Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Prevent multiple callback on same filenamr

johnhouldingjohnhoulding Member Posts: 28
Hello Everyone. I have a minifilter which in callback operation get filename and send it to usermode app to logging(or scanning) it works fine . But there are multiple pre or post operation on same filename. I know its normal because when we work file we are not alone system also may access this file. But is there any way to prevent this. I mean i know we can stop these operation but how can I create minifilter to see same filename only one time?I readed about context stream but i dont know which type i must use?stream,streamhandle or etc?Can someone help me to understand context and give me some of resource(sample)?Thank you for reading


  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,299
    While it’s not intuitiveLy obvious, names are one of the more complicated things in the file system filter space (hard links, junctions, open by ID, renames, network vs local, it goes on and on...). So, I suggest you step back a bit and not worry about names for the moment.

    You undoubtedly want a stream context. On FAT this would be the same as per-file, but on NTFS (and other file systems, e.g. UDF) files can have multiple data streams. These each have a unique path and for most purposes can (effectively) be thought of as unique files.

    The general flow for scanning/monitoring is to establish a stream context on PostCreate. The first thread to set the stream context “wins” and triggers the monitoring/scanning. Subsequent threads look up the context and piggyback on the work of the first thread.

    Set up a secondary drive with FAT and play with the avscan WDK sample. Try to avoid the noise and hyper focus on its use of the stream context. It should help give you an idea of the flow.

    From there you have a million rat holes to fall down :)

    Good luck!


  • johnhouldingjohnhoulding Member Posts: 28
    Thank you very much Mr Scott for reply.I know my questions are newbie. I actually will not play fat or network .Im intrested only Ntfs and only executable file. I know there is also special major function for work executable irp mj acq for section but i saw in here there is also problem for reading file from user mode. Firstly I tested irp_mj_set_information it works fine there is no any problem. in post callback i get renamed file name and scan this.( like when browser download file after downloading browser rename filename to its original filename)There are not a lot of callback. But when try irp-mj-create i parse filename to catch only exe extension it also works but multiple same filenames. ( if im not wrong i must use stream context for this reason). And my 3rd options is irp mj write .I also tested it but i cant scan writing stream(consider I write data to file block by block) then i cant know when file writing operation completed.for this reason i used irp mj close but i cannot see any callback notify when user call CloseHandle after writing operation.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA