IRP_MJ_CLOSE/IRP_MJ_CLEANUP always in KernelMode?

Hello all,

I am new to the file system driver development, so I apologize in advance if my question does not make a lot of sense.

I have been looking at the sample code provided with the IFS kit, namely at the FileSpy. I have noticed that all IRP_MJ_CLOSE and IRP_MJ_CLEANUP requests come with Irp->RequestorMode == KernelMode. I am not sure why this is happening. I thought that the RequestorMode is set to KernelMode only for the system related calls to the file driver (i.e. paging, etc), so if I am closing a file using a notepad, I would get a IRP_MJ_CLOSE call with RequestorMode == UserMode.

Basically, what happens is that if I try to filter on

if (RequestorMode == UserMode), I do not see any IRP_MJ_CLOSE/IRP_MJ_CLEANUP requests. I do see IRP_MJ_CREATE, IRP_MJ_READ, and IRP_MJ_WRITE and other requests as expected.

Any help is appreciated.


Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger