Cool question - a FILE_OPEN request does not need an exclusive lock, IMO.
Bur FILE_OPEN_IF or any other do, though FltMgr should not be asking that
type of Disposition.
Do you have MEX extensions for Windbg? If not, get them from MS’s site, and
run !mex.t on the threads and post it please.
Long shot, but I wonder exactly what time they spent waiting.
@Dejan_Maksimovic said:
Cool question - a FILE_OPEN request does not need an exclusive lock, IMO.
Bur FILE_OPEN_IF or any other do, though FltMgr should not be asking that
type of Disposition.Do you have MEX extensions for Windbg? If not, get them from MS’s site, and
run !mex.t on the threads and post it please.
Long shot, but I wonder exactly what time they spent waiting.
Here you go, so indeed this is really related to these chrome cache files. Note that from these three files, we are the one who have created the index.txt.tmp.backup using FltCreateFile (with share read/write/delete) + FltWriteFile. But the other two files are not created by us. Considering that the driver for index.txt.tmp is FltMgr, maybe the minifilter for Kaspersky is the one that has created that file?
Also as a reminder, in the following call stack which is in the pre close of the index.txt.tmp.backup, we are using FltCreateFile to get the file object corresponding to the file (so we are using FILE_OPEN, with share read/write/delete), so we can get more info related to that file.
kd> !mex.t
Process Thread CID TEB UserTime KernelTime ContextSwitches Wait Reason Time State
chrome.exe (ffffb408e37f5080) ffffb408e3bbc080 (E|K|W|R|V) 294.1ea8 0000009b5739b000 63ms 3m:28.391 26149 WrDispatchInt 1s.046 Running on processor 3
Irp List:
IRP File Driver
ffffb408e3adc1c0 \Users\test\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\cc48a22222f64c442756e922770a3fdedfa75bed\index.txt.tmp.backup FltMgr
ffffb408e494e010 \Users\test\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\cc48a22222f64c442756e922770a3fdedfa75bed\index.txt.tmp FltMgr
ffffb408e4986010 \Users\test\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\cc48a22222f64c442756e922770a3fdedfa75bed\index.txt~RF5e7611.TMP NTFS
nt!KxReleaseQueuedSpinLock+0x23
nt!ExpReleaseResourceForThreadLite+0x1f6
NTFS!NtfsReleaseFcb+0x4b
NTFS!NtfsCommonQueryInformation$fin$0+0x6c
nt!_C_specific_handler+0x18e
nt!RtlpExecuteHandlerForUnwind+0xd
nt!RtlUnwindEx+0x432
nt!_C_specific_handler+0xe2
nt!RtlpExecuteHandlerForException+0xd
nt!RtlDispatchException+0x421
nt!RtlRaiseStatus+0x4e
NTFS!NtfsRaiseStatusInternal+0x6c
NTFS!NtfsCommonQueryInformation+0xbfe
NTFS!NtfsFsdDispatchSwitch+0xcc
NTFS!NtfsFsdDispatchWait+0x40
FLTMGR!FltpQueryInformationFile+0x112
FLTMGR!FltpGetFileName+0x30c
FLTMGR!FltpGetOpenedFileName+0x19
FLTMGR!FltpCallOpenedFileNameHandler+0x2b
FLTMGR!FltpExpandFilePathWorker+0x445
FLTMGR!FltpExpandFilePath+0x1a
FLTMGR!FltpGetNormalizedFileNameWorker+0x112
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32c
FLTMGR!HandleStreamListNotSupported+0x113
FLTMGR!FltpGetFileNameInformation+0x5e7
FLTMGR!FltGetFileNameInformation+0x1b0
luafv!LuafvGenerateFileName+0x4c
FLTMGR!FltpCallOpenedFileNameHandler+0x89
FLTMGR!FltpGetNormalizedFileNameWorker+0x2f
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32c
FLTMGR!HandleStreamListNotSupported+0x113
FLTMGR!FltpGetFileNameInformation+0x5e7
FLTMGR!FltGetFileNameInformation+0x1b0
wcifs!WcGenerateFileName+0x44
FLTMGR!FltpCallOpenedFileNameHandler+0x89
FLTMGR!FltpGetNormalizedFileNameWorker+0x2f
FLTMGR!FltpGetNormalizedFileName+0x1a
FLTMGR!FltpCreateFileNameInformation+0x32c
FLTMGR!HandleStreamListNotSupported+0x113
FLTMGR!FltpGetFileNameInformation+0x5e7
FLTMGR!FltGetFileNameInformation+0x1b0
klfle+0x610f0
klfle+0x57950
FLTMGR!FltpPerformPreCallbacks+0x2ea
FLTMGR!FltpPassThroughInternal+0x88
FLTMGR!FltpCreate+0x2e1
nt!IopParseDevice+0x168f
nt!ObpLookupObjectName+0x8af
nt!ObOpenObjectByNameEx+0x1dd
nt!IopCreateFile+0x860
nt!IoCreateFileEx+0x115
FLTMGR!FltpCreateFile+0x1cd
FLTMGR!FltCreateFile+0x8d
ourdriver+0x220a
FLTMGR!FltpPerformPreCallbacks+0x2ea
FLTMGR!FltpPassThroughInternal+0x88
FLTMGR!FltpPassThrough+0x1a6
FLTMGR!FltpDispatch+0x9e
nt!IopDeleteFile+0x12d
nt!ObpRemoveObjectRoutine+0x78
nt!ObfDereferenceObject+0xa1
nt!MiSegmentDelete+0x171
nt!MiCheckControlArea+0x147
nt!MmPurgeSection+0x1af
nt!CcPurgeCacheSection+0xcf
NTFS!NtfsDeleteFile+0xe2e
NTFS!NtfsCommonCleanup+0x2b2c
NTFS!NtfsCommonCleanupCallout+0x19
nt!KxSwitchKernelStackCallout+0x27
nt!KiSwitchKernelStackContinue
nt!KiExpandKernelStackAndCalloutOnStackSegment+0x241
nt!KiExpandKernelStackAndCalloutSwitchStack+0xa6
nt!KeExpandKernelStackAndCalloutInternal+0x2f
NTFS!NtfsFsdCleanup+0x268
FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a6
FLTMGR!FltpDispatch+0xb6
nt!IopCloseFile+0x150
nt!ObCloseHandleTableEntry+0x245
nt!NtClose+0xcb
nt!KiSystemServiceCopyEnd+0x13
0x7ffd91175ce4