Hello all!
My situation: Business requirements are such that I need to hash any file that has been written to by certain processes and report new hash. Until recently, I was doing the hash on irp_mj_cleanup but it was decided that the performance impact was to great and so something had to change.
I tried implementing a change where I use FltQueueGenericeWorkItem to push the hashing into another thread, allowing the original process to complete it’s cleanup and thereby improving performance (or apparent performance anyway) because the process is not waiting on the cleanup of the file while I hash.
This has cause an issue though, because I need to reopen the file to do the hashing, if the process tries to reopen the file without sharing, the original process fails. This happens more than I would like (with word for instance). I am trying to fix this issue my having the irp_mj_create wait on the completion of the hash, but this has introduced additional problems, like a strange memory corruption other issues, like not being able to set an event without a BSOD.
My Question is this: am I barking up the wrong tree? Should I be doing this a completely different way? I saw that the AVSCAN driver sample had some code I could steal, but I have to support windows 7 so I am not sure I can use that code. Any help would be great, thank you in advance for your time.