I have a "monitoring-only" minifilter driver that is really pretty simple. However, I do have a problem that I'm running into I don't quite understand. Perhaps someone can shed some light.
So, with my minifilter one thing I'm interested in is getting notified of any ReadFile event. I am able to get most of these by registering for the IRP_MJ_READ callback in my filter registration callback. For the most part, this seems to work.
But, when reading files from a network volume, I sometimes get these events, but sometimes I don't. I suspect this has something to do with caching and/or fast IO, which I don't know a ton about. I do know that I am receiving the callbacks for read events for fast IO, as I've checked the appropriate flag in the callback parameter when I get that event. I've also confirmed that when I registered for IRP_MJ_READ that I sent in '0' for the FLT_OPERATION_REGISTRATION_FLAGS, so I shouldn't be ignoring anything.
This is especially confusing because, in using ProcMon, I do see the ReadFile events coming in when I trigger the read. In the Detail column of ProcMon, it shows me an Offset, a Length, and a Priority, but nothing else to indicate anything unusual. HOWEVER, in ProcMon, I also see a couple FASTIO_CHECK_IF_POSSIBLE events come in right around the same time, which it doesn't generate if I just read a file off my local hard disk. My hunch is that this is related, I'm just not quite sure how.
I realize that I can register for a callback for FASTIO_CHECK_IF_POSSIBLE in my driver, but that doesn't really help me, because I really want that ReadEvent event which ProcMon seems to be getting that I can't get.
Anyone have any thoughts?