While debugging how the I/O manager sends IRP_MJ_SHUTDOWN, I put together a
few scripts for enumerating the registered devices. The scripts require pykd.
The output below was captured on Windows 10 AMD64 (build 10240) with
pykd 0.3.1.1.
Getting the devices registered with a call to
IoRegisterShutdownNotification(...):
>>> from pykd import *
>>> nt = module("nt")
>>> ti = createStruct("SHUTDOWN_PACKET")
>>> ti.append("ListEntry", nt.type("_LIST_ENTRY"))
>>> ti.append("DeviceObject", nt.type("_DEVICE_OBJECT").ptrTo())
>>> for i in typedVarList( nt.IopNotifyShutdownQueueHead, ti, "ListEntry" ):
...     print( dbgCommand("!devobj 0x{:x}".format(int(i.DeviceObject))) )
...
Device object (ffffe001e1863050) is for:
0000001b \Driver\usbhub DriverObject ffffe001e17a02d0
Current Irp 00000000 RefCount 0 Type 00008600 Flags 00002840
Dacl ffffc10226788f51 DevExt ffffe001e18631a0 DevObjExt ffffe001e1866640
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000080) FILE_AUTOGENERATED_DEVICE_NAME
AttachedTo (Lower) ffffe001e1726050 \Driver\usbohci
Device queue is not busy.
Device object (ffffe001e15e1610) is for:
ahcache \Driver\ahcache DriverObject ffffe001e15ef060
Current Irp 00000000 RefCount 1 Type 00000022 Flags 00000840
Dacl ffffc10226788f51 DevExt 00000000 DevObjExt ffffe001e15e1760
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
Device queue is not busy.
Device object (ffffe001e14de030) is for:
\Driver\CSC DriverObject ffffe001e15f23c0
Current Irp 00000000 RefCount 0 Type 00000014 Flags 00000800
Dacl ffffc1022691f010 DevExt ffffe001e14de180 DevObjExt ffffe001e14df300
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000010) FILE_REMOTE_DEVICE
Device queue is not busy.
Device object (ffffe001e1361e40) is for:
KsecDD \Driver\KSecDD DriverObject ffffe001e1367a70
Current Irp 00000000 RefCount 43 Type 00000039 Flags 00000840
Dacl ffffc102267d6171 DevExt 00000000 DevObjExt ffffe001e1361f90
ExtensionFlags (0000000000)
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
Device queue is not busy.
Device object (ffffe001e1307060) is for:
MountPointManager \Driver\mountmgr DriverObject ffffe001e1308790
Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000840
Dacl ffffc1022691f010 DevExt ffffe001e13071b0 DevObjExt ffffe001e1307320
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
Device queue is not busy.
Device object (ffffe001e1313a00) is for:
RawTape \FileSystem\RAW DriverObject ffffe001e131a8a0
Current Irp 00000000 RefCount 1 Type 00000020 Flags 00000850
Dacl ffffc1022691f010 DevExt 00000000 DevObjExt ffffe001e1313b50
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
Device object (ffffe001e03f5500) is for:
WMIDataDevice \Driver\WMIxWDM DriverObject ffffe001e02a2b30
Current Irp 00000000 RefCount 8 Type 00000022 Flags 00000840
Dacl ffffc10226788f51 DevExt 00000000 DevObjExt ffffe001e03f5650
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
Device queue is not busy.
Replacing IopNotifyShutdownQueueHead with IopNotifyLastChanceShutdownQueueHead
gives the devices registered with a call to
IoRegisterLastChanceShutdownNotification(...):
Device object (ffffe001e1308060) is for:
VolMgrControl \Driver\volmgr DriverObject ffffe001e1309610
Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000840
Dacl ffffc1022691f010 DevExt ffffe001e13081b0 DevObjExt ffffe001e1308340
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
AttachedTo (Lower) ffffe001e03fbe40 \Driver\PnpManager
Device queue is not busy.
Device object (ffffe001e130a3b0) is for:
Spaceport \Driver\spaceport DriverObject ffffe001e02426e0
Current Irp 00000000 RefCount 0 Type 00000004 Flags 00002840
Dacl ffffc10226788f51 DevExt ffffe001e130a500 DevObjExt ffffe001e130aec8
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000100) FILE_DEVICE_SECURE_OPEN
AttachedTo (Lower) ffffe001e03f8660 \Driver\PnpManager
Device queue is not busy.
In addition, IRP_MJ_SHUTDOWN is delivered (without any additional registration)
to file system drivers registered with a call to
IoRegisterFileSystem(...)
(three lists, depending on the device type):
>>> nt = module("nt")
>>> for i in typedVarList( nt.IopDiskFileSystemQueueHead, nt.type("_DEVICE_OBJECT"), "Queue.ListEntry" ):
...     print( dbgCommand("!devobj 0x{:x}".format(int(i))) )
...
Device object (ffffe001e16ce480) is for:
Fat \FileSystem\fastfat DriverObject ffffe001e14dfe60
Current Irp 00000000 RefCount 1 Type 00000008 Flags 00000040
Dacl ffffc1022691f010 DevExt 00000000 DevObjExt ffffe001e16ce5d0
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
AttachedDevice (Upper) ffffe001e1784dc0 \FileSystem\FltMgr
Device queue is not busy.
Device object (ffffe001e135ce40) is for:
Ntfs \FileSystem\NTFS DriverObject ffffe001e13616d0
Current Irp 00000000 RefCount 1 Type 00000008 Flags 08000040
Dacl ffffc1022691f010 DevExt 00000000 DevObjExt ffffe001e135cf90
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
AttachedDevice (Upper) ffffe001e1364580 \FileSystem\FltMgr
Device queue is not busy.
Device object (ffffe001e1366e30) is for:
ExFatRecognizer \FileSystem\Fs_Rec DriverObject ffffe001e135dda0
Current Irp 00000000 RefCount 1 Type 00000008 Flags 00010040
Dacl ffffc1022691f010 DevExt ffffe001e1366f80 DevObjExt ffffe001e1366f90
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
Device object (ffffe001e1366c00) is for:
ReFSRecognizer \FileSystem\Fs_Rec DriverObject ffffe001e135dda0
Current Irp 00000000 RefCount 1 Type 00000008 Flags 00010040
Dacl ffffc1022691f010 DevExt ffffe001e1366d50 DevObjExt ffffe001e1366d60
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
Device object (ffffe001e13669d0) is for:
ReFSv1Recognizer \FileSystem\Fs_Rec DriverObject ffffe001e135dda0
Current Irp 00000000 RefCount 1 Type 00000008 Flags 00010040
Dacl ffffc1022691f010 DevExt ffffe001e1366b20 DevObjExt ffffe001e1366b30
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
Device object (ffffe001e135c060) is for:
UdfsDiskRecognizer \FileSystem\Fs_Rec DriverObject ffffe001e135dda0
Current Irp 00000000 RefCount 1 Type 00000008 Flags 00010040
Dacl ffffc1022691f010 DevExt ffffe001e135c1b0 DevObjExt ffffe001e135c1c0
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
Device object (ffffe001e1313e40) is for:
RawDisk \FileSystem\RAW DriverObject ffffe001e131a8a0
Current Irp 00000000 RefCount 1 Type 00000008 Flags 00000050
Dacl ffffc1022691f010 DevExt 00000000 DevObjExt ffffe001e1313f90
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
AttachedDevice (Upper) ffffe001e136cb30 \FileSystem\FltMgr
Device queue is not busy.
>>> nt = module("nt")
>>> for i in typedVarList( nt.IopCdRomFileSystemQueueHead, nt.type("_DEVICE_OBJECT"), "Queue.ListEntry" ):
...     print( dbgCommand("!devobj 0x{:x}".format(int(i))) )
...
Device object (ffffe001e14cfe40) is for:
FatCdrom \FileSystem\fastfat DriverObject ffffe001e14dfe60
Current Irp 00000000 RefCount 1 Type 00000003 Flags 00000040
Dacl ffffc1022691f010 DevExt 00000000 DevObjExt ffffe001e14cff90
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
AttachedDevice (Upper) ffffe001e17d7870 \FileSystem\FltMgr
Device queue is not busy.
Device object (ffffe001e135c3a0) is for:
UdfsCdRomRecognizer \FileSystem\Fs_Rec DriverObject ffffe001e135dda0
Current Irp 00000000 RefCount 1 Type 00000003 Flags 00000040
Dacl ffffc1022691f010 DevExt ffffe001e135c4f0 DevObjExt ffffe001e135c500
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
Device object (ffffe001e135d060) is for:
CdfsRecognizer \FileSystem\Fs_Rec DriverObject ffffe001e135dda0
Current Irp 00000000 RefCount 1 Type 00000003 Flags 00010040
Dacl ffffc1022691f010 DevExt ffffe001e135d1b0 DevObjExt ffffe001e135d1c0
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
Device object (ffffe001e1313c20) is for:
RawCdRom \FileSystem\RAW DriverObject ffffe001e131a8a0
Current Irp 00000000 RefCount 1 Type 00000003 Flags 00000050
Dacl ffffc1022691f010 DevExt 00000000 DevObjExt ffffe001e1313d70
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
AttachedDevice (Upper) ffffe001e136b040 \FileSystem\FltMgr
Device queue is not busy.
>>> nt = module("nt")
>>> for i in typedVarList( nt.IopTapeFileSystemQueueHead, nt.type("_DEVICE_OBJECT"), "Queue.ListEntry" ):
...     print( dbgCommand("!devobj 0x{:x}".format(int(i))) )
...
Device object (ffffe001e1313a00) is for:
RawTape \FileSystem\RAW DriverObject ffffe001e131a8a0
Current Irp 00000000 RefCount 1 Type 00000020 Flags 00000850
Dacl ffffc1022691f010 DevExt 00000000 DevObjExt ffffe001e1313b50
ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)
Device queue is not busy.
Order in which the I/O manager sends the IRP:
1. Devices registered with a call to IoRegisterShutdownNotification(...)
2. Devices from the IopDiskFileSystemQueueHead list
3. Devices from the IopCdRomFileSystemQueueHead list
4. Devices from the IopTapeFileSystemQueueHead list
5. Devices registered with a call to IoRegisterLastChanceShutdownNotification(...)
Between items 1 and 2, nt!CmShutdownSystem() is called; at the end it sets the
HvShutdownComplete flag to TRUE. Once HvShutdownComplete is set, many registry
functions return STATUS_TOO_LATE.
ΞρεΤΙκ
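The send order and the registry cut-off described above can be turned into a single report. The following is an added example, not code from the original post: it walks all five lists with the same pykd calls used above and marks, for each device, whether its IRP_MJ_SHUTDOWN arrives before nt!CmShutdownSystem(). The names ORDER, collect_live, dispatch_plan and SAMPLE are assumptions made for this example.

```python
import re
# IRP_MJ_SHUTDOWN send order from this page: (list head in nt, field linking entries).
# "ListEntry": SHUTDOWN_PACKET entries; "Queue.ListEntry": _DEVICE_OBJECT entries.
ORDER = [("IopNotifyShutdownQueueHead", "ListEntry"),
         ("IopDiskFileSystemQueueHead", "Queue.ListEntry"),
         ("IopCdRomFileSystemQueueHead", "Queue.ListEntry"),
         ("IopTapeFileSystemQueueHead", "Queue.ListEntry"),
         ("IopNotifyLastChanceShutdownQueueHead", "ListEntry")]

# First two lines of one !devobj report; the device name may be absent.
DEVOBJ = re.compile(r"Device object \(([0-9a-f`]+)\) is for:\s*(\S*?)\s*"
                    r"(\\(?:Driver|FileSystem)\\\S+)\s+DriverObject\s+([0-9a-f`]+)")

def collect_live():
    """Inside a kernel debugging session: !devobj text for each list head."""
    import pykd  # lazy import, so dispatch_plan() also works on saved output
    nt = pykd.module("nt")
    packet = pykd.createStruct("SHUTDOWN_PACKET")
    packet.append("ListEntry", nt.type("_LIST_ENTRY"))
    packet.append("DeviceObject", nt.type("_DEVICE_OBJECT").ptrTo())
    reports = {}
    for head, link in ORDER:
        is_packet = link == "ListEntry"
        entry_type = packet if is_packet else nt.type("_DEVICE_OBJECT")
        text = []
        for e in pykd.typedVarList(getattr(nt, head), entry_type, link):
            addr = int(e.DeviceObject) if is_packet else int(e)
            text.append(pykd.dbgCommand("!devobj 0x{:x}".format(addr)))
        reports[head] = "\n".join(text)
    return reports

def dispatch_plan(reports):
    """Rows (stage, list head, device, driver, registry_usable) in send order."""
    rows = []
    for stage, (head, _link) in enumerate(ORDER, 1):
        for _addr, name, driver, _drv in DEVOBJ.findall(reports.get(head, "")):
            # Only stage 1 runs before nt!CmShutdownSystem sets HvShutdownComplete.
            rows.append((stage, head, name or "<unnamed>", driver, stage == 1))
    return rows

# Sample input: header lines abridged from the output shown on this page.
SAMPLE = {"IopNotifyShutdownQueueHead": r"""
Device object (ffffe001e1863050) is for:
 0000001b \Driver\usbhub DriverObject ffffe001e17a02d0
Device object (ffffe001e14de030) is for:
 \Driver\CSC DriverObject ffffe001e15f23c0""",
          "IopNotifyLastChanceShutdownQueueHead": r"""
Device object (ffffe001e1308060) is for:
 VolMgrControl \Driver\volmgr DriverObject ffffe001e1309610"""}
```

In a debugging session call dispatch_plan(collect_live()); offline, dispatch_plan(SAMPLE) works on saved !devobj text.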