I am developing a minifilter driver to monitor Create/Read/Write/Close operations on system and need to send these operations data of interested processes to user mode application for processing. Based on processing of user mode application, i am completing those respective callbacks. In this i am facing one issue that some Post-Read callbacks are coming as paging I/O along with IRQL of those callbacks is greater than APC_LEVEL. So in such scenario, i could not send data to user mode as FltSendMessage needs to be called below or at APC_LEVEL. Also FltDoCompletionProcessingWhenSafe function fails for Paging I/O which is mentioned in its MSDN documentation.
I would like to understand whether this is indeed not possible to send notification from Paging I/O + IRQL greater than APC_LEVEL to user mode or is there any way to do this? I have tried returning FLT_PREOP_SYNCHRONIZE from PreRead callback but that callback comes as asynchronous callback so i could not return FLT_PREOP_SYNCHRONIZE.
I also looked into FltQueueDeferredIoWorkItem API but documentation says that this function also fails with STATUS_FLT_NOT_SAFE_TO_POST_OPERATION for paging I/O. So as per my understanding till now, is it like we can not defer processing of Paging I/O to any worker thread and we have to process it in the same context in which it got called?
Please help me to understand this.
Thank you in advance.
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|Writing WDF Drivers||21 Oct 2019||OSR Seminar Space & ONLINE|
|Internals & Software Drivers||18 Nov 2019||Dulles, VA|
|Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||27 Apr 2020||OSR Seminar Space & ONLINE|