Hi
I have written a file system mini filter driver and registered preCreate and postCreate callbacks. In these callbacks I am writing logs in a text file using ZwCreateFile and ZwWriteFile.
This is working fine.
Why don’t I get the calback for this ZwCreateFile?
Shouldn’t I use FltCreateFile and FltWriteFile?
You don’t get the callback because the minifilter support handles the
ZwXXX calls and FltXXX calls so they only go down the stack to the lower
drivers.
Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“xxxxx@gmail.com” wrote in message
news:xxxxx@ntfsd:
> Hi
>
> I have written a file system mini filter driver and registered preCreate and postCreate callbacks. In these callbacks I am writing logs in a text file using ZwCreateFile and ZwWriteFile.
> This is working fine.
> Why don’t I get the calback for this ZwCreateFile?
> Shouldn’t I use FltCreateFile and FltWriteFile?
Then why is FltCreateFile given when ZwCreateFile is already there?
If you open the file using ZwCreateFile you should see an IRP_MJ_CREATE for it. If you open the file using FltCreateFile(Ex(2)) then you won’t see the IRP_MJ_CREATE. Please note that the right way to open the handle from a minifilter while processing an IO request is via FltCreateFile, ZwCreateFile will create interesting problems, like infinite loops and deadlocks.
I don’t know why you’re not seeing your create callback but there could be many factors and i don’t know if it’s worth investigating since you should be using FltCreateFile anyway.
I wrote a post on the topic of when to use Flt and when to use Zw calls, here (http://fsfilters.blogspot.com/2010/02/issuing-io-in-minifilters-part-1.html and http://fsfilters.blogspot.com/2010/02/issuing-io-in-minifilters-part-2-flt-vs.html).
Thanks,
Alex.
Thanks Alex 