Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


FsRtlIsNameInExpression in IRP_MJ_DIRECTORY_CONTROL

MDHMDH Member Posts: 20

Seems like FsRtlIsNameInExpression was made specifically for directory messages but according to the docs, it must be called at PASSIVE while IRP_MJ_DIRECTORY_CONTROL can be called at APC (https://community.osr.com/discussion/252635). Am I missing something here or is it really not safe to call this from the pre-op?

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,302

    You're fine, FsRtlIsNameInExpression isn't going to do anything that requires an APC. If you want extra proof you can see that FAT calls FsRtlIsNameInExpression in the directory control handler so if it's not safe we're all doomed...(FatQueryDirectory->FatLocateDirent->FsRtlIsNameInExpression)

    -scott
    OSR

  • MDHMDH Member Posts: 20

    Thanks Scott. I noticed it also gets called in CDFS as well. So does that mean that it'd also be safe to call when holding a guarded mutex regardless of what this (https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/fast-mutexes-and-guarded-mutexes) says?

    "In particular, kernel routines that are illegal to call at IRQL = APC_LEVEL should not be called from a code path that is protected by either a fast mutex or a guarded mutex."

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,302

    Yes, that would be fine. The Rtl/FsRtl routines are generally overly restrictive in the documentation by saying they require PASSIVE_LEVEL.

    APC_LEVEL or PASSIVE_LEVEL in a Guarded Region mostly don't matter until you try to synchronously call an I/O Zw routine with APCs disabled (because they use APCs to signal completion).

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA