Filter Verifier Error

I am getting the following error in my pre-read callback in my minifilter on W2K8 R2, but I don’t understand why, b/c as you can see below I am not violating the conditions defined in the message (i.e. IRQL is PASSIVE, IrpFlags says this is a non-cached op, and according to the message APCs are enabled).

I am seeing this for calls to FltCreateFileEx, FltQueryInformationFile, and FltClose.

Any ideas?

FILTER VERIFIER ERROR: A filter tried to issue IO at an incorrect IRQL level, or with Special Kernel APCs disabled.
(Filter = FFFFFA80018C45B0 (MyDriver), MajorCode = 0x0, IsPaging = 0x0, NonCached = 0x0, IRP_MN_MDL = 0x0, IRQL = 0x0, Special Kernel APCs Enabled = 0x1)

kd> !irql
Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)

kd> ?? Data->Iopb
struct _FLT_IO_PARAMETER_BLOCK * 0xfffffa8002729338
+0x000 IrpFlags : 0x40000101
+0x004 MajorFunction : 0x3 ''
+0x005 MinorFunction : 0 ''
+0x006 OperationFlags : 0 ''
+0x007 Reserved : 0 ''
+0x008 TargetFileObject : 0xfffffa80018b8090 _FILE_OBJECT
+0x010 TargetInstance : 0xfffffa80`01e9ac30 _FLT_INSTANCE
+0x018 Parameters : _FLT_PARAMETERS

I am calling FltCreateFileEx like this, but I suspect the parameters don’t really matter since it fails the same way calling FltClose at times.

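status = FltCreateFileEx(g_FilterHandle,                      /* Filter */
                         Instance,                            /* Instance */
                         &hFile,                              /* FileHandle */
                         &pOfflineFO,                         /* FileObject */
                         FILE_READ_ATTRIBUTES | SYNCHRONIZE,  /* DesiredAccess */
                         &oa,                                 /* ObjectAttributes */
                         &Iosb,                               /* IoStatusBlock */
                         NULL,                                /* AllocationSize */
                         0,                                   /* FileAttributes */
                         FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, /* ShareAccess */
                         FILE_OPEN,                           /* CreateDisposition */
                         FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_ALERT,    /* CreateOptions */
                         NULL,                                /* EaBuffer */
                         0,                                   /* EaLength */
                         0);                                  /* Flags */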

Sorry about that, this is a bug in the verifier message. The value for “Special Kernel APCs Enabled” is in fact the return value of KeAreAllApcsDisabled(), which means that the message should read “Special Kernel APCs Disabled”. The check is correct though, just the message is wrong.

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

Ok, thanks Alex. That makes the problem a little clearer.

I am assuming these are newbie questions, but I just haven’t had to worry about APCs in the past.

So, why are they disabled and how did they get that way?

I assume I could avoid the error by calling KeAreAllApcsDisabled() and skipping my code if they are, but how do I know if that is the right thing to do? Should I expect the call to come back to me again later when APCs are enabled or will I possibly never get another callback? If I will never get a callback in pre-read what is the right way to handle this so that I can open the file with FltCreateFileEx*?

Entering a guarded region can disable special kernel APCs (KeEnterGuardedRegion).
Do you use them?

Lijun


From: xxxxx@charter.net
To: Windows File Systems Devs Interest List
Sent: Tue, January 5, 2010 6:07:30 PM
Subject: RE:[ntfsd] Filter Verifier Error

> Ok, thanks Alex. That makes the problem a little clearer.
>
> I am assuming these are newbie questions, but I just haven’t had to worry about APCs in the past.
>
> So, why are they disabled and how did they get that way?
>
> I assume I could avoid the error by calling KeAreAllApcsDisabled() and skipping my code if they are, but how do I know if that is the right thing to do? Should I expect the call to come back to me again later when APCs are enabled or will I possibly never get another callback? If I will never get a callback in pre-read what is the right way to handle this so that I can open the file with FltCreateFileEx*?


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

KeEnterCriticalRegion() is typically the point where they become disabled,
you are supposed to do this before waiting on ERESOURCES. However,
sometimes you may be called by another driver with APCS disabled.

t.


KeEnterCriticalRegion disables the delivery of normal kernel APCs; special kernel-mode APCs are still enabled.


From: Tracy Camp
To: Windows File Systems Devs Interest List
Sent: Tue, January 5, 2010 6:13:55 PM
Subject: RE:[ntfsd] Filter Verifier Error

> KeEnterCriticalRegion() is typically the point where they become disabled,
> you are supposed to do this before waiting on ERESOURCES. However,
> sometimes you may be called by another driver with APCS disabled.
>
> t.


Also, depending on the OS version, acquiring certain types of locks might disable special kernel APCs.

Are you actually calling FltCreateFile in a preRead callback? Why? What does your code do and what is it that you are trying to accomplish? You know, the standard set of questions :)…

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Lijun Wang
Sent: Tuesday, January 05, 2010 15:18
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Filter Verifier Error

> KeEnterCriticalRegion disables the delivery of normal kernel APCs; special kernel-mode APCs are still enabled.



I use stream contexts to track state.

I acquire/protect the contents via:
KeEnterCriticalRegion()
ExAcquireResourceExclusiveLite()

I release the stream contexts via:
ExReleaseResourceExclusiveLite
KeLeaveCriticalRegion

All that happens immediately before I call the code that gets the error.

I added the following two lines at the very beginning of my pre-read callback and they both return true.

bAllApcsDisabled = KeAreAllApcsDisabled();
bApcsDisabled = KeAreApcsDisabled();

I call FltCreateFileEx to open the file for query attributes, then query the attributes to find out if the offline bit is set, then close the file. If the file is offline, then I retrieve it. From my reading of the NTFSD forum I am under the impression that pre-read/pre-write/pre-acquire for section sync are the appropriate places to do that (as opposed to pre-create). Actually, I used to retrieve all files in pre-create, but switched to pre-read/pre-write/pre-acquire to prevent explorer from downloading all my files when it only wants attributes. Please correct me if I am wrong.
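
The two predicates checked in the post above, and the critical-region versus guarded-region distinction raised earlier in the thread, as an added user-mode model. It is not code from any poster and not the Windows implementation; the `apc_state` type and all function names are hypothetical, and the model assumes IRQL PASSIVE_LEVEL throughout, as in the reported case.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-mode model of one thread's APC-disable state at
   PASSIVE_LEVEL; it only mirrors the documented rules of the kernel
   routines named in the comments. */
typedef struct {
    int critical_depth; /* nested KeEnterCriticalRegion calls */
    int guarded_depth;  /* nested KeEnterGuardedRegion calls  */
} apc_state;

static void enter_critical(apc_state *t) { t->critical_depth++; }
static void leave_critical(apc_state *t) { t->critical_depth--; }
static void enter_guarded(apc_state *t)  { t->guarded_depth++; }
static void leave_guarded(apc_state *t)  { t->guarded_depth--; }

/* Models KeAreApcsDisabled(): TRUE in a critical OR a guarded region. */
static bool are_apcs_disabled(const apc_state *t) {
    return t->critical_depth > 0 || t->guarded_depth > 0;
}

/* Models KeAreAllApcsDisabled(): TRUE only when special kernel APCs are
   disabled as well, i.e. inside a guarded region. */
static bool are_all_apcs_disabled(const apc_state *t) {
    return t->guarded_depth > 0;
}

/* The condition the verifier message names, for PASSIVE_LEVEL only. */
static bool may_issue_io(const apc_state *t) {
    return !are_all_apcs_disabled(t);
}

static void report(const char *where, const apc_state *t) {
    printf("%-34s KeAreApcsDisabled=%d KeAreAllApcsDisabled=%d io_ok=%d\n",
           where, are_apcs_disabled(t), are_all_apcs_disabled(t),
           may_issue_io(t));
}

int main(void) {
    apc_state t = {0, 0};
    report("plain PASSIVE_LEVEL", &t);
    enter_critical(&t); report("own critical region only", &t);
    leave_critical(&t);
    enter_guarded(&t);  report("caller's guarded region", &t);
    enter_critical(&t); leave_critical(&t);
    report("after own enter/leave critical", &t); /* still blocked */
    leave_guarded(&t);  report("caller left guarded region", &t);
    return 0;
}
```

In this model a critical region on its own never makes the second predicate true, so both returning TRUE on entry to a callback means the state was set before the callback's own lock code ran.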

FYI, you can use FltAcquireResourceExclusive :).

Anyway, depending on the OS version special kernel APCs might be disabled during some types of reads and writes. What type of read is this? Which file?

I don’t know how other HSM products deal with this. Perhaps someone on the list might contribute some suggestions.

One way I would do it would be to remember if the offline flag is set by setting a context on the file during create (as opposed to opening the file when I need to know this fact). This way, when I would know for sure that I need to retrieve the file (by whatever logic) I could simply look at the context to figure out whether the file is actually offline or not. No context would indicate the file is local (or is not interesting for some reason) so there would be nothing to do for such files. In fact it seems to me that outside the create path I could always return FLT_PREOP_SUCCESS_NO_CALLBACK for files that don’t have any context because I know they have to be local so this would be the first check I’d make in my callbacks. But again, I have no experience with HSMs so I might be overlooking something…

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

Are you using reparse points too? If so, that’s probably a more
reliable indicator of whether or not a file is yours than the offline
bit. We set a reparse point and set up the stream context containing
the state information on create, and then update it as the restore
process goes along. That way on read, there’s no need to query
information from the file itself.

Eric


Will it be okay to skip “FltQueryInformationFile” if “KeAreAllApcsDisabled” returns true?

I am also facing a similar type of verifier message in case of calling “FltQueryInformationFile” from pre-create.

Thread is over 9 years old. Start a new thread if you’re having a problem (and post the debugger output so we can see what you’re seeing)