I’m always suspicious when someone claims a bug in Windows, but as far as I can tell, this code meets all documented requirements. If I’m wrong, please show me.
This minifilter code has worked for many years, but as soon as a Windows 10 computer starts Windows Sandbox, a page fault happens.

    PostOperationCallback(PFLT_CALLBACK_DATA Data...)
    {
        switch(Data->Iopb->MajorFunction)
        {
            case IRP_MJ_CREATE:
            {
                PECP_LIST EcpList = NULL;
                if (KeGetCurrentIrql() <= APC_LEVEL)
                {
                    NTSTATUS status = FltGetEcpListFromCallbackData(Filter, Data, &EcpList);
                    if((STATUS_SUCCESS == status) && (NULL != EcpList))
                    {
                        SRV_OPEN_ECP_CONTEXT* pEcpContext = NULL;
                        ULONG EcpContextSize = 0;
                        status = FltFindExtraCreateParameter(Filter, EcpList, &GUID_ECP_SRV_OPEN, (void*)&pEcpContext, &EcpContextSize);
                        if((STATUS_SUCCESS == status) && (NULL != pEcpContext))
                        {
                            if(NULL != pEcpContext->SocketAddress)
                            {
                                switch(pEcpContext->SocketAddress->ss_family) // <---- causes page fault

I’m assuming the SocketAddress is paged out in this specific case, but only when Windows Sandbox is running?