MSDN – Windows Kernel API Reference


Overview

This page provides a complete, build‑ready sample for the Windows Kernel I/O Subsystem. The sample demonstrates how to create a simple filter driver that intercepts read/write IRPs, logs the operation, and forwards the request to the lower driver.

Sample Kernel‑Mode Driver

#include <ntddk.h>
#include <wdf.h>

/*
 * Four-character tag for this driver. Nothing in this listing references it;
 * presumably it is meant as a pool-allocation tag. TODO confirm, or remove it.
 */
#define DRIVER_TAG 'ioSF'

/*
 * Forward declarations written with the WDK/KMDF callback role types, so each
 * definition below is checked against the prototype the framework expects.
 */
DRIVER_INITIALIZE DriverEntry;
EVT_WDF_DRIVER_DEVICE_ADD IoSample_EvtDeviceAdd;
EVT_WDF_IO_QUEUE_IO_READ IoSample_EvtIoRead;
EVT_WDF_IO_QUEUE_IO_WRITE IoSample_EvtIoWrite;

/*
 * Driver entry point: registers IoSample_EvtDeviceAdd as the device-add
 * callback and creates the framework driver object.
 *
 * DriverObject and RegistryPath are passed through to WdfDriverCreate
 * unchanged. Returns the NTSTATUS produced by WdfDriverCreate.
 */
NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    WDF_DRIVER_CONFIG driverConfig;

    WDF_DRIVER_CONFIG_INIT(&driverConfig, IoSample_EvtDeviceAdd);

    /* No extra object attributes, and the driver handle is not kept. */
    return WdfDriverCreate(DriverObject,
                           RegistryPath,
                           WDF_NO_OBJECT_ATTRIBUTES,
                           &driverConfig,
                           WDF_NO_HANDLE);
}

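/*
 * Device-add callback: creates the framework device as a filter and attaches
 * a default I/O queue whose read and write callbacks are the IoSample
 * handlers.
 *
 * Driver     - unused.
 * DeviceInit - framework-owned init structure; consumed by WdfDeviceCreate.
 *
 * Returns the failing status of WdfDeviceCreate, otherwise the status of
 * WdfIoQueueCreate.
 */
NTSTATUS
IoSample_EvtDeviceAdd(_In_ WDFDRIVER Driver, _Inout_ PWDFDEVICE_INIT DeviceInit)
{
    WDF_OBJECT_ATTRIBUTES deviceAttributes;
    WDFDEVICE device;
    WDF_IO_QUEUE_CONFIG queueConfig;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(Driver);

    /*
     * Mark the device as a filter before it is created. Without this call the
     * framework treats the device as a function driver and fails every
     * request type the queue has no callback for (for example device control)
     * instead of passing it down the stack.
     */
    WdfFdoInitSetFilter(DeviceInit);

    WDF_OBJECT_ATTRIBUTES_INIT(&deviceAttributes);
    status = WdfDeviceCreate(&DeviceInit, &deviceAttributes, &device);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /*
     * Parallel dispatch: the framework may invoke the read and write
     * callbacks concurrently, so they must not rely on unsynchronized
     * shared state.
     */
    WDF_IO_QUEUE_CONFIG_INIT_DEFAULT_QUEUE(&queueConfig, WdfIoQueueDispatchParallel);
    queueConfig.EvtIoRead = IoSample_EvtIoRead;
    queueConfig.EvtIoWrite = IoSample_EvtIoWrite;

    status = WdfIoQueueCreate(device,
                              &queueConfig,
                              WDF_NO_OBJECT_ATTRIBUTES,
                              WDF_NO_HANDLE);
    return status;
}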

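/*
 * Passes Request to the next-lower driver and gives up ownership of it.
 *
 * The request is sent with the send-and-forget option, so no completion
 * routine runs in this driver; the lower driver's status and byte count reach
 * the caller unchanged. If the request cannot be sent, it is completed here
 * with the status recorded by the framework.
 */
static
VOID
IoSample_ForwardRequest(_In_ WDFQUEUE Queue, _In_ WDFREQUEST Request)
{
    WDF_REQUEST_SEND_OPTIONS sendOptions;
    WDFIOTARGET lowerTarget = WdfDeviceGetIoTarget(WdfIoQueueGetDevice(Queue));

    if (lowerTarget == NULL) {
        /* No lower target to forward to; fail instead of faking success. */
        WdfRequestComplete(Request, STATUS_INVALID_DEVICE_STATE);
        return;
    }

    WDF_REQUEST_SEND_OPTIONS_INIT(&sendOptions,
                                  WDF_REQUEST_SEND_OPTION_SEND_AND_FORGET);

    if (!WdfRequestSend(Request, lowerTarget, &sendOptions)) {
        WdfRequestComplete(Request, WdfRequestGetStatus(Request));
    }
}

/*
 * Read callback: logs the requested length and forwards the request.
 *
 * The request must not be completed here with Length as the information
 * value unless the output buffer has actually been filled. For buffered I/O
 * the I/O manager copies that many bytes of the uninitialized system buffer
 * back to the caller, which discloses kernel pool contents.
 *
 * Queue   - queue that delivered the request; used to find the lower target.
 * Request - the read request; ownership passes to the lower driver.
 * Length  - number of bytes the caller asked to read (logged only).
 */
VOID
IoSample_EvtIoRead(_In_ WDFQUEUE Queue,
                   _In_ WDFREQUEST Request,
                   _In_ size_t Length)
{
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
               "IoSample: Read request of %zu bytes\n", Length);
    IoSample_ForwardRequest(Queue, Request);
}

/*
 * Write callback: logs the requested length and forwards the request.
 *
 * Completing the write here with STATUS_SUCCESS would report the data as
 * written while discarding it; the lower driver has to perform the write.
 *
 * Queue   - queue that delivered the request; used to find the lower target.
 * Request - the write request; ownership passes to the lower driver.
 * Length  - number of bytes the caller asked to write (logged only).
 */
VOID
IoSample_EvtIoWrite(_In_ WDFQUEUE Queue,
                    _In_ WDFREQUEST Request,
                    _In_ size_t Length)
{
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
               "IoSample: Write request of %zu bytes\n", Length);
    IoSample_ForwardRequest(Queue, Request);
}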

Building the Sample

Use the Windows Driver Kit (WDK) and Visual Studio. Follow these steps:

  1. Open Visual Studio and create a new Kernel Mode Driver (KMDF) project.
  2. Replace the generated source file with the code above.
  3. Set the target platform to x64 or ARM64 as required.
  4. Build the solution (Ctrl+Shift+B).

Running & Testing

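After building, install the driver on a dedicated test machine or virtual machine running Windows 10/11 (Developer Mode recommended); a fault in kernel-mode code crashes the whole system, so keep it off machines that hold work you need. 64-bit Windows loads only signed drivers, so a development build has to be test-signed and the test machine must have test signing enabled.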

pnputil /add-driver IoSample.inf /install
sc start IoSample

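Verify the debug output using WinDbg or DebugView to see the logged read/write operations. The driver logs at DPFLTR_INFO_LEVEL, which Windows filters out by default, so first enable the IHVDRIVER component in the debug-print filter (for example by setting the Kd_IHVDRIVER_Mask variable from the kernel debugger).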

Further References