Sounds like a newbie question, but it is not…
After a call to APIs like ZwOpenFile/FltCreateFile/ZwCreateKey/etc., what is the most correct way to tell if I need to close a handle?
One would think it is
if(NT_SUCCESS(ntRes))
ZwClose(hHandle);
But… I have often seen cases where this is not the way to tell if the call to the open API succeeded, as sometimes the return value is a success code, but IoStatus.Status is not, and the actual status is there. This is kinda rare, but often enough that it is not uncatchable.
So… is it:
if(NT_SUCCESS(ntRes) && NT_SUCCESS(IoStatus.Status))
or simply
if(hHandle) // kernel handles are all NULL if invalid, for the above API
?
Regards, Dejan.