Having problem getting all readEvents for some network volumes.

Hello,

I have a “monitoring-only” minifilter driver that is really pretty simple. However, I do have a problem I’m running into that I don’t quite understand. Perhaps someone can shed some light.


So, with my minifilter one thing I’m interested in is getting notified of any ReadFile event. I am able to get most of these by registering for the IRP_MJ_READ callback in my filter registration callback. For the most part, this seems to work.


But, when reading files from a network volume, I sometimes get these events, but sometimes I don’t. I suspect this has something to do with caching and/or fast IO, which I don’t know a ton about. I do know that I am receiving the callbacks for read events for fast IO, as I’ve checked the appropriate flag in the callback parameter when I get that event. I’ve also confirmed that when I registered for IRP_MJ_READ I sent in ‘0’ for the FLT_OPERATION_REGISTRATION_FLAGS, so I shouldn’t be ignoring anything.


This is especially confusing because, in using ProcMon, I do see the ReadFile events coming in when I trigger the read. In the Detail column of ProcMon, it shows me an Offset, a Length, and a Priority, but nothing else to indicate anything unusual. HOWEVER, in ProcMon, I also see a couple FASTIO_CHECK_IF_POSSIBLE events come in right around the same time, which it doesn’t generate if I just read a file off my local hard disk. My hunch is that this is related, I’m just not quite sure how.


I realize that I can register for a callback for FASTIO_CHECK_IF_POSSIBLE in my driver, but that doesn’t really help me, because I really want that ReadEvent event which ProcMon seems to be getting that I can’t get.


Anyone have any thoughts?

Hmm, I may have just answered my own question. I think I need to register for the IRP_MJ_MDL_READ IRP, perhaps.

EDIT – hmm, maybe not. Not sure if that’s what I need.

OK, I figured out my problem.


I actually was getting back the IRP_MJ_READ for all network reads. However, it was failing in a subsequent call to FltGetFileNameInformation because I was not allowing it to use the name cache when looking up the name, which caused me to discard the event downstream. I changed to allow the usage of the name cache when calling FltGetFileNameInformation, and then things work more as I expect. Thanks.