I’ve developed a mini-filter driver that intercepts a sequence of callbacks including create, read, write, and close. I’m trying to perform certain operations during the close callback, and those operations work fine when I open, edit, or create a file.
However, when I copy-paste or move a file, the close callback is not triggered unless the file is explicitly opened. I also tried handling this in the cleanup callback, but that wasn’t triggered either.
Could someone help me understand why this happens or suggest a solution?
You get an IRP_MJ_CLEANUP when the last HANDLE to a File Object goes away. The IRP_MJ_CLOSE comes when the last reference to a File Object goes away.
So, you’ll generally see a cleanup once the app calls CloseHandle. The close might be delayed indefinitely if the Cc or Mm are caching the file.
This behavior of “never seeing a close” has been discussed ad nauseum on this list over the years. Try googling “irp_mj_close site:community.osr.com”, there’s a lot to go over in terms of why this happens and is expected. Expect it to take time to go through all this, understand it, and then go properly design your filter.
I also go over it in depth in our minifilter seminar as I strongly believe understanding the architectural concepts behind all this behavior is important to successfully create a file system filter.