Recently, we are making isolation filter drivers through mini filter drivers.
Recently, while testing the filter driver, I noticed the following strange symptoms. Obviously, IRP_MJ_CLEANUP and IRP_MJ_CLOSE were called to close the FCB, but after that, IRP_MJ_CLEANUP is called again.
i call “notepad isolationtest.txt” on cmd.exe
[WinIOSol] EvtID=000006477 IRP=IRP_MJ_CREATE Proc=002520,notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006477 >> Disposition=FILE_OPEN ShareAccess=FILE_SHARE_READ OpFlags= DesiredAccess=FILE_READ_ATTRIBUTES| CreateOptions=FILE_OPEN_REPARSE_POINT|
[WinIOSol] EvtID=000006477 FilterPreCreate Status=0x00000000,STATUS_SUCCESS Information=FILE_OPENED Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] CcAcquireForLazyWrite Thread=89A31B00 Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006479 IRP=IRP_MJ_QUERY_INFORMATION Thread=89181210,89181210 Class=FileBasicInformation Length=40 Proc=002520,\notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] CcReleaseFromLazyWrite Thread=89A31B00 Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006481 IRP=IRP_MJ_CLEANUP Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=1 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006482 IRP=IRP_MJ_CLOSE Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=0 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006482 UninitializeFCB Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006499 IRP=IRP_MJ_CLEANUP Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=1 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] FilterPreAcquireCcFlush Thread=89181210 Open=1 Clean=0 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006500 IRP=IRP_MJ_WRITE,NORMAL Thread=89181210,89181210 Proc=002520,\notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006500 >> IrpFlags=IRP_INPUT_OPERATION|IRP_NOCACHE|IRP_PAGING_IO|IRP_SYNCHRONOUS_PAGING_IO| OpFlags= Key=0 Length=4096 ByteOffset=0 Buffer=00000000
[WinIOSol] FilterPreReleaseCcFlush Thread=89181210 Open=1 Clean=0 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt