Installation and Reinstallation of Callouts Driver Without Reboot


Problem description


Hello everybody!

Installation and reinstallation of Windows applications without reboot is a valuable feature for many cases, e.g., high-loaded servers. In my opinion, it is really not very nice to restart a server after each major update of a firewall or an antivirus application. For this reason I hope this discussion will be interesting for many developers.

The current implementation of WFPSampler requires a reboot after installation of the kernel mode driver WFPSamplerCalloutDriver.sys (callouts driver). This behaviour is caused by the StartType parameter of the WFPSamplerCalloutDriver.inf file. The default value of this parameter is 0 (SERVICE_BOOT_START). However, it is possible to set the value of this parameter to 1 (SERVICE_SYSTEM_START), which prevents the installer from rebooting during installation of the driver. A question about installation of the driver without reboot ("Is it possible to avoid reboot when wfpsampler is installed?") was already discussed here: http://code.msdn.microsoft.com/windowshardware/Windows-Filtering-Platform-27553baa/view/Discussions/3. I would like to add some clarity to this question and related problems and provide some suggestions for reinstallation of the driver.

Consider the following scenario.

  1. The driver was installed with StartType parameter value set to 1 (SERVICE_SYSTEM_START) in WFPSamplerCalloutDriver.inf file. No reboot occurred.
  2. The driver was uninstalled. No reboot occurred again.

Now an attempt of reinstallation of the driver causes an error with the code 2150760457 (An object with that GUID or LUID already exists) during execution of the following command required for starting of a service of the driver:

Net Start WFPSamplerCallouts

This problem occurs because the driver does not unregister callouts and does not release a session for BFE in EventDriverUnload() function. This can be fixed by adding the following lines of code to the EventDriverUnload() function:

 KrnlHlprExposedCalloutsUnregister(); 
 KrnlHlprFwpmSessionReleaseHandle(&g_EngineHandle);

As an alternative it is also possible to restart the BFE service. But this approach has some disadvantages, e.g., it requires more time, and dependent services (IPsec, Firewall) also need to be restarted. This is potentially not safe because it may cause a violation of security and can affect network applications.

I have the following questions related to installation of the callout driver:

  1. Is it safe to add lines of code specified above to the EventDriverUnload() function? Could it cause any problems? Is there a need to add any more code to this function for a proper unregistration of the driver?
  2. The driver is able to register callouts only after the BFE service has started. What benefits can be achieved in this case if the callouts driver is installed with SERVICE_BOOT_START but not with SERVICE_SYSTEM_START value of StartType parameter?

Solution

This looks to be a bug with processing the inf. Just doing an uninstall is not stopping the service, even though the Uninstall section says to.

As a workaround, if you were to stop the service (Net Stop WFPSamplerCallouts), then you'd see that EventDriverUnload is invoked, then EventCleanupDeviceObject (which does all of the unregistering etc.) and finally EventCleanupDriverCleanup.

Again, the only reason this driver is marked for System start is to ensure boot-time functionality, and immediate availability when persistent policy is re-added by BFE.

I'll need to investigate further the inf issue, and will try to respond back with my findings.

Hope this helps,
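
The workaround from the answer, as an added PowerShell example that is not part of the original thread or of WFPSampler: it stops the callout driver service and confirms it has actually stopped before any uninstall step, so the unload and cleanup path runs. The function names and the 30-second timeout are assumptions; the service name is the one used in the thread, and the script must run elevated.

```powershell
# Added example, not WFPSampler code. The service name comes from the thread;
# function names and the timeout are assumptions made for illustration.
$ServiceName = 'WFPSamplerCallouts'

function Get-CalloutDriver {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_SystemDriver lists kernel-mode driver services.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
}

function Stop-CalloutDriverBeforeUninstall {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$TimeoutSeconds = 30
    )
    $drv = Get-CalloutDriver -Name $Name
    if (-not $drv) {
        Write-Host "$Name is not installed; nothing to stop."
        return $true
    }
    # StartMode shows 'Boot' or 'System', matching StartType 0 or 1 in the inf.
    Write-Host ("{0}: State={1}, StartMode={2}" -f $drv.Name, $drv.State, $drv.StartMode)

    if ($drv.State -ne 'Stopped') {
        # Same command as in the answer; stopping triggers EventDriverUnload.
        & net.exe stop $Name | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "net stop $Name failed with exit code $LASTEXITCODE."
            return $false
        }
    }
    # Poll until the service control manager reports the driver as stopped.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-CalloutDriver -Name $Name).State -ne 'Stopped') {
        if ((Get-Date) -gt $deadline) {
            Write-Warning "$Name still loaded after $TimeoutSeconds s; do not uninstall yet."
            return $false
        }
        Start-Sleep -Seconds 1
    }
    return $true
}

# The error code from the question, shown as an HRESULT for log searches.
Write-Host ('Reinstall error 2150760457 = 0x{0:X8}' -f 2150760457)

if (Stop-CalloutDriverBeforeUninstall -Name $ServiceName) {
    Write-Host 'Driver stopped; the uninstall step can run now.'
}
```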

