Filter Communication Ports | Data Corruption | Maximum Size

Question

I am trying to exchange an array of strings between a minifilter and a c# user mode application using filter communication ports and marshaling. I was able to send from the c# application and receive the message at the minifilter end. Sometimes I receive malformed data, I am logging and viewing the logs in DebugView connected to the local machine. Why is this happening ?

Also is there a optimal size of a message than can be handled by filter communication ports ?

Answer 1

Hello Rhubanraj Palanikumar,

Malformed data when using filter communication ports in a minifilter and a C# user mode application can occur due to various reasons. To list some of them: Buffer Size Mismatch, Data Alignment, Marshaling Code errors, Buffer Overflows...

To monitor and troubleshoot this I can recommend the tool "fltmc" in Powershell:

To list all loaded minifilter drivers: fltmc instances

To start monitoring the communication between the filter driver and the user mode application: fltmc log 0xffffffffff

To stop monitoring: fltmc log 0x0

To view the logs: Get-WinEvent -LogName 'Microsoft-Windows-FilterManager/Debug'

Reference: https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/development-and-testing-tools#fltmcexe-command

Feel free to post parts of your logs with errors, so the community can review and present more actions.

About a default messaging size, there isn't a strict, fixed size limit for messages that can be handled by filter communication ports (FltCreateCommunicationPort) in Windows minifilter drivers. The size of a message that can be handled largely depends on practical considerations, memory availability, and performance requirements.

--If the reply is helpful, please Upvote and Accept as answer--