I am in the design phase of a Filesystem minifilter driver. In the driver, I want to do some processing (which is supposed to be done at <= APC_LEVEL) in the preoperation callback for IRP_MJ_WRITE. From the documentation, I could find the following :
PFLT_PRE_OPERATION_CALLBACK function pointer :
https://msdn.microsoft.com/en-us/library/windows/hardware/ff551109(v=vs.85).aspx :
The IRQL for this generic callback routine depends on its specific IO paths.
Writing Preoperation Callback Routines :
https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/writing-preoperation-callback-routines (breaking it into 4 parts) :
- Like a dispatch routine, a preoperation callback routine can be called at IRQL = PASSIVE_LEVEL or at IRQL = APC_LEVEL.
- Typically it is called at IRQL = PASSIVE_LEVEL, in the context of the thread that originated the I/O request.
- For fast I/O and file system filter (FsFilter) operations, the preoperation callback routine is always called at IRQL = PASSIVE_LEVEL.
- However, for an IRP-based operation, a minifilter driver’s preoperation callback routine can be called in the context of a system worker thread if a higher filter or minifilter driver pends the operation for processing by the worker thread.
In the 4th part above, is there any caveat where the callback can be called at greater than APC_LEVEL ? There is an old non-concluded thread related to this :
https://www.osronline.com/showthread.cfm?link=234258
Is it safe to assume that the callback will always be running at <= APC_LEVEL [considering there is no faulty driver on the system] ?