Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting... Please check out the Community Guidelines in the
Announcements and Administration Category, below.

FltCreateFile or ZwCreateFile

Hi

I have written a file system mini filter driver and registered preCreate and postCreate callbacks. In these callbacks I am writing logs in a text file using ZwCreateFile and ZwWriteFile.
This is working fine.
Why don't I get the calback for this ZwCreateFile?
Shouldn't I use FltCreateFile and FltWriteFile?

Comments

  • Don_Burn-2Don_Burn-2 Posts: 1,620
    You don't get the callback because the minifilter support handles the
    ZwXXX calls and FltXXX calls so they only go down the stack to the lower
    drivers.


    Don Burn
    Windows Filesystem and Driver Consulting
    Website: http://www.windrvr.com
    Blog: http://msmvps.com/blogs/WinDrvr



    "xxxxx@gmail.com" <xxxxx@gmail.com> wrote in message
    news:xxxxx@ntfsd:

    > Hi
    >
    > I have written a file system mini filter driver and registered preCreate and postCreate callbacks. In these callbacks I am writing logs in a text file using ZwCreateFile and ZwWriteFile.
    > This is working fine.
    > Why don't I get the calback for this ZwCreateFile?
    > Shouldn't I use FltCreateFile and FltWriteFile?
  • Then why is FltCreateFile given when ZwCreateFile is already there?
  • Alex_CarpAlex_Carp Posts: 1,015
    If you open the file using ZwCreateFile you should see an IRP_MJ_CREATE for it. If you open the file using FltCreateFile(Ex(2)) then you won't see the IRP_MJ_CREATE. Please note that the right way to open the handle from a minifilter while processing an IO request is via FltCreateFile, ZwCreateFile will create interesting problems, like infinite loops and deadlocks.

    I don't know why you're not seeing your create callback but there could be many factors and i don't know if it's worth investigating since you should be using FltCreateFile anyway.

    I wrote a post on the topic of when to use Flt and when to use Zw calls, here (http://fsfilters.blogspot.com/2010/02/issuing-io-in-minifilters-part-1.html and http://fsfilters.blogspot.com/2010/02/issuing-io-in-minifilters-part-2-flt-vs.html).

    Thanks,
    Alex.
  • Thanks Alex :)
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!