In my mini filter driver, when I return FLT_PREOP_PENDING from IRP_MJ_WRITE pre-operation (no paging io, no fastio)- and then (from other thread) the operation is completed by FltCompletePendedPreOperation with ‘Data’ parameter from request and with FLT_PREOP_SUCCESS_NO_CALLBACK, file is not written is user mode but return with ERROR_INVALID_USER_BUFFER. The same procedure works properly with IRP_MJ_CREATE pre-operation. Do you have an idea why? How to fix it?
What I did, but it is not elegant- in my pre-IRP_MJ_WRITE operation instead of returning FLT_PREOP_PENDING, I’m creating a KEVENT and calling KeWaitForSingleObject, than when the second (worker) thread finishes processing it calls KeSetEvent, and when wait unblocks- it returns FLT_PREOP_SUCCESS_NO_CALLBACK… And all works fine (but I didn’t test it too much :)) What is dangerous in this solution?
If you are going to block and wait in the original thread, why don’t you just issue the I/O in that thread instead of using a second thread? In other words, why were you queueing the request and returning pending?
Regarding the second (working) thread- in fact, it is a user-mode application which gets the event and decides if allows or blocks it, so this is why file writing should be pended on pre-operation phase.