Having problem getting all readEvents for some network volumes.

LittlePapaBear Member Posts: 6


I have a "monitoring-only" minifilter driver that is really pretty simple. However, I do have a problem that I'm running into that I don't quite understand. Perhaps someone can shed some light.

So, with my minifilter one thing I'm interested in is getting notified of any ReadFile event. I am able to get most of these by registering for the IRP_MJ_READ callback in my filter registration callback. For the most part, this seems to work.

But, when reading files from a network volume, I sometimes get these events, but sometimes I don't. I suspect this has something to do with caching and/or fast IO, which I don't know a ton about. I do know that I am receiving the callbacks for read events for fast IO, as I've checked the appropriate flag in the callback parameter when I get that event. I've also confirmed that when I registered for IRP_MJ_READ that I sent in '0' for the FLT_OPERATION_REGISTRATION_FLAGS, so I shouldn't be ignoring anything.

This is especially confusing because, in using ProcMon, I do see the ReadFile events coming in when I trigger the read. In the Detail column of ProcMon, it shows me an Offset, a Length, and a Priority, but nothing else to indicate anything unusual. HOWEVER, in ProcMon, I also see a couple FASTIO_CHECK_IF_POSSIBLE events come in right around the same time, which it doesn't generate if I just read a file off my local hard disk. My hunch is that this is related, I'm just not quite sure how.

I realize that I can register for a callback for FASTIO_CHECK_IF_POSSIBLE in my driver, but that doesn't really help me, because I really want that ReadEvent event which ProcMon seems to be getting that I can't get.

Anyone have any thoughts?


  • LittlePapaBear Member Posts: 6
    edited March 27

    Hmm, I may have just answered my own question. I think I need to register for the IRP_MJ_MDL_READ IRP, perhaps.

    EDIT -- hmm, maybe not. Not sure if that's what I need.

  • LittlePapaBear Member Posts: 6

    OK, I figured out my problem.

    I actually was getting back the IRP_MJ_READ for all network reads. However, it was failing in a subsequent call to FltGetFileNameInformation because I was disallowing it from using the name cache when looking up the name, which caused me to discard the event downstream. I changed to allow the usage of the name cache when calling FltGetFileNameInformation, and then things work more as I expect. Thanks.
