Synchronous Mod Write w/ Context

Hello all,

I need to associate writes to a particular file with a process. The bulk of this project has been pretty straightforward but I am having issues capturing the ‘originator’ process ID. An example problem scenario is as follows:

hFile = CreateFileA();
hMapping = CreateFileMapping();
lpMemory = MapViewOfFile();

CloseHandle(hFile);
CloseHandle(hMapping);

*lpMemory = 0x12345678;

As I understand, these writes are passed to the mod writer for writing at a later time. In trying to prove the concept, I initialized a cache map during IRP_MJ_ACQUIRE_FOR_SECTION_SYNC just so I could supply a context (the process) to the AcquireForLazyWrite callback. In testing, I found that this worked pretty well, but I am not sure if the stream handle context is isolated.

To add to the complexity, I’d like to be able to force the write to be synchronous. I’ve been calling CcFlushCache() from within IRP_MJ_RELEASE_FOR_SECTION_SYNC to force a synchronous IRP_MJ_WRITE from the system context. I still have a stream handle context at this point so have been able to ID the process in this manner (I thought these are closed as soon as the handles are closed, but it doesn’t seem so). I tried FltFlushBuffers() but encountered a deadlock – if this is how I should be flushing these writes, what is a good spot to call from?

My questions:
I realize that using Cc functions from a MF is probably discouraged – am I screwing something up by initializing a cache map on the section synchronization?
Is there a way to force mod writes synchronously (FltFlushBuffers?) and if so, will I still have the process context I’m looking for?
Multiple processes may be accessing this file, is there a possibility for overlap in contexts (are these ‘shared’ between processes given that there are a maximum possible 2? sections per FILE_OBJECT?).

Thanks! I read quite a bit about memory mapped files where I could on the forum, I apologize if I missed my answer!

Best,
EK

We discussed this just last week. In short, your methodology is flawed.

Why not just capture section creation? You have all you need at that point.

Cc functions from a MF is probably discouraged -
Discouraged as in “if you don’t own the filesystem you will eventually deadlock and crash a customer’s system”.

To add to Rod’s comments…

There’s no definitive way to track the write back to a particular process in this case. For example, if two processes execute your scenario above you can still only get one paging write in the System process. Which process is “the writer” in that case?

You have to assume that if the caller is creating a writable section then they’re going to write to the section. Sometimes you’ll be wrong and they won’t write but you at least fail safe.
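
The approach suggested in the replies, sketched as a user-mode C model added here (not code from the thread, and not driver code): record every process that creates a writable section on a stream, and treat a later paging write as attributable only to that candidate set. `stream_writers` and `on_section_create` are hypothetical names, the PIDs are constructed sample values, and excluding copy-on-write protections is an assumption of this example.

```c
/* User-mode model of "capture section creation"; not driver code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants mirror the Windows SDK/WDK values. */
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE_READWRITE 0x40
enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 };

#define MAX_WRITERS 8
/* Hypothetical per-stream record: processes that created a writable section. */
typedef struct { uint32_t pids[MAX_WRITERS]; size_t count; } stream_writers;

/* Assumption: copy-on-write pages never reach the file, so only the
 * shared-write protections count. Modifier bits above the low byte are ignored. */
static int is_writable_section(int sync_type, uint32_t prot)
{
    uint32_t base = prot & 0xFF;
    if (sync_type != SyncTypeCreateSection) return 0;
    return base == PAGE_READWRITE || base == PAGE_EXECUTE_READWRITE;
}

/* Returns 1 if pid is tracked as a potential writer, 0 if the section is not
 * writable, -1 if the table is full (fail safe: treat the writer as unknown). */
static int on_section_create(stream_writers *s, uint32_t pid,
                             int sync_type, uint32_t prot)
{
    if (!is_writable_section(sync_type, prot)) return 0;
    for (size_t i = 0; i < s->count; i++)
        if (s->pids[i] == pid) return 1;          /* already recorded */
    if (s->count == MAX_WRITERS) return -1;
    s->pids[s->count++] = pid;
    return 1;
}

int main(void)
{
    stream_writers s = {0};
    /* Constructed sample: two processes map the file writable, one read-only. */
    on_section_create(&s, 1111, SyncTypeCreateSection, PAGE_READWRITE);
    on_section_create(&s, 2222, SyncTypeCreateSection, PAGE_READWRITE);
    on_section_create(&s, 3333, SyncTypeCreateSection, PAGE_READONLY);
    /* A later paging write in the System process maps to this whole set. */
    for (size_t i = 0; i < s.count; i++)
        printf("candidate writer: %u\n", (unsigned)s.pids[i]);
    return 0;
}
```

With two writable mappings recorded, the model reports both PIDs as candidates, which is the ambiguity the last reply describes.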