ServiceRecord->ServiceStatus.dwWin32ExitCode = NO_ERROR;
  200. ServiceRecord->ServiceStatus.dwServiceSpecificExitCode = 0;
  201. ServiceRecord->ServiceStatus.dwCheckPoint = 0;
  202. ServiceRecord->ServiceStatus.dwWaitHint = 0;
  203. ServiceRecord->UseCount++;
  204. SC_LOG2(USECOUNT, "ScLoadDeviceDriver: " FORMAT_LPWSTR
  205. " increment USECOUNT=%lu\n", ServiceRecord->ServiceName, ServiceRecord->UseCount);
  206. //
  207. // Tell NDIS to issue the PNP notifications about this driver's arrival,
  208. // if necessary
  209. //
  210. ScNotifyNdis(ServiceRecord);
  211. CleanExit:
  212. return(status);
  213. }
  214. VOID
  215. ScNotifyNdis(
  216. LPSERVICE_RECORD ServiceRecord
  217. )
  218. /*++
  219. Routine Description:
  220. This function issues Plug-and-Play notifications to NDIS about the
  221. arrival of certain types of drivers and services.
  222. Arguments:
  223. ServiceRecord - Service or driver that just started successfully.
  224. Return Value:
  225. None. Errors are written to the event log.
  226. --*/
  227. {
  228. HANDLE hDevice;
  229. BOOL fResult;
  230. DWORD cb;
  231. DWORD IoControlCode;
  232. //
  233. // TDI GROUP SPECIAL: Drivers in group TDI are assumed to be PNP-unaware
  234. // network transport drivers. Win32 services in group TDI are assumed to
  235. // be in that group because they start PNP-unaware transport drivers.
  236. // (PNP-aware transports are in group PNP_TDI.)
  237. // Such a transport doesn't notify the higher-level network components
  238. // (TDI clients) that it has arrived. So we issue an IOCTL to NDIS to ask
  239. // it to read the transport's bindings from the registry and notify the
  240. // clients on this transport's behalf.
  241. //
  242. if (ServiceRecord->MemberOfGroup == ScGlobalTDIGroup)
  243. {
  244. IoControlCode = IOCTL_NDIS_ADD_TDI_DEVICE;
  245. }
  246. else
  247. {
  248. return;
  249. }
  250. hDevice = CreateFile(
  251. L"\\\\.\\NDIS",
  252. GENERIC_READ | GENERIC_WRITE,
  253. 0, // sharing mode - not significant
  254. NULL, // security attributes
  255. OPEN_EXISTING,
  256. 0, // file attributes and flags
  257. NULL // handle to template file
  258. );
  259. if (hDevice == INVALID_HANDLE_VALUE)
  260. {
  261. SC_LOG(WARNING, "Couldn't open handle to NDIS for IOCTL, error %lu\n",
  262. GetLastError());
  263. return;
  264. }
  265. fResult = DeviceIoControl(
  266. hDevice,
  267. IoControlCode,
  268. ServiceRecord->ServiceName, // input buffer
  269. (DWORD) WCSSIZE(ServiceRecord->ServiceName), // input buffer size
  270. NULL, // output buffer
  271. 0, // output buffer size
  272. &cb, // bytes returned
  273. NULL); // OVERLAPPED structure
  274. CloseHandle(hDevice);
  275. if (!fResult)
  276. {
  277. SC_LOG3(WARNING, "IOCTL %#lx to NDIS for %ws failed, error %lu\n",
  278. IoControlCode, ServiceRecord->ServiceName, GetLastError());
  279. }
  280. }
  281. DWORD
  282. ScControlDriver(
  283. DWORD ControlCode,
  284. LPSERVICE_RECORD ServiceRecord,
  285. LPSERVICE_STATUS lpServiceStatus
  286. )
  287. /*++
  288. Routine Description:
  289. This function checks controls that are passed to device drivers. Only
  290. two controls are accepted.
  291. stop - This function attemps to unload the driver. The driver
  292. state is set to STOP_PENDING since unload is an
  293. asynchronous operation. We have to wait until another
  294. call is made that will return the status of this driver
  295. before we can query the driver object to see if it is
  296. still there.
  297. interrogate - This function attempts to query the driver object
  298. to see if it is still there.
  299. WARNING: This function should only be called with a pointer to
  300. a ServiceRecord that belongs to a DRIVER.
  301. Arguments:
  302. ControlCode - This is the control request that is being sent to
  303. control the driver.
  304. ServiceRecord - This is a pointer to the service record for the
  305. driver that is to be controlled.
  306. lpServiceStatus - This is a pointer to a buffer that upon exit will
  307. contain the latest service status.
  308. Return Value:
  309. --*/
  310. {
  311. DWORD status;
  312. SC_LOG1(TRACE,"In ScControlDriver for "FORMAT_LPWSTR" Driver\n",
  313. ServiceRecord->ServiceName);
  314. if (ControlCode != SERVICE_CONTROL_INTERROGATE &&
  315. ControlCode != SERVICE_CONTROL_STOP)
  316. {
  317. return ERROR_INVALID_SERVICE_CONTROL;
  318. }
  319. CServiceRecordExclusiveLock Lock;
  320. if (ControlCode == SERVICE_CONTROL_INTERROGATE)
  321. {
  322. //
  323. // On interrogate, we need to see if the service is still there.
  324. // Then we update the status accordingly.
  325. //
  326. status = ScGetDriverStatus(ServiceRecord, lpServiceStatus);
  327. if (status == NO_ERROR)
  328. {
  329. //
  330. // Based on the state, return the appropriate error code
  331. // so driver return codes match with those of services
  332. //
  333. switch(lpServiceStatus->dwCurrentState)
  334. {
  335. case SERVICE_STOPPED:
  336. status = ERROR_SERVICE_NOT_ACTIVE;
  337. break;
  338. case SERVICE_STOP_PENDING:
  339. status = ERROR_SERVICE_CANNOT_ACCEPT_CTRL;
  340. break;
  341. }
  342. }
  343. }
  344. else
  345. {
  346. //
  347. // This operation is invalid on PnP drivers
  348. //
  349. if (ScIsPnPDriver(ServiceRecord))
  350. {
  351. status = ERROR_INVALID_SERVICE_CONTROL;
  352. goto CleanExit;
  353. }
  354. //
  355. // Find out if the driver is still running.
  356. //
  357. status = ScGetDriverStatus(ServiceRecord, lpServiceStatus);
  358. if (status != NO_ERROR)
  359. {
  360. goto CleanExit;
  361. }
  362. if (ServiceRecord->ServiceStatus.dwCurrentState != SERVICE_RUNNING) {
  363. //
  364. // If the driver is not running, then it cannot accept the
  365. // STOP control request. Drivers do not accept STOP requests
  366. // when in the START_PENDING state. Make these return codes
  367. // match with those of services based on the driver's state
  368. //
  369. switch(lpServiceStatus->dwCurrentState)
  370. {
  371. case SERVICE_STOPPED:
  372. status = ERROR_SERVICE_NOT_ACTIVE;
  373. break;
  374. case SERVICE_STOP_PENDING:
  375. status = ERROR_SERVICE_CANNOT_ACCEPT_CTRL;
  376. break;
  377. default:
  378. status = ERROR_INVALID_SERVICE_CONTROL;
  379. break;
  380. }
  381. goto CleanExit;
  382. }
  383. //
  384. // Check for dependent services still running
  385. //
  386. if (!ScDependentsStopped(ServiceRecord))
  387. {
  388. status = ERROR_DEPENDENT_SERVICES_RUNNING;
  389. goto CleanExit;
  390. }
  391. status = ScUnloadDriver(ServiceRecord);
  392. if (status == ERROR_INVALID_SERVICE_CONTROL)
  393. {
  394. //
  395. // If the driver fails to unload with this error,
  396. // then it must be one that cannot be stopped.
  397. // We want to mark it as such, and return an error.
  398. //
  399. SC_LOG0(TRACE,"ScControlDriver: Marking driver as non-stoppable\n");
  400. ServiceRecord->ServiceStatus.dwControlsAccepted = 0L;
  401. goto CleanExit;
  402. }
  403. //
  404. // Set the Current State to STOP_PENDING, and get the
  405. // current status (again);
  406. //
  407. ServiceRecord->ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
  408. status = ScGetDriverStatus(ServiceRecord, lpServiceStatus);
  409. }
  410. CleanExit:
  411. return status;
  412. }
  413. DWORD
  414. ScGetDriverStatus(
  415. IN OUT LPSERVICE_RECORD ServiceRecord,
  416. OUT LPSERVICE_STATUS lpServiceStatus OPTIONAL
  417. )
  418. /*++
  419. Routine Description:
  420. This function determines the correct current status for a device driver.
  421. The updated status is only returned if NO_ERROR is returned.
  422. WARNING: This function expects the EXCLUSIVE database lock to be held.
  423. CODEWORK: For greater parallelism while enumerating driver status, get
  424. the exclusive lock only if the driver status has changed.
  425. NOTE: The ServiceRecord passed in MUST be for a DeviceDriver.
  426. Arguments:
  427. ServiceRecord - This is a pointer to the Service Record for the
  428. Device Driver for which the status is desired.
  429. lpServiceStatus - This is a pointer to a buffer that upon exit will
  430. contain the latest service status.
  431. Return Value:
  432. NO_ERROR - The operation completed successfully.
  433. ERROR_NOT_ENOUGH_MEMORY - If the local alloc failed.
  434. Or any unexpected errors from the NtOpenDirectoryObject or
  435. NtQueryDirectoryObject.
  436. --*/
  437. {
  438. NTSTATUS ntStatus;
  439. DWORD status;
  440. HANDLE DirectoryHandle;
  441. OBJECT_ATTRIBUTES Obja;
  442. ULONG Context;
  443. ULONG ReturnLength;
  444. BOOLEAN restartScan;
  445. UNICODE_STRING ObjectPathString;
  446. UNICODE_STRING ObjectNameString;
  447. LPBYTE lpBuffer;
  448. LPWSTR pObjectPath;
  449. LPWSTR pDeviceName;
  450. BOOL found = FALSE;
  451. SC_LOG1(TRACE, "In ScGetDriverStatus for "FORMAT_LPWSTR" Driver\n", ServiceRecord->ServiceName);
  452. SC_ASSERT(ScServiceRecordLock.HaveExclusive());
  453. SC_ASSERT(ServiceRecord->ServiceStatus.dwServiceType & SERVICE_DRIVER);
  454. //
  455. // If the ObjectName does not exist yet, create one.
  456. //
  457. if (ServiceRecord->ObjectName == NULL)
  458. {
  459. status = ScGetObjectName(ServiceRecord);
  460. if (status != NO_ERROR)
  461. {
  462. return status;
  463. }
  464. }
  465. //
  466. // Take the ObjectPathName apart such that the path is in one
  467. // string, and the device name is in another string.
  468. //
  469. // First copy the Object Path string into a new buffer. Allocate extra space
  470. // that we'll need for the query call below.
  471. //
  472. lpBuffer = (LPBYTE) LocalAlloc(LMEM_FIXED,
  473. WCSSIZE(ServiceRecord->ObjectName) + OBJ_DIR_INFO_SIZE);
  474. if (lpBuffer == NULL)
  475. {
  476. return ERROR_NOT_ENOUGH_MEMORY;
  477. }
  478. pObjectPath = (LPWSTR) (lpBuffer + OBJ_DIR_INFO_SIZE);
  479. wcscpy(pObjectPath, ServiceRecord->ObjectName);
  480. //
  481. // Find the last occurrence of '\'. The Device name follows that.
  482. // replace the '\' with a NULL terminator. Now we have two strings.
  483. //
  484. pDeviceName = wcsrchr(pObjectPath, L'\\');
  485. if (pDeviceName == NULL)
  486. {
  487. SC_LOG0(ERROR,"ScGetDriverStatus: DeviceName not in object path name\n");
  488. LocalFree(lpBuffer);
  489. return ERROR_PATH_NOT_FOUND;
  490. }
  491. *pDeviceName = L'\0';
  492. pDeviceName++;
  493. //
  494. // Open the directory object by name
  495. //
  496. RtlInitUnicodeString(&ObjectPathString, pObjectPath);
  497. InitializeObjectAttributes(&Obja, &ObjectPathString, 0, NULL, NULL);
  498. ntStatus = NtOpenDirectoryObject(&DirectoryHandle,
  499. DIRECTORY_TRAVERSE | DIRECTORY_QUERY,
  500. &Obja);
  501. if (!NT_SUCCESS(ntStatus))
  502. {
  503. LocalFree(lpBuffer);
  504. if (ntStatus == STATUS_OBJECT_PATH_NOT_FOUND)
  505. {
  506. //
  507. // If a driver uses a non-standard object path, the path may
  508. // not exist if the driver is not running. We want to treat
  509. // this as if the driver is not running.
  510. //
  511. goto CleanExit;
  512. }
  513. SC_LOG1(ERROR, "ScGetDriverStatus: NtOpenDirectoryObject failed 0x%lx\n", ntStatus);
  514. return RtlNtStatusToDosError(ntStatus);
  515. }
  516. RtlInitUnicodeString(&ObjectNameString, pDeviceName);
  517. restartScan = TRUE;
  518. do
  519. {
  520. POBJECT_DIRECTORY_INFORMATION pObjInfo;
  521. //
  522. // Query the Directory Object to enumerate all object names
  523. // in that object directory.
  524. //
  525. ntStatus = NtQueryDirectoryObject(DirectoryHandle,
  526. lpBuffer,
  527. OBJ_DIR_INFO_SIZE,
  528. FALSE,
  529. restartScan,
  530. &Context,
  531. &ReturnLength);
  532. if (!NT_SUCCESS(ntStatus))
  533. {
  534. SC_LOG1(ERROR, "ScGetDriverStatus:NtQueryDirectoryObject Failed 0x%lx\n", ntStatus);
  535. LocalFree(lpBuffer);
  536. NtClose(DirectoryHandle);
  537. return RtlNtStatusToDosError(ntStatus);
  538. }
  539. //
  540. // Now check to see if the device name that we are interested in is
  541. // in the enumerated data.
  542. //
  543. for (pObjInfo = (POBJECT_DIRECTORY_INFORMATION) lpBuffer;
  544. pObjInfo->Name.Length != 0;
  545. pObjInfo++)
  546. {
  547. if (RtlCompareUnicodeString( &(pObjInfo->Name), &ObjectNameString, TRUE) == 0)
  548. {
  549. found = TRUE;
  550. break;
  551. }
  552. }
  553. restartScan = FALSE;
  554. }
  555. while ((ntStatus == STATUS_MORE_ENTRIES) && (found == FALSE));
  556. NtClose(DirectoryHandle);
  557. LocalFree(lpBuffer);
  558. CleanExit:
  559. if (found)
  560. {
  561. DWORD PreviousState;
  562. PreviousState = ServiceRecord->ServiceStatus.dwCurrentState;
  563. if (PreviousState != SERVICE_STOP_PENDING)
  564. {
  565. //
  566. // The driver IS running.
  567. //
  568. ServiceRecord->ServiceStatus.dwCurrentState = SERVICE_RUNNING;
  569. if (PreviousState == SERVICE_STOPPED)
  570. {
  571. //
  572. // It used to be stopped but now it is running.
  573. //
  574. ServiceRecord->ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
  575. ServiceRecord->ServiceStatus.dwWin32ExitCode = NO_ERROR;
  576. ServiceRecord->ServiceStatus.dwServiceSpecificExitCode = 0;
  577. ServiceRecord->ServiceStatus.dwCheckPoint = 0;
  578. ServiceRecord->ServiceStatus.dwWaitHint = 0;
  579. ServiceRecord->UseCount++;
  580. SC_LOG2(USECOUNT, "ScGetDriverStatus: " FORMAT_LPWSTR
  581. " increment USECOUNT=%lu\n", ServiceRecord->ServiceName, ServiceRecord->UseCount);
  582. }
  583. if (ServiceRecord->ServiceStatus.dwWin32ExitCode == ERROR_SERVICE_NEVER_STARTED)
  584. {
  585. ServiceRecord->ServiceStatus.dwWin32ExitCode = NO_ERROR;
  586. }
  587. SC_LOG1(TRACE,
  588. "ScGetDriverStatus: "FORMAT_LPWSTR" Driver is RUNNING\n",
  589. ServiceRecord->ServiceName);
  590. }
  591. }
  592. else
  593. {
  594. //
  595. // The driver is NOT running.
  596. //
  597. SC_LOG1(TRACE,
  598. "ScGetDriverStatus: "FORMAT_LPWSTR" Driver is NOT RUNNING\n",
  599. ServiceRecord->ServiceName);
  600. switch(ServiceRecord->ServiceStatus.dwCurrentState) {
  601. case SERVICE_STOP_PENDING:
  602. //
  603. // If the old state was STOP_PENDING, then we can consider
  604. // it stopped.
  605. //
  606. LocalFree(ServiceRecord->ObjectName);
  607. ServiceRecord->ServiceStatus.dwCurrentState = SERVICE_STOPPED;
  608. ServiceRecord->ServiceStatus.dwControlsAccepted = 0;
  609. ServiceRecord->ServiceStatus.dwCheckPoint = 0;
  610. ServiceRecord->ServiceStatus.dwWaitHint = 0;
  611. ServiceRecord->ServiceStatus.dwWin32ExitCode = NO_ERROR;
  612. ServiceRecord->ObjectName = NULL;
  613. //
  614. // Since the service is no longer running, we need to decrement
  615. // the use count. If the count is decremented to zero, and
  616. // the service is marked for deletion, it will get deleted.
  617. //
  618. ScDecrementUseCountAndDelete(ServiceRecord);
  619. break;
  620. case SERVICE_STOPPED:
  621. //
  622. // We are not likely to query this driver's status again soon,
  623. // so free its object name.
  624. //
  625. LocalFree(ServiceRecord->ObjectName);
  626. ServiceRecord->ObjectName = NULL;
  627. break;
  628. default:
  629. //
  630. // The driver stopped without being requested to do so.
  631. //
  632. LocalFree(ServiceRecord->ObjectName);
  633. ServiceRecord->ServiceStatus.dwCurrentState = SERVICE_STOPPED;
  634. ServiceRecord->ServiceStatus.dwControlsAccepted = 0;
  635. ServiceRecord->ServiceStatus.dwCheckPoint = 0;
  636. ServiceRecord->ServiceStatus.dwWaitHint = 0;
  637. ServiceRecord->ServiceStatus.dwWin32ExitCode = ERROR_GEN_FAILURE;
  638. ServiceRecord->ObjectName = NULL;
  639. //
  640. // Since the service is no longer running, we need to decrement
  641. // the use count. If the count is decremented to zero, and
  642. // the service is marked for deletion, it will get deleted.
  643. //
  644. ScDecrementUseCountAndDelete(ServiceRecord);
  645. break;
  646. }
  647. }
  648. if (ARGUMENT_PRESENT(lpServiceStatus))
  649. {
  650. RtlCopyMemory(
  651. lpServiceStatus,
  652. &(ServiceRecord->ServiceStatus),
  653. sizeof(SERVICE_STATUS));
  654. }
  655. return NO_ERROR;
  656. }
  657. DWORD
  658. ScGetObjectName(
  659. LPSERVICE_RECORD ServiceRecord
  660. )
  661. /*++
  662. Routine Description:
  663. This function gets a directory object path name for a driver by looking
  664. it up in the registry, or, if it isn't specified in the registry, by
  665. computing it from the driver name and type. It allocates storage
  666. for this name, and passes back the pointer to it. The Pointer to
  667. the object name string is stored in the ServiceRecord->ObjectName
  668. location.
  669. WARNING: This function expects the EXCLUSIVE database lock to be held.
  670. Arguments:
  671. ServiceRecord - This is a pointer to the ServiceRecord for the Driver.
  672. Return Value:
  673. NO_ERROR - The operation was successful.
  674. ERROR_NOT_ENOUGH_MEMORY - If there wasn't enough memory available for
  675. the ObjectName.
  676. or any error from ScOpenServiceConfigKey.
  677. --*/
  678. {
  679. DWORD status;
  680. DWORD bufferSize;
  681. LPWSTR objectNamePath;
  682. HKEY serviceKey;
  683. LPWSTR pObjectName;
  684. SC_ASSERT(ScServiceRecordLock.HaveExclusive());
  685. if (ServiceRecord->ObjectName != NULL) {
  686. //
  687. // Some other thread beat us to it
  688. //
  689. return(NO_ERROR);
  690. }
  691. //
  692. // Open the Registry Key for this driver name.
  693. //
  694. status = ScOpenServiceConfigKey(
  695. ServiceRecord->ServiceName,
  696. KEY_READ,
  697. FALSE,
  698. &serviceKey);
  699. if (status != NO_ERROR) {
  700. SC_LOG1(ERROR,"ScGetObjectName: ScOpenServiceConfigKey Failed %d\n",
  701. status);
  702. return(status);
  703. }
  704. //
  705. // Get the NT Object Name from the registry.
  706. //
  707. status = ScReadStartName(
  708. serviceKey,
  709. &pObjectName);
  710. ScRegCloseKey(serviceKey);
  711. //
  712. // Make sure we read a value with length greater than 0
  713. //
  714. if (status == NO_ERROR && pObjectName != NULL)
  715. {
  716. if (*pObjectName != '\0') {
  717. ServiceRecord->ObjectName = pObjectName;
  718. return(NO_ERROR);
  719. }
  720. else {
  721. LocalFree(pObjectName);
  722. }
  723. }
  724. //
  725. // There must not be a name in the ObjectName value field.
  726. // In this case, we must build the name from the type info and
  727. // the ServiceName. Names will take the following form:
  728. // "\\FileSystem\\Rdr" example of a file system driver
  729. // "\\Driver\\Parallel" example of a kernel driver
  730. //
  731. //
  732. SC_LOG1(TRACE,"ScGetObjectName: ScReadStartName Failed(%d). Build the"
  733. "name instead\n",status);
  734. if (ServiceRecord->ServiceStatus.dwServiceType == SERVICE_FILE_SYSTEM_DRIVER) {
  735. bufferSize = sizeof(FILE_SYSTEM_OBJ_NAME);
  736. objectNamePath = FILE_SYSTEM_OBJ_NAME;
  737. }
  738. else {
  739. bufferSize = sizeof(DRIVER_OBJ_NAME);
  740. objectNamePath = DRIVER_OBJ_NAME;
  741. }
  742. bufferSize += (DWORD) WCSSIZE(ServiceRecord->ServiceName);
  743. pObjectName = (LPWSTR)LocalAlloc(LMEM_FIXED, (UINT) bufferSize);
  744. if (pObjectName == NULL) {
  745. SC_LOG0(ERROR,"ScGetObjectName: LocalAlloc Failed\n");
  746. return(ERROR_NOT_ENOUGH_MEMORY);
  747. }
  748. wcscpy(pObjectName, objectNamePath);
  749. wcscat(pObjectName, ServiceRecord->ServiceName);
  750. ServiceRecord->ObjectName = pObjectName;
  751. return(NO_ERROR);
  752. }
  753. DWORD
  754. ScUnloadDriver(
  755. LPSERVICE_RECORD ServiceRecord
  756. )
  757. /*++
  758. Routine Description:
  759. This function attempts to unload the driver whose service record
  760. is passed in.
  761. NOTE: Make sure the ServiceRecord is for a driver and not a service
  762. before calling this routine.
  763. Arguments:
  764. ServiceRecord - This is a pointer to the service record for a driver.
  765. This routine assumes that the service record is for a driver and
  766. not a service.
  767. Return Value:
  768. NO_ERROR - if successful.
  769. ERROR_INVALID_SERVICE_CONTROL - This is returned if the driver is
  770. not unloadable.
  771. otherwise, an error code is returned.
  772. Note:
  773. --*/
  774. {
  775. NTSTATUS ntStatus = STATUS_SUCCESS;
  776. DWORD status;
  777. LPWSTR regKeyPath;
  778. UNICODE_STRING regKeyPathString;
  779. ULONG privileges[1];
  780. //
  781. // Create the Registry Key Path for this driver name.
  782. //
  783. regKeyPath = (LPWSTR)LocalAlloc(
  784. LMEM_FIXED,
  785. sizeof(SERVICE_PATH) +
  786. WCSSIZE(ServiceRecord->ServiceName));
  787. if (regKeyPath == NULL) {
  788. status = ERROR_NOT_ENOUGH_MEMORY;
  789. return(status);
  790. }
  791. wcscpy(regKeyPath, SERVICE_PATH);
  792. wcscat(regKeyPath, ServiceRecord->ServiceName);
  793. //
  794. // Unload the Driver
  795. // (but first get SeLoadDriverPrivilege)
  796. //
  797. RtlInitUnicodeString(&regKeyPathString, regKeyPath);
  798. privileges[0] = SE_LOAD_DRIVER_PRIVILEGE;
  799. status = ScGetPrivilege(1,privileges);
  800. if (status != NO_ERROR) {
  801. LocalFree(regKeyPath);
  802. return(status);
  803. }
  804. ntStatus = NtUnloadDriver (&regKeyPathString);
  805. (VOID)ScReleasePrivilege();
  806. LocalFree(regKeyPath);
  807. if (!NT_SUCCESS(ntStatus)) {
  808. if (ntStatus == STATUS_INVALID_DEVICE_REQUEST) {
  809. status = ERROR_INVALID_SERVICE_CONTROL;
  810. return(status);
  811. }
  812. SC_LOG1(ERROR,"ScControlDriver: NtUnloadDriver Failed 0x%lx\n",ntStatus);
  813. status = RtlNtStatusToDosError(ntStatus);
  814. return(status);
  815. }
  816. SC_LOG1(TRACE,"ScLoadDeviceDriver: NtUnloadDriver Success for "
  817. ""FORMAT_LPWSTR "\n",ServiceRecord->ServiceName);
  818. return(NO_ERROR);
  819. }
  820. BOOL
  821. ScIsPnPDriver(
  822. IN LPSERVICE_RECORD Service
  823. )
  824. /*++
  825. Routine Description:
  826. This function checks whether a specified driver is a PnP driver
  827. Arguments:
  828. Service - Specifies the driver of interest.
  829. Return Value:
  830. TRUE - if the driver is a PnP driver or if this cannot be determined.
  831. FALSE - if the service is not a PnP driver.
  832. --*/
  833. {
  834. CONFIGRET Status;
  835. BOOL fRetStatus = TRUE;
  836. WCHAR * pBuffer;
  837. ULONG cchLen, cchTransferLen, ulRegDataType;
  838. WCHAR szClassGuid[MAX_GUID_STRING_LEN];
  839. //
  840. // Allocate a buffer for the list of device instances associated with
  841. // this service
  842. //
  843. Status = PNP_GetDeviceListSize(
  844. NULL, // hBinding
  845. Service->ServiceName, // pszFilter
  846. &cchLen, // list length in wchars
  847. CM_GETIDLIST_FILTER_SERVICE); // filter is a service name
  848. if (Status != CR_SUCCESS)
  849. {
  850. SC_LOG2(WARNING, "PNP_GetDeviceListSize failed %#lx for service %ws\n",
  851. Status, Service->ServiceName);
  852. return TRUE;
  853. }
  854. pBuffer = (WCHAR *) LocalAlloc(0, cchLen * sizeof(WCHAR));
  855. if (pBuffer == NULL)
  856. {
  857. SC_LOG(ERROR, "Couldn't allocate buffer for device list, error %lu\n",
  858. GetLastError());
  859. return TRUE;
  860. }
  861. //
  862. // Initialize parameters for PNP_GetDeviceList, the same way as is
  863. // normally done in the client side of the API
  864. //
  865. pBuffer[0] = L'\0';
  866. //
  867. // Get the list of device instances that are associated with this service
  868. //
  869. // (For legacy and PNP-aware services, we could get an empty device list.)
  870. //
  871. Status = PNP_GetDeviceList(
  872. NULL, // binding handle
  873. Service->ServiceName, // pszFilter
  874. pBuffer, // buffer for device list
  875. &cchLen, // buffer length in wchars
  876. CM_GETIDLIST_FILTER_SERVICE | // filter is a service name
  877. CM_GETIDLIST_DONOTGENERATE // do not generate an instance if none exists
  878. );
  879. if (Status != CR_SUCCESS)
  880. {
  881. SC_LOG2(ERROR, "PNP_GetDeviceList failed %#lx for service %ws\n",
  882. Status, Service->ServiceName);
  883. LocalFree(pBuffer);
  884. return TRUE;
  885. }
  886. //
  887. // If there are no devnodes, this is not a PnP driver
  888. //
  889. if (cchLen == 0 || pBuffer[0] == L'\0')
  890. {
  891. SC_LOG1(TRACE, "ScIsPnPDriver: %ws is not a PnP driver (no devnodes)\n",
  892. Service->ServiceName);
  893. LocalFree(pBuffer);
  894. return FALSE;
  895. }
  896. //
  897. // If there's more than one devnode, this is a PnP driver
  898. //
  899. if (*(pBuffer + wcslen(pBuffer) + 1) != L'\0')
  900. {
  901. SC_LOG1(TRACE, "ScIsPnPDriver: %ws is a PnP driver (more than 1 devnode)\n",
  902. Service->ServiceName);
  903. LocalFree(pBuffer);
  904. return TRUE;
  905. }
  906. //
  907. // Get the class GUID of this driver
  908. //
  909. cchLen = cchTransferLen = sizeof(szClassGuid);
  910. Status = PNP_GetDeviceRegProp(
  911. NULL, // binding handle
  912. pBuffer, // device instance
  913. CM_DRP_CLASSGUID, // property to get
  914. &ulRegDataType, // pointer to REG_* type
  915. (LPBYTE) szClassGuid, // buffer for property
  916. &cchTransferLen, // transfer length
  917. &cchLen, // buffer length in bytes
  918. 0); // flags
  919. if (Status != CR_SUCCESS)
  920. {
  921. SC_ASSERT(Status != CR_BUFFER_SMALL);
  922. SC_LOG2(ERROR, "PNP_GetDeviceRegProp failed %#lx for service %ws\n",
  923. Status, Service->ServiceName);
  924. LocalFree(pBuffer);
  925. return TRUE;
  926. }
  927. //
  928. // If the single devnode's class is LegacyDriver,
  929. // this is not a PnP driver
  930. //
  931. fRetStatus = (_wcsicmp(szClassGuid, LEGACYDRIVER_STRING) != 0);
  932. SC_LOG2(TRACE, "ScIsPnPDriver: %ws %ws a PnP driver\n",
  933. Service->ServiceName, fRetStatus ? L"is" : L"is not");
  934. LocalFree(pBuffer);
  935. return fRetStatus;
  936. }