Help on no FastIoQueryOpen

I found on a server that file operations were not going through FastIoQueryOpen but directly through QueryOpen, causing my filter driver to miss capturing open query events.
this is from the local normal environment,


this one is from the problematic server.

As I know, in order to catch 'IRP_MJ_QUERY_OPEN' requests, you filter should contain 'SUPPORTED_FS_FEATURES_QUERY_OPEN' flag (0x00000004) in the 'SupportedFeatures' registry parameter.

More on 'SupportedFeatures':

FsRtlGetSupportedFeatures function (ntifs.h)

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.