I’m implementing a minifilter driver and I need to flush and purge the cache of files that I monitor.
I saw that recently Microsoft added a new API FltFlushBuffers2() that does flush and can also purge the cache.
In the past I used the cache manager APIs to do that, but they are not safe to use and cause my driver to hang from time to time.
FltFlushBuffers2() seems to be supported only from Windows build version 19041 which still can’t be installed on all computers.
What alternatives do I have if I need to flush and purge files that I monitor from within my minifilter?
The minifilter is not initiating the write requests to the file.
I want to flush and purge the cache that was updated by write and read requests that user applications did and the driver monitored.
FltFlushBuffers2 is just a wrapper around sending an IRP_MJ_FLUSH_BUFFERS with various different minor function codes:
//
// Flush minor function codes
//
#define IRP_MN_FLUSH_AND_PURGE 0x01
#if (NTDDI_VERSION >= NTDDI_WIN8)
#define IRP_MN_FLUSH_DATA_ONLY 0x02 //see FLUSH_FLAGS_FILE_DATA_ONLY for definition of how this works
#define IRP_MN_FLUSH_NO_SYNC 0x03 //see FLUSH_FLAGS_NO_SYNC for definition of how this works
#endif
#if (NTDDI_VERSION >= NTDDI_WIN10_RS1)
#define IRP_MN_FLUSH_DATA_SYNC_ONLY 0x04 //see FLUSH_FLAGS_FILE_DATA_SYNC_ONLY for definition of how this works
#endif
As Rod said, you can just build your own callback data instead of using this API.
Note however that it’s up to the file system to actually implement these minor function codes. For example, I don’t believe FAT uses any of them.
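The approach described in the reply above (build your own callback data and send IRP_MJ_FLUSH_BUFFERS with the IRP_MN_FLUSH_AND_PURGE minor code), as an added example that is not code from any poster in this thread. The helper name FlushAndPurgeFile is hypothetical, and the stand-ins under `#else` are constructed only so the logic also compiles outside the WDK.

```c
#ifdef _KERNEL_MODE          /* defined by the MSVC /kernel switch used for driver builds */
#include <fltKernel.h>
#else                        /* constructed stand-ins, NOT the real Filter Manager */
#include <stddef.h>
typedef int NTSTATUS;
typedef void *PFLT_INSTANCE, *PFILE_OBJECT;
typedef struct { unsigned char MajorFunction, MinorFunction;
                 PFILE_OBJECT TargetFileObject; } FLT_IO_PARAMETER_BLOCK;
typedef struct { FLT_IO_PARAMETER_BLOCK *Iopb;
                 struct { NTSTATUS Status; } IoStatus; } FLT_CALLBACK_DATA, *PFLT_CALLBACK_DATA;
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define IRP_MJ_FLUSH_BUFFERS 0x09
static FLT_IO_PARAMETER_BLOCK stub_iopb;
static FLT_CALLBACK_DATA stub_data = { &stub_iopb, { 0 } };
static NTSTATUS stub_alloc_status, stub_io_status;   /* results the stand-ins report */
static int stub_freed;                                /* counts FltFreeCallbackData calls */
static NTSTATUS FltAllocateCallbackData(PFLT_INSTANCE i, PFILE_OBJECT f, PFLT_CALLBACK_DATA *d)
{ (void)i; stub_iopb.TargetFileObject = f; *d = &stub_data; return stub_alloc_status; }
static void FltPerformSynchronousIo(PFLT_CALLBACK_DATA d) { d->IoStatus.Status = stub_io_status; }
static void FltFreeCallbackData(PFLT_CALLBACK_DATA d) { (void)d; stub_freed++; }
#endif

#ifndef IRP_MN_FLUSH_AND_PURGE
#define IRP_MN_FLUSH_AND_PURGE 0x01   /* value from the header excerpt above */
#endif

/* Flush the cached data of FileObject and ask the file system to purge it.
 * Instance is the minifilter instance attached to the file's volume; the
 * request goes to the filters below that instance and to the file system. */
NTSTATUS FlushAndPurgeFile(PFLT_INSTANCE Instance, PFILE_OBJECT FileObject)
{
    PFLT_CALLBACK_DATA data = NULL;
    NTSTATUS status = FltAllocateCallbackData(Instance, FileObject, &data);
    if (!NT_SUCCESS(status))
        return status;                    /* nothing was allocated, nothing to free */

    data->Iopb->MajorFunction = IRP_MJ_FLUSH_BUFFERS;
    data->Iopb->MinorFunction = IRP_MN_FLUSH_AND_PURGE;
    FltPerformSynchronousIo(data);        /* returns once the request has completed */
    status = data->IoStatus.Status;       /* read the result before freeing */

    /* Success reports that the request completed; per the reply above, acting
     * on the minor code is up to the file system that receives it. */
    FltFreeCallbackData(data);
    return status;
}
```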
I’ve got the same issue as Sagi, and while sending the IRP directly does work (thanks Rod and Scott!), my Lead would rather I use the “documented” way of doing things. As such, I’m trying to use FltFlushBuffers2() if it is available. To check the availability, I’m using MmGetSystemRoutineAddress():
Although I’m testing on Windows 10 2H20, this always returns NULL. It also returns NULL for FltFlushBuffers and FltCancelIo. The same code works for MmMapIoSpaceEx() in my driver.
Is there a different way of getting the addresses of Filter Manager functions?