Communication Between User Mode and Kernel Mode

The filter manager supports communication between user mode and kernel mode through communication ports. The minifilter driver controls security on the port by specifying a security descriptor to be applied to the communication port object. Communication through a communication port is not buffered, so it is faster and more efficient. A user-mode application or service can reply to messages from a minifilter driver for bidirectional communication.

When the minifilter driver creates a communication server port, it implicitly begins to listen for incoming connections on the port. When a user-mode caller attempts to connect to the port, the filter manager calls the minifilter driver's ConnectNotifyCallback routine with a handle to the newly created connection. When the filter manager regains control, it passes the user-mode caller a separate file handle that represents the user-mode caller's endpoint to the connection. This handle can be used to associate I/O completion ports with the listener port.

A connection is accepted only if the user-mode caller has sufficient access as specified by the security descriptor on the port. Each connection to the port gets its own message queue and private endpoints.

Closing either endpoint (kernel or user) terminates that connection. When a user-mode caller closes its handle to the endpoint, the filter manager calls the minifilter driver's DisconnectNotifyCallback routine so the minifilter driver can close its handle to the connection.

Closing the communication server port prevents new connections but does not terminate existing connections. The filter manager terminates existing connections when the minifilter driver unloads.

Filter Manager Routines for Communication Between User Mode and Kernel Mode

The filter manager provides the following support routines for kernel-mode minifilter drivers to communicate with user-mode applications:





The following support routines are provided for user-mode applications to communicate with minifilter drivers:





Minifilter Driver Callback Routines for Communication Between User Mode and Kernel Mode

The following minifilter driver callback routines are passed as parameters to FltCreateCommunicationPort:

Callback Routine Name Callback Routine Type