Hts SCSI View

 

 

HtsScsiView is a Windows 2000 SCSI monitor application and kernel bus filter driver. Bus filtering is the third type of Plug and Play filter driver that can be implemented in Windows 2000. The other two types are Upper Filter Drivers and Lower Filter Drivers, which come in the subflavors of Class Filter and Device Filter.

Upper and Lower filter drivers are moderately well documented in the NT DDK. Figuring out how to install a class filter driver is a bit of a puzzle, as the straightforward mechanism requires one to be the vendor of the filtered class, but once you read between the lines it all sort of makes sense.

The third type, the bus filter, is mentioned in passing in the DDK, but other than the fact that bus filters exist (and they do exist) no explanation at all is given. A bus filter driver is a PDO upper filter driver. It filters all the PDOs of a given bus driver, before these PDOs are attached to any PnP stack.

A prime example of where a bus filter driver comes in handy is the SCSI bus. Suppose that you wanted to monitor all SCSI activity on the system. There is no Upper, Lower or Sideways filter driver that will do this, as each PDO created by ScsiPort potentially belongs to a different PnP stack, based on the SCSI PnP enumeration ID of that PDO. What's a hacker to do?

What we do here is write bus filter drivers that filter at the PDO level, based on bus enumeration events rather than PnP IDs.
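The difference between binding by PnP ID and binding by enumeration event can be seen in a small user-mode model. This is an added example, not HtsScsiView's code: it uses no kernel APIs, and every name in it (`struct pdo`, `on_bus_relations`, `send_request`, `class_filter_sees`) and the sample ID strings are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PDOS 8

/* User-mode stand-in for a PDO created by the bus driver (not a DEVICE_OBJECT). */
struct pdo { const char *pnp_id; int filtered; int observed; };

/* Bus filter bookkeeping: the PDOs reported by the previous enumeration. */
struct bus_filter { struct pdo *attached[MAX_PDOS]; int count; };

/* Models handling one completed bus enumeration: attach to every PDO not yet
 * filtered, detach from PDOs the bus no longer reports. Returns new attachments. */
int on_bus_relations(struct bus_filter *f, struct pdo **list, int n) {
    int added = 0;
    if (n > MAX_PDOS) n = MAX_PDOS;
    for (int i = 0; i < f->count; i++) {        /* find PDOs that vanished */
        int present = 0;
        for (int j = 0; j < n; j++) if (list[j] == f->attached[i]) present = 1;
        if (!present) f->attached[i]->filtered = 0;
    }
    for (int i = 0; i < n; i++) {               /* a rescan must not double-attach */
        if (!list[i]->filtered) { list[i]->filtered = 1; added++; }
        f->attached[i] = list[i];
    }
    f->count = n;
    return added;
}

/* A request is visible to the bus filter only if it sits on that PDO. */
int send_request(struct pdo *p) { if (p->filtered) p->observed++; return p->filtered; }

/* A class or device filter is bound by PnP ID, so it sees only matching stacks. */
int class_filter_sees(const struct pdo *p, const char *id_prefix) {
    return strncmp(p->pnp_id, id_prefix, strlen(id_prefix)) == 0;
}

int main(void) {
    /* Constructed sample PDOs; the ID strings are illustrative. */
    struct pdo disk = {"SCSI\\Disk", 0, 0}, cd = {"SCSI\\CdRom", 0, 0};
    struct pdo tape = {"SCSI\\Sequential", 0, 0};
    struct bus_filter f = {{0}, 0};
    struct pdo *first[] = {&disk, &cd}, *second[] = {&disk, &cd, &tape};
    printf("first scan attached %d\n", on_bus_relations(&f, first, 2));
    printf("rescan attached %d\n", on_bus_relations(&f, second, 3));
    printf("disk-only filter sees tape: %d, bus filter sees tape: %d\n",
           class_filter_sees(&tape, "SCSI\\Disk"), send_request(&tape));
    return 0;
}
```

The model also covers the bookkeeping a bus filter needs across repeated enumerations: a PDO reported again is not attached twice, and a PDO missing from a later scan is treated as gone.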

For a sample of the power of bus filtering, download HtsScsiView, a real-time SCSI bus filter driver and monitor application.

As always, please be aware that this is a test application that contains a kernel driver component. It should only be run on test systems, not on production systems.