Reversing npsvctrig.sys - Named Pipe Service Triggers

This post is a writeup of my notes from reversing npsvctrig.sys. I was recently looking into Service Triggers and couldn’t find any writeups or info on this driver - hence sharing this.

Overview

npsvctrig.sys is a native Windows filesystem minifilter driver that implements, as the name suggests, part of the functionality for Named Pipe Service Triggers. The driver is small and straightforward. In a nutshell, it maintains a list of active named pipe triggers, uses minifilter callbacks to intercept specific actions being performed against those named pipes, and then publishes an ETW event containing the name of the pipe when one occurs. The Service Control Manager (SCM) consumes these events and takes them as an indicator that it should start the corresponding service executable. ...

February 2, 2026 · 14 min · Tom Brice