Seeing multiple IRP_MJ_CREATE post operations (with stream_context)

Hello. My minifilter driver catches the IRP_MJ_CREATE operation (post), then I get the filename (exe extensions only) and copy the filename to a stream context to send it to IRP_MJ_CLEANUP. But sometimes I am seeing multiple callbacks.
For example, in the Python interpreter:

f = open("2.exe", 'wb')
f.close()
f = open("2.exe", 'wb')

in DbgView:
Context not found creating…:\Device\HarddiskVolume4\Users\admin\Desktop\2.exe
Context found:\Device\HarddiskVolume4\Users\admin\Desktop\2.exe

This works well. But when I open Notepad, write some random data, and save it as an exe file, I see multiple callbacks in DbgView:

Context not found creating…:\Device\HarddiskVolume4\Users\admin\Desktop\3.exe
Context not found creating…:\Device\HarddiskVolume4\Users\admin\Desktop\3.exe

Non-production code:

FLT_POSTOP_CALLBACK_STATUS PostOpCreate(PFLT_CALLBACK_DATA Data,
	PCFLT_RELATED_OBJECTS FltObjects,
	PVOID CompletionContext,
	FLT_POST_OPERATION_FLAGS Flags)
{

	PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
	PSCANNER_STREAM_CONTEXT scannerContext = NULL;
	NTSTATUS status;

	if (!NT_SUCCESS(Data->IoStatus.Status) ||
		(STATUS_REPARSE == Data->IoStatus.Status)) {
		return FLT_POSTOP_FINISHED_PROCESSING;
	}

	status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);
	if (!NT_SUCCESS(status))
	{
		goto exit;
	}

	status = FltParseFileNameInformation(FileNameInfo);
	if (!NT_SUCCESS(status))
	{
		goto exit;
	}

	if (FltObjects->FileObject->WriteAccess)
	{

		if (FileNameInfo->Extension.Length > 0 && FileNameInfo->Extension.Buffer != NULL)
		{
			if (RtlCompareUnicodeString(&FileNameInfo->Extension, &ExeExtension, FALSE) != 0)
			{
				goto exit;
			}

			status = FltGetStreamContext(FltObjects->Instance, FltObjects->FileObject, &scannerContext);
			if (NT_SUCCESS(status))
			{
				DbgPrint("Context found:%S\n", scannerContext->Path);
				/*scannerContext->reScan = TRUE;*/
				/*FltSetStreamContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_KEEP_IF_EXISTS, &scannerContext, NULL);*/
				goto exit;
			}
			else if (status == STATUS_NOT_FOUND)
			{
				/* %wZ expects a pointer to a UNICODE_STRING, not the structure itself. */
				DbgPrint("Context not found creating...:%wZ\n", &FileNameInfo->Name);
				status = FltAllocateContext(hXRFilter, FLT_STREAM_CONTEXT, sizeof(SCANNER_STREAM_CONTEXT), NonPagedPool, &scannerContext);
				if (NT_SUCCESS(status))
				{
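					/* Path is assumed to be a fixed-size WCHAR array inside SCANNER_STREAM_CONTEXT.
					   Copy only the valid bytes (Length, not MaximumLength), clamp to the array
					   size, and NUL-terminate so the later %S print cannot read past the buffer. */
					SIZE_T copyBytes = FileNameInfo->Name.Length;
					if (copyBytes > sizeof(scannerContext->Path) - sizeof(WCHAR))
					{
						copyBytes = sizeof(scannerContext->Path) - sizeof(WCHAR);
					}
					scannerContext->reScan = FALSE;
					RtlCopyMemory(scannerContext->Path, FileNameInfo->Name.Buffer, copyBytes);
					scannerContext->Path[copyBytes / sizeof(WCHAR)] = UNICODE_NULL;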
					FltSetStreamContext(FltObjects->Instance, FltObjects->FileObject, FLT_SET_CONTEXT_REPLACE_IF_EXISTS, scannerContext, NULL);
					goto exit;
				}
			}
			else {
				goto exit;
			}

		}
	}

exit:
	if (FileNameInfo != NULL)
	{
		FltReleaseFileNameInformation(FileNameInfo);
	}

	if (scannerContext != NULL)
	{
		FltReleaseContext(scannerContext);
	}
	
	return FLT_POSTOP_FINISHED_PROCESSING;
}

What is the problem and how can I solve it? Thank you for reading…

Why do you think that there is a problem? Have you looked at the operations stream with FileSpy or Procmon to see what happens between the creates?

Are you sure that the file hasn’t been deleted, or renamed, or purged from the cache in which case a new context would be expected…


Thanks for the response. I actually don't think there is a problem. But I am just looking for a way to scan the file just once. Because I only scan the filename, if there are a lot of callbacks with the same filename I must scan all of them. For this reason I am looking for a way to prevent this. And my second question is: how do I know that a post IRP_MJ_CLEANUP is the last callback? Because suppose I open a file for write and write data to the file, and without CloseHandle I see the post cleanup, and when I scan the file, the file isn't closed and maybe the written data has not been flushed to the file, and when I open the file for reading I see nothing.