Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Get SecurityDescriptor for objects at PASSIVE_LEVEL

AvalonAvalon Member Posts: 13

I have a filter and a callback I receive can come in at DPC_LEVEL in any process.

Most of the time it enters as PASSIVE, so FltQuerySecurityObject()/ZwQuerySecurityObject()/ObGetObjectSecurity() etc can succeed, but they all run at <= PASSIVE. Often I will get BSOD, sometimes random (double fault etc), but they really do appear to come from here. As the docs themselves state "ObGetObjectSecurity should only be called at IRQL Level = PASSIVE_LEVEL with APCs enabled, otherwise deadlocks or crashes may occur."

So is it possible to analyze the SecurityDescriptor of a FileObject at DISPATCH? (All code is synchronous at the moment).
If not what are the options - Worker item (at PASSIVE), thread pool, any other non-async methods preferably?


  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,339

    You already stated the answer: Queue a work item. Dropping IRQL to passive is one of the primary reasons we have Work Items.


    Peter Viscarola

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA