Detecting FSCTL_DISMOUNT_VOLUME in volume filter driver

Hi,

I am attaching to FS CDO from my volume filter driver (WDM). I am getting IRP_MN_MOUNT_VOLUME by monitoring IRP_MJ_FILE_SYSTEM_CONTROL. However, I am not getting FSCTL_DISMOUNT_VOLUME here. I am monitoring IRP_MN_USER_FS_REQUEST and IRP_MN_KERNEL_CALL both. I was under the impression that IrpSp->Parameters.FileSystemControl.FsControlCode for this IRP_MNs would give me FSCTL_DISMOUNT_VOLUME. But it seems to me that these FSCTL are not being sent to CDO. Are they sent only to VDO of FS stack ? Do I need to attach to VDOs to receive these notifications ?

Is there any other easier way to receive notifications on volume dismount from my volume filter driver. IOCTL_VOLUME_OFFLINE seems to be coming a bit too late for me because even before I get this IOCTL I am not able to write to volume device object below me as it seems to be locked and any attempt to write returns STATUS_DEVICE_OFF_LINE to me.

Any suggestions ?

Thanks,
Ukis

This is correct.

Have you tried registering for GUID_IO_VOLUME_DISMOUNT notification? This is
triggered by the file system prior to the dismount. You’ll need to call
IoRegisterPlugPlayNotification for EventCategoryTargetDeviceChange and
specify GUID_IO_VOLUME_DISMOUNT as the GUID.

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntdev…

Hi,

I am attaching to FS CDO from my volume filter driver (WDM). I am getting
IRP_MN_MOUNT_VOLUME by monitoring IRP_MJ_FILE_SYSTEM_CONTROL. However, I am
not getting FSCTL_DISMOUNT_VOLUME here. I am monitoring
IRP_MN_USER_FS_REQUEST and IRP_MN_KERNEL_CALL both. I was under the
impression that IrpSp->Parameters.FileSystemControl.FsControlCode for this
IRP_MNs would give me FSCTL_DISMOUNT_VOLUME. But it seems to me that these
FSCTL are not being sent to CDO. Are they sent only to VDO of FS stack ? Do
I need to attach to VDOs to receive these notifications ?

Is there any other easier way to receive notifications on volume dismount
from my volume filter driver. IOCTL_VOLUME_OFFLINE seems to be coming a bit
too late for me because even before I get this IOCTL I am not able to write
to volume device object below me as it seems to be locked and any attempt to
write returns STATUS_DEVICE_OFF_LINE to me.

Any suggestions ?

Thanks,
Ukis

note that processing GUID_IO_VOLUME_DISMOUNT should be done with caution as the OS does this synchronously. ie: don’t do too much work or you may create issues, especially in a clustered environment. If the cluster service isn’t able to process dismount fast enough it will just pull the plug on your disks.