When to call FsRtlEnterFileSystem/KeEnterCriticalRegion in a minifilter?

Hello!

I am reading the MS avscan sample and noticed that they call FsRtlEnterFileSystem/KeEnterCriticalRegion not before ExAcquireResource***Lite. They call FsRtlEnterFileSystem/KeEnterCriticalRegion in the context of PostCreate, PreCleanup and InstanceSetupCallback. My understanding was that in general we don’t need to call FsRtlEnterFileSystem/KeEnterCriticalRegion in a minifilter. In a file system we call FsRtlEnterFileSystem before acquiring file resources so that the thread does not become suspended.

So when should we care about thread suspension in a minifilter?

Entering a critical region is appropriate whenever suspension of the current thread could lead to deadlocks. In particular, when the current thread obtains a resource that could prevent another thread from making progress indefinitely. In avscan, the AvScan routine enters a critical region before initiating the scan because if the scan initiating thread is suspended, any other thread that tries to access the file being scanned will end up hanging indefinitely waiting for the scan to complete - but it never will.

Generalizing this, a minifilter should enter a critical region whenever it obtains a resource (in the broad sense, not just an ERESOURCE) that, if it is suspended while holding it, will prevent other threads accessing the object the resource is related to from making progress indefinitely. In the file systems themselves, this applies to the file’s main and paging I/O resources. In a minifilter, what this applies to depends on your goals and on your specific design.
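The deferral the answer above relies on, as an added example that is not part of the thread or of the avscan sample: a user-mode C model, not kernel code. The names `model_thread`, `request_suspend` and `waiter_blocked_forever` are hypothetical, and the model assumes only that a suspend request arriving inside a critical region is held until the outermost region is left.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-mode model (constructed): one thread's suspend state, not kernel code. */
typedef struct {
    int  critical_depth;   /* >0 while inside an entered critical region */
    bool suspend_pending;  /* suspend request deferred by the region */
    bool suspended;        /* thread is frozen and makes no progress */
} model_thread;

static void enter_critical_region(model_thread *t) { t->critical_depth++; }

static void leave_critical_region(model_thread *t) {
    /* A deferred suspend takes effect once the outermost region is left. */
    if (--t->critical_depth == 0 && t->suspend_pending) {
        t->suspend_pending = false;
        t->suspended = true;
    }
}

static void request_suspend(model_thread *t) {
    if (t->critical_depth > 0) t->suspend_pending = true;  /* held back */
    else t->suspended = true;                              /* immediate */
}

/* Runs a scan that marks the file "scan in progress" while a suspend request
 * arrives mid-scan. Returns true if a second thread waiting on the file
 * would stay blocked forever. */
static bool waiter_blocked_forever(bool use_critical_region) {
    model_thread scanner = {0, false, false};
    bool scan_in_progress = false;

    if (use_critical_region) enter_critical_region(&scanner);
    scan_in_progress = true;        /* the "resource" in the broad sense */
    request_suspend(&scanner);      /* arrives while the scan is outstanding */
    if (!scanner.suspended)         /* a suspended thread executes nothing more */
        scan_in_progress = false;   /* scan completes, waiters are released */
    if (use_critical_region) leave_critical_region(&scanner);

    return scan_in_progress;        /* still set: the waiter hangs indefinitely */
}

int main(void) {
    printf("no critical region: waiter blocked = %d\n", waiter_blocked_forever(false));
    printf("critical region:    waiter blocked = %d\n", waiter_blocked_forever(true));
    return 0;
}
```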

Thank you very much again Koby!