How to display a pop-up message box from a driver (kernel mode)?

Question

I'm writing a driver which needs to immediately pop up a dialog to notify the user of an event.
(Kind of similar to NTFS's "Corrupt file" notification, except that this is not a filesystem-related driver.)

I know ExRaiseHardError and IoRaiseInformationalHardError should be able to do the trick, but they don't seem to work -- they return "successfully" without actually doing anything.

How do I go about doing this (without creating a user-mode program)?

A user-mode version of the code (which works correctly) is below.

In the kernel-mode version, I call ExRaiseHardError instead of NtRaiseHardError, but in the exact same way.

#include <windows.h>

#pragma comment(lib, "ntdll.lib")    // Needs ntdll.lib from Windows Driver Kit

typedef enum HardErrorResponseType {
    ResponseTypeAbortRetryIgnore,
    ResponseTypeOK,
    ResponseTypeOKCancel,
    ResponseTypeRetryCancel,
    ResponseTypeYesNo,
    ResponseTypeYesNoCancel,
    ResponseTypeShutdownSystem,
    ResponseTypeTrayNotify,
    ResponseTypeCancelTryAgainContinue
} HardErrorResponseType;

typedef enum HardErrorResponse {
    ResponseReturnToCaller,
    ResponseNotHandled,
    ResponseAbort, ResponseCancel,
    ResponseIgnore,
    ResponseNo,
    ResponseOk,
    ResponseRetry,
    ResponseYes
} HardErrorResponse;

typedef enum HardErrorResponseButton {
    ResponseButtonOK,
    ResponseButtonOKCancel,
    ResponseButtonAbortRetryIgnore,
    ResponseButtonYesNoCancel,
    ResponseButtonYesNo,
    ResponseButtonRetryCancel,
    ResponseButtonCancelTryAgainContinue
} HardErrorResponseButton;

typedef enum HardErrorResponseDefaultButton {
    DefaultButton1 = 0,
    DefaultButton2 = 0x100,
    DefaultButton3 = 0x200
} HardErrorResponseDefaultButton;

typedef enum HardErrorResponseIcon {
    IconAsterisk = 0x40,
    IconError = 0x10,
    IconExclamation = 0x30,
    IconHand = 0x10,
    IconInformation = 0x40,
    IconNone = 0,
    IconQuestion = 0x20,
    IconStop = 0x10,
    IconWarning = 0x30,
    IconUserIcon = 0x80
} HardErrorResponseIcon;

typedef enum HardErrorResponseOptions {
    ResponseOptionNone = 0,
    ResponseOptionDefaultDesktopOnly = 0x20000,
    ResponseOptionHelp = 0x4000,
    ResponseOptionRightAlign = 0x80000,
    ResponseOptionRightToLeftReading = 0x100000,
    ResponseOptionTopMost = 0x40000,
    ResponseOptionServiceNotification = 0x00200000,
    ResponseOptionServiceNotificationNT3X = 0x00040000,
    ResponseOptionSetForeground = 0x10000,
    ResponseOptionSystemModal = 0x1000,
    ResponseOptionTaskModal = 0x2000,
    ResponseOptionNoFocus = 0x00008000
} HardErrorResponseOptions;

typedef LONG NTSTATUS;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

EXTERN_C DECLSPEC_IMPORT NTSTATUS NTAPI NtRaiseHardError(
    IN NTSTATUS ErrorStatus, IN ULONG NumberOfParameters,
    IN ULONG UnicodeStringParameterMask, IN PULONG_PTR Parameters,
    IN ULONG ValidResponseOptions,
    OUT HardErrorResponse *Response);

EXTERN_C DECLSPEC_IMPORT VOID NTAPI RtlInitUnicodeString(
    IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString);

#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define STATUS_SERVICE_NOTIFICATION ((NTSTATUS)0x50000018L)

int main(void)
{
    HardErrorResponse r;

    // To display a standard NTSTATUS value:
    NtRaiseHardError(STATUS_ACCESS_DENIED, 0, 0, NULL, ResponseTypeOK, &r);

    // To display a custom string:
    UNICODE_STRING wTitle, wText;
    RtlInitUnicodeString(&wTitle, L"Title");
    RtlInitUnicodeString(&wText, L"Text");
    ULONG_PTR params[4] = {
        (ULONG_PTR)&wText,
        (ULONG_PTR)&wTitle,
        (
            (ULONG)ResponseButtonOK   |
            (ULONG)IconInformation    |
            (ULONG)ResponseOptionNone |
            (ULONG)DefaultButton1
        ),
        INFINITE
    };
    NtRaiseHardError(STATUS_SERVICE_NOTIFICATION, 4, 0x3, params, 0, &r);

    return 0;
}

I'm not familiar with `ExRaiseHardError`, but I don't expect that `IoRaiseInformationalHardError` would immediately display a message. I think that it just queues one up for the admin to see the next time they log in. — Gabe, Mar 27 '12 at 21:10
@Gabe: Huh... so then how do filesystem drivers display the messages immediately? — user541686, Mar 27 '12 at 21:20
I didn't try but...did you try to use ZwRaiseHardError in kernel mode? — Adriano Repetti, Mar 27 '12 at 21:36
@Adriano: It doesn't exist in kernel mode from what I can see. — user541686, Mar 27 '12 at 21:37
I guess it's simply undocumented but it should have the same prototype. These functions are documented better in ReactOS... — Adriano Repetti, Mar 27 '12 at 21:41
@Adriano: Yeah that's where I got most of this... I'm pretty sure the signature is most likely correct; something tells me I just need to do some pre-setup sort of thing that I don't know about. — user541686, Mar 27 '12 at 21:43
Yes, would be nice to find a full simple original example!!! :| — Adriano Repetti, Mar 27 '12 at 21:49
@Adriano: I just found [this](http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/ntos/config/cmworker.c__.htm) but it doesn't seem any different from what I'm doing... — user541686, Mar 27 '12 at 22:11
Little bit strange but...question, does it work under Windows XP? — Adriano Repetti, Mar 28 '12 at 07:22
@Adriano: I haven't tried... do you expect it to? If so then I'll try it. — user541686, Mar 28 '12 at 07:23
Long time I don't have to write a driver for something, I remember some issues from XP to Vista but I can't be sure — Adriano Repetti, Mar 28 '12 at 08:09
Are you calling ExRaiseHardError in the system context? If yes try to call in the user process context. — Sergey Podobry, Mar 28 '12 at 11:34

score 3 · Answer 1 · answered Sep 17 '15 at 21:38

A kernel driver can not display a MessageBox. If you would like to do that then you have to provide a communication functionality through a user-land application with the kernel driver then show that MessageBox from your user-land application.

All the talk about [Zw/Nt]RaiseHardError is irrelevant. If you disassembled MessageBox you will notice that this API gets called eventually.

score 0 · Answer 2 · answered Apr 14 '12 at 02:29

0

I Don't think that without an application(or a service) running in the user mode you can load a driver in the memory(even if it is going to be a filter driver).

answered Apr 14 '12 at 02:29

vivek

21
3

How to display a pop-up message box from a driver (kernel mode)?

2 Answers2

Linked