IRQL of a pre create callback of minifilters in case of share access (PID 4)?

In MSDN documents:
https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/writing-preoperation-callback-routines

It is said that “A pre-operation callback can be called at IRQL = PASSIVE_LEVEL or IRQL = APC_LEVEL”

So is this always true? Specifically, in case of share access from a remote machine, which causes the pre callback to be called by the system process (PID 4), is this also always called at APC_LEVEL or PASSIVE_LEVEL?

Some allocations that the FltMgr passes are, I think, allocated from paged
pool. Which means you cannot even check them at DPC.

I think this is guaranteed, or to be more precise, someone else f’ed up
above you if it’s not the case.

Dejan.
