getting error STATUS_TRANSACTION_NOT_ACTIVE while calling FltGetFileNameInformation from minifilter.

iradization42 Member Posts: 4
edited July 2019 in NTFSD

Hi, I'm running a POC for the process doppelganger injection method, which creates an NTFS transaction on an unsuspected file (svchost.exe) to copy a malicious payload,
executes it, and eventually rolls back the transaction before closing the file so it will be undetected by AV. (see code here
In my setup there's also a minifilter driver installed that gets a callback on file preCleanup events. The callback function calls the kernel API FltGetFileNameInformation with the nameOption param set to FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT.
According to the documentation, the option FLT_FILE_NAME_QUERY_DEFAULT says that "If it is not currently safe to query the file system for the file name, FltGetFileNameInformation does nothing."
In my scenario FltGetFileNameInformation sometimes fails with error c0190003 (STATUS_TRANSACTION_NOT_ACTIVE).
I wish to better understand the nature of this error code and why it's triggered. My best guess is that somewhere before the file transaction is rolled back, the process that runs the POC terminated, so that the file gets closed with a pending transaction that is neither rolled back nor committed.

// Created a transaction, handle hTransaction
HANDLE hTransaction = CreateTransaction(NULL,0,0,0,0,0, temp);

//CreateFileTransacted on file %fileFullPath, handle %hTransactedFile
HANDLE hTransactedFile = CreateFileTransacted(fileFullPath,

    // process may be terminated somewhere here 

//rolling back the original svchost

Has anybody ever encountered this error code, and can you confirm or contradict my theory?

thanks !



  • Peter_Viscarola_(OSR) Administrator Posts: 7,890

    Answer me this: Why would we help you do this?

    Wouldn’t we be helping you perfect a method for malware injection?


    Peter Viscarola

  • iradization42 Member Posts: 4

    Hi Peter, by no means my intentions are to create new malware injection method, but a technique to block them (although today doppelganger is detected by Microsoft Defender) - not commercially yet, but for educational purposes, hoping to gain some relevant experience and get into the cyber defense industry.

    What I've seen is when the transacted file is being closed I get the STATUS_TRANSACTION_NOT_ACTIVE error, after the transaction was rolled back perfectly.

    Therefore, I'd like to know if there's a way to distinguish between a regular file and a transacted file in the preCleanup callback.

    thanks !

  • Peter_Viscarola_(OSR) Administrator Posts: 7,890

    by no means my intentions are to create new malware injection method

    I believe you. Really, I do.

    Can I have your bank account number, please? Just so I can check to see what a bank account number in your country looks like?

    By no means are my intentions to steal your money. But for educational purposes.


    Peter Viscarola
