Seems like FsRtlIsNameInExpression was made specifically for directory messages but according to the docs, it must be called at PASSIVE while IRP_MJ_DIRECTORY_CONTROL can be called at APC (https://community.osr.com/discussion/252635). Am I missing something here or is it really not safe to call this from the pre-op?

You’re fine, FsRtlIsNameInExpression isn’t going to do anything that requires an APC. If you want extra proof you can see that FAT calls FsRtlIsNameInExpression in the directory control handler so if it’s not safe we’re all doomed…(FatQueryDirectory->FatLocateDirent->FsRtlIsNameInExpression)

Thanks Scott. I noticed it also gets called in CDFS as well. So does that mean that it’d also be safe to call when holding a guarded mutex regardless of what this (https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/fast-mutexes-and-guarded-mutexes) says?

“In particular, kernel routines that are illegal to call at IRQL = APC_LEVEL should not be called from a code path that is protected by either a fast mutex or a guarded mutex.”

Yes, that would be fine. The Rtl/FsRtl routines are generally overly restrictive in the documentation by saying they require PASSIVE_LEVEL.

APC_LEVEL or PASSIVE_LEVEL in a Guarded Region mostly don’t matter until you try to synchronously call an I/O Zw routine with APCs disabled (because they use APCs to signal completion).