Each time a VSS snapshot device is created, I attach a filter to that device object. When the VSS snapshot is deleted, the remove device is called, and I am able to tear down my filter.
Now, if I enable System Recovery snapshots on a volume (C: for example), I see some strange behavior. I do not know if this is normal, or if I need to address the issue. When our software's VSS snapshot is created, everything seems to work as expected. However, after the IOCTL_VOLSNAP_DELETE_SNAPSHOT is detected, I never see the remove device for the snapshot device. I see the IOCTL_VOLUME_OFFLINE sent to the snapshot device, but the remove device is never received. Eventually, I can have hundreds of these device objects being filtered. What is even more strange: let's say I have 200 filters attached on a volume's snapshot chain because they are not deleted. When the system is rebooted, these 200 filter device objects are once again created and I attach. If I use various VSS tools after boot to peek into VSS via the APIs, I only see the snapshot created by System Recovery, so there are not 200 snapshots, only the two. But my filter is attached to 200 device objects.
If I delete the system recovery snapshot, I will see all 200 device objects get their remove device calls.
Has anyone encountered this? I know there is a default of 512 snapshots. I may run up to the 512 and see what happens.