What is the purpose of fileobject->lock structure in file system filter driver?

Pooja_Bansal Member - All Emails Posts: 44

I am working on a minifilter file system encryption driver based on a shadow file object design.

I can see 2 members in FILE_OBJECT structure.

When should I initialize these and how?

Thanks in advance,


  • rod_widdowson Member - All Emails Posts: 1,120
    > When should I initialize these and how?

    I never have.
  • NtDev_Geek Member - All Emails Posts: 111
    Why do you need this? Tell us your use case first. Why are you even thinking about them...
  • Pooja_Bansal Member - All Emails Posts: 44

    Use case: I am trying to export .pst file on an encrypted network share path.

    Bugcheck is observed as per below call stack:

    00 (Inline Function) --------`-------- nt!InsertTailList+0xf ? the head here is NULL
    01 ffffd000`21ab8a30 fffff804`004949ed nt!KeWaitForSingleObject+0x1ff
    02 (Inline Function) --------`-------- nt!IopWaitForLockAlertable+0x39
    03 ffffd000`21ab8ac0 fffff804`00584687 nt!IopAcquireFileObjectLock+0x85
    04 ffffd000`21ab8b10 fffff804`001627b3 nt!NtUnlockFile+0xeb70b
    05 ffffd000`21ab8bd0 00007ffa`e63ec5ea nt!KiSystemServiceCopyEnd+0x13
    06 0000003c`f538cf68 00007ffa`e37edfad ntdll!ZwUnlockFile+0xa
    07 0000003c`f538cf70 00007ffa`e37edffc KERNELBASE!UnlockFileEx+0x3d
    08 0000003c`f538cfc0 00007ffa`ae808522 KERNELBASE!UnlockFile+0x34
    09 0000003c`f538d020 00007ffa`ae8082e2 mspst32!MSProviderInit+0x6e2a
    0a 0000003c`f538d060 00007ffa`ae8081d8 mspst32!MSProviderInit+0x6bea
    0b 0000003c`f538d0e0 00007ffa`ae8c8950 mspst32!MSProviderInit+0x6ae0
    0c 0000003c`f538d160 00000000`00000000 mspst32!PSTCrashRecovery+0x954

    IopAcquireFileObjectLock is trying to acquire the lock on the file object, and fileobject->Lock is not initialized, as observed.

    In IRP_MJ_CREATE, we are initializing the FileObject and completing it.

    I tried to modify the behavior of IRP_MJ_CREATE by calling KeInitializeEvent( &(FileObject->Lock), SynchronizationEvent , FALSE);

    This helps for this BSOD, but I am not sure if this is expected in a shadow FileObject design.

    Can you please suggest about this.

  • Scott_Noone_(OSR) Administrator Posts: 3,260
    The Lock field is automatically initialized by the I/O Manager for
    synchronous file opens. I can see three possible reasons for your crash:

    1. You've opened a file asynchronously and then played with the File Object

    2. You have a reference counting problem and the File Object was freed

    3. The File Object became corrupt somehow

    You need to dig out the File Object and look at it in the debugger. What
    does !pool say? If you dump out the File Object (dt nt!_FILE_OBJECT address)
    does it look OK or like garbage?

    Also, make sure you turn Driver Verifier on for your driver and FltMgr.sys.
    This might point you to the problem much earlier.



  • NtDev_Geek Member - All Emails Posts: 111
    Like you said, it's a shadow file object based design, so I think you can initialize it at the time of creation of the file object. Did you try without encryption? If yes, what is the I/O manager sending in the first place? If the I/O manager is sending it uninitialized, then there is nothing to worry about.
    If it sends it initialized, then your driver is somehow poking it...
    If in both cases it is uninitialized, then use Driver Verifier and try to reproduce it with Verifier; soon you will get to why it is happening.
