APCs disabled in IRP_MJ_CREATE post operation Win11 24H2

Klincent · December 20, 2024, 3:51pm

Hi,

I have a filesystem minifilter which for happycases returns FLT_PREOP_SYNCHRONIZE from IRP_MJ_CREATE preoperation.
Then, in postoperation minifilter calls FltQueryInformationFile to get FileId.
Documentation of FltQueryInformationFile says "Callers of FltQueryInformationFile must be running at IRQL = PASSIVE_LEVEL and [with APCs enabled]" therefore minifilter checks

	if (KeAreApcsDisabled() || KeAreAllApcsDisabled())
		return STATUS_ACCESS_DENIED;

	status = FltQueryInformationFile( Instance,
                                    FileObject,
                                    &basicInfo,
                                    sizeof(FILE_BASIC_INFORMATION),
                                    FileBasicInformation,
                                    NULL );

When recently tested on win11 24H2 I was surprised that APCs were consistently disabled on each call. I installed 24H2 on 2 laptops, also on one VM with same results. Is this new behaviour expected? Similar code, in well know example of filesystem minifilter avscan does not apply these checks. Otoh documentation, as I citated above forbids FltQueryInformationFile with disabled APCs so I would like to also ask, what should be done here? Shall minifilter call FltQueryInformationFile regardless state of APCs? Or shall it call the FsRtlQueryInformationFile when it detects APCs are disabled?

Thank you

DymOK93 · December 24, 2024, 11:28pm

Your check is incorrect: FltQueryInformationFile requires only special kernel APCs to be enabled, so

if (KeAreAllApcsDisabled())
   return STATUS_ACCESS_DENIED;

Hate MSDN bugs

But this check is also redundant, since post-create is always called at PASSIVE_LEVEL with kernel special APCs enabled, this is the FLTMGR contract.

There is no need to return FLT_PREOP_SYNCHRONIZE, just use FLT_PREOP_SUCCESS_WITH_CALLBACK: "Minifilter drivers should not return FLT_PREOP_SYNCHRONIZE for create operations, because these operations are already synchronized by *FltMgr"

Klincent · December 25, 2024, 8:54am

Thank you for response.

I did a test on my win11 24H2 and observed that in postcreate KeAreApcsDisabled()==true and KeAreAllApcsDisabled()==false.
I can confirm that calling FltQueryInformationFile() worked, however, test sample size is so far low.

My understanding is that under MSDN bug you meant that documentation is not specific enough about FltQueryInformationFile() and it shall say that "special kernel APCs must be enabled", is that right?

I still find it quite surprising, prior 24H2 in postcreate I consistently get KeAreApcsDisabled()==false.

Klincent

DymOK93 · December 25, 2024, 12:29pm

Yes

This may be a protection against thread suspending during IRP_MJ_CREATE processing.
Old behavior resulted in leaks of ECPs allocated by minifilters (ECPs are released after all IRP_MJ_CREATEs have been processed - there may be multiple requests due to reparse points, but FLTMGR didn't take this into account, so the minifilter could be unloaded between requests)

system · January 24, 2025, 12:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.