isolation minifilter - why twice IRP_MJ_CLEANUP

Recently, we have been building isolation filter drivers as minifilter drivers.

Recently, while testing the filter driver, I noticed the following strange symptoms. Obviously, IRP_MJ_CLEANUP and IRP_MJ_CLOSE were called to close the FCB, but after that, IRP_MJ_CLEANUP was called again.

I call “notepad isolationtest.txt” from cmd.exe:

[WinIOSol] EvtID=000006477 IRP=IRP_MJ_CREATE Proc=002520,notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006477 >> Disposition=FILE_OPEN ShareAccess=FILE_SHARE_READ OpFlags= DesiredAccess=FILE_READ_ATTRIBUTES| CreateOptions=FILE_OPEN_REPARSE_POINT|
[WinIOSol] EvtID=000006477 FilterPreCreate Status=0x00000000,STATUS_SUCCESS Information=FILE_OPENED Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] CcAcquireForLazyWrite Thread=89A31B00 Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006479 IRP=IRP_MJ_QUERY_INFORMATION Thread=89181210,89181210 Class=FileBasicInformation Length=40 Proc=002520,\notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] CcReleaseFromLazyWrite Thread=89A31B00 Open=1 Clean=1 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006481 IRP=IRP_MJ_CLEANUP Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=1 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006482 IRP=IRP_MJ_CLOSE Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=0 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006482 UninitializeFCB Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006499 IRP=IRP_MJ_CLEANUP Thread=89181210,89181210 Proc=002520,\notepad.exe Open=1 Clean=1 Ref=1 Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] FilterPreAcquireCcFlush Thread=89181210 Open=1 Clean=0 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006500 IRP=IRP_MJ_WRITE,NORMAL Thread=89181210,89181210 Proc=002520,\notepad.exe Src=C:\Documents and Settings\Administrator\isolationtest.txt
[WinIOSol] EvtID=000006500 >> IrpFlags=IRP_INPUT_OPERATION|IRP_NOCACHE|IRP_PAGING_IO|IRP_SYNCHRONOUS_PAGING_IO| OpFlags= Key=0 Length=4096 ByteOffset=0 Buffer=00000000
[WinIOSol] FilterPreReleaseCcFlush Thread=89181210 Open=1 Clean=0 Ref=1 Name=C:\Documents and Settings\Administrator\isolationtest.txt

My code: https://github.com/jgh0721/Win-IO-Monitor

You have a bug someplace. The FCB is referenced for each IRP_MJ_CREATE and dereferenced on each IRP_MJ_CLOSE. Once the last IRP_MJ_CLOSE arrives there will be no more operations against the FCB.

There are a lot of annoying races in getting this correct. Isolation filters don’t usually do the tracking themselves, though; you simply set a stream context on the lower FCB and let the file system deal with it. Then when the lower FCB goes away you tear down your own FCB.
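
A user-mode model of the counting rule stated in the reply above (reference per IRP_MJ_CREATE, dereference per IRP_MJ_CLOSE, nothing after the last close), added here as an example and not taken from the thread or from the poster's driver. It replays log lines in the question's format and returns the first line where an IRP reaches an FCB that nothing references any more. The names `fcb_model`, `fcb_apply` and `first_violation` are hypothetical, the sample lines are constructed from the event order in the question with fields trimmed, and only a single file is tracked.

```c
#include <stdio.h>
#include <string.h>

/* One FCB: handles = creates minus cleanups, refs = creates minus closes. */
typedef struct { int handles; int refs; } fcb_model;

/* True if the major-function name at irp is exactly name (ends at ' ', ',' or NUL). */
static int irp_is(const char *irp, const char *name)
{
    size_t n = strlen(name);
    return strncmp(irp, name, n) == 0 && strchr(" ,", irp[n]) != NULL;
}

/* Apply one log line; returns -1 when the IRP targets an FCB nothing references. */
static int fcb_apply(fcb_model *f, const char *line)
{
    const char *irp = strstr(line, "IRP=IRP_MJ_");
    if (irp == NULL) return 0;            /* driver's own trace line, not an IRP */
    irp += strlen("IRP=IRP_MJ_");
    if (irp_is(irp, "CREATE")) { f->handles++; f->refs++; return 0; }
    if (f->refs == 0) return -1;          /* arrived after the last IRP_MJ_CLOSE */
    if (irp_is(irp, "CLEANUP")) {
        if (f->handles == 0) return -1;   /* more cleanups than creates */
        f->handles--;
    } else if (irp_is(irp, "CLOSE")) {
        f->refs--;
    }
    return 0;   /* other IRPs (e.g. paging writes after cleanup) are fine while refs > 0 */
}

/* Index of the first inconsistent line, or -1 if the trace balances. */
int first_violation(const char *const *lines, size_t n)
{
    fcb_model f = {0, 0};
    for (size_t i = 0; i < n; i++)
        if (fcb_apply(&f, lines[i]) != 0) return (int)i;
    return -1;
}

/* Constructed sample: same event order as the trace in the question, fields trimmed. */
static const char *const SAMPLE_TRACE[] = {
    "[WinIOSol] EvtID=1 IRP=IRP_MJ_CREATE Src=isolationtest.txt",
    "[WinIOSol] EvtID=2 IRP=IRP_MJ_CLEANUP Src=isolationtest.txt",
    "[WinIOSol] EvtID=3 IRP=IRP_MJ_CLOSE Src=isolationtest.txt",
    "[WinIOSol] EvtID=3 UninitializeFCB Src=isolationtest.txt",
    "[WinIOSol] EvtID=4 IRP=IRP_MJ_CLEANUP Src=isolationtest.txt",
};

int main(void) { printf("first violation: line %d\n", first_violation(SAMPLE_TRACE, 5)); return 0; }
```

A hit on a cleanup with no preceding create, as in the sample, means the counters and the I/O the filter actually sees have diverged; the model does not say which side is wrong.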

Thanks for the reply.

Thanks to that, I got a hint on that problem.

P.S. I couldn’t think of adding and managing a stream context on the lower FCB in the isolation filter. If so, is it possible to do it that way when trying to do isolation filter + encryption?