Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:


MariushZdrabazdanskiMariushZdrabazdanski Member Posts: 13
edited October 23 in NTFSD

I'm trying to veto the bypassed operation. To do this, in PreCallback in case of receiving IRP_MJ_FILE_SYSTEM_CONTROL and Data->Iopb->Parameters.File System Control.Common.FsControlCode == FSCTL_MANAGE_BYPASS_IOS calling this function

Then I finish PreCallback with the status FLT_PREOP_COMPLETE.

The problem is that in USER_SPACE, in this case, garbage arrives in the outputbuffer. And I don't understand why.
Can someone suggest?

I act according to the instructions:

Example code

if (Data->Iopb->Parameters.FileSystemControl.Common.FsControlCode == FSCTL_MANAGE_BYPASS_IO) {
        UNICODE_STRING reason;
        PFS_BPIO_INPUT in;

        in = Data->Iopb->Parameters.FileSystemControl.Buffered.SystemBuffer;
        if (in) {
                if (in->Operation == FS_BPIO_OP_ENABLE || in->Operation == FS_BPIO_OP_QUERY) {
                        RtlInitUnicodeString(&reason, L"does not support bypassio");
                        status = FltVetoBypassIo(Data, FltObjects, STATUS_ACCESS_DENIED, &reason);

                        return FLT_PREOP_COMPLETE;


  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,265

    Did you do this bit:

    Update the FS_BPIO_OUTPUT structure, including the operation NTSTATUS describing
    why the enable request was vetoed, the driver's name, and a unique, descriptive string
    with additional details about why you vetoed the enable request.

    Your code doesn't show that bit.

  • MariushZdrabazdanskiMariushZdrabazdanski Member Posts: 13

    Yes, I figured it out, thank you very much. A rather strange situation, you need to update the structure in Data->Iopb->Parameters.FileSystemControl.Buffered.SystemBuffer in PostCallback.

    PostCallback!! What the documentation does not say a word about. And it confuses me

    And theoretically, it is not necessary to call FltVetoBypassIo at all
    Which is very strange...

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 608
    via Email
    How do you return Bypass in PostOp?
    That makes 0 sense, as the I/O already went down. FltMgr would need to
    renegotiate with the FS after.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 13-17 May 2024 Live, Online
Developing Minifilters 1-5 Apr 2024 Live, Online
Internals & Software Drivers 11-15 Mar 2024 Live, Online
Writing WDF Drivers 26 Feb - 1 Mar 2024 Live, Online