I think I have pinpointed what causes the problem with McAfee and
SwapBuffers sample driver (and thus our and prolly quite a few other
mini-filters). For those not up to date, McAfee and SwapBuffers driver
on the same system would cause a PFN_LIST_CORRUPT bugcheck with Arg1:
0x9A. This is hard to reproduce on Windows 2003, exhibits often as a
lockup on XP, but almost instantly surfaces on Vista (as soon as both
drivers are active).
Comparing SwapBuffers and our driver, it seems that the problem is
caused by FltLockUserBuffer from
IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY safe completion routine.
Sure enough, this can be worked around with FLT_PREOP_SYNCHRONIZE (no
need to lock the buffer). The drivers coexist on Vista if this change is
applied.
I’m not pointing fingers at McAfee here, since I am skeptical as to
how legal FltLockUserBuffer API is really. But, someone @ McAfee should
look into this, as it’s legit to call it for directory list call.
Hope this helps others. I didn’t think Vista would give more
information (it didn’t), but someone suggested I try (as with every
Windows version, driver verification is better) - and repro was assured
at least.
Time for me to do something about that encryption FAQ…
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.