This is my first attempt to reply to a question, so a simple “no, man, stop
helping” will suffice if this answer sucks.

> In process monitor logs, I see IRP_MJ_READ request and the same
> IRP_MJ_READ operation gets triggered in my minifilter.

Does the IRP_MJ_READ come from Notepad? One can imagine Notepad opening
the file and having someone else see the open and do their own open,
perhaps to scan the file. If that happens, the file data could be cached
before Notepad tries its first read.

> What I am expecting is, to map or cache file data one has to get it from
> actual file first and then onwards it will be used from cache.

Someone has to cache it, that is true. But there is no rule that Notepad
has to be the one that cached it, nor that Notepad can only read data that
Notepad has cached. Even if nobody else saw Notepad’s open and read ahead
of Notepad, it may still be in the cache from when it was originally
created. If you run a program to create the file, close the file, then
exit that program, the data could be cached from the creation unless the
creator took steps to avoid the cache. In that case, Notepad could see the
data left over from the creation.

You may be assuming that if Notepad opens the file then nobody else will
read the file between Notepad’s open and read. I think this is not right
in this particular case; it is not generally right. Even if it is right,
you may be assuming that the data is not in cache from some previous
operation that is completely independent of Notepad. One could imagine
something like indexer loading the file (although I don’t know whether
indexer takes care to avoid polluting the cache, so take my reference to
indexer as an example that may not reflect what could actually happen), in
which case the data would be cached with no action from Notepad.

That’s the best I got. Let the downvoting begin.

On Thu, Aug 30, 2018 at 9:04 AM, xxxxx@gmail.com wrote:
> Hello Folks,
>
> I am working on an on-the-fly encryption/decryption minifilter driver and
> facing the very popular memory mapped file IO issue for notepad.exe. I went
> through almost all posts on NTFSD about this and did not get an exact
> solution for solving this issue.
>
> As per my understanding, I am encrypting data in PreWrite callback only if
> IRP_NOCACHE flag is present and decrypting it in PostRead or
> PostReadWhenSafe callback only if IRP_PAGING_IO flag is present. This
> sometimes works and sometimes does not work with notepad.
> In process monitor logs, I see IRP_MJ_READ request and the same
> IRP_MJ_READ operation gets triggered in my minifilter. But this operation
> does not contain IRP_PAGING_IO flag so I don’t decrypt it. But later I see
> IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION operation by notepad. I
> understood that minifilter can’t track data read from cache. But what I am
> expecting is, to map or cache file data one has to get it from actual file
> first and then onwards it will be used from cache. My question is why I
> can’t see that first read operation (which is to cache data from file) or
> is it something that it’s not compulsory to have IRP_PAGING_IO flag when
> data from file gets cached?
>
> I know this is a very popular problem and a lot has been discussed about this
> on this list. But I tried my best and made some progress. Please help me to
> understand the above issue.
>
> Thanks.