Minifilter driver, memmap files and IRP_MJ_WRITE

Mauro_Leggieri-1 · March 20, 2013, 10:32pm

Hi,

I’m writing a driver that logs write to files. I know that memory mapper writes may be done asynchronously after the file is closed and FltGetFileNameInformation cannot be called in that situation so I do the following:

On IRP_MJ_CREATE PostCallback (with FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO) I call FltGetFileNameInformation and store the name in a stream context.

The stream context is deleted in a routine registered in the FLT_CONTEXT_REGISTRATION struct.

When I get the IRP_MJ_WRITE (no FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO flag to “see” memmap writes) I want to retrieve the name of the file.

It is safe to call FltGetStreamContext? Documentation says that precallback can have any IRQL but I don’t know it there exists an upper limit.

Tried returning FLT_PREOP_SYNCHRONIZE but, at least on XP, system becomes deadlocked.

How can I get the file name or, at least, setup a worker background thread for this situation incrementing the refcount of the FileObject?

Thanks,
Mauro.

Mauro_Leggieri-1 · March 21, 2013, 7:40am

Update: I could retrieve the name using the stream context in IRP_MJ_WRITE but not sure if this callback is always called with IRQL <= APC_LEVEL including in paging i/o.

Alex_Carp · March 21, 2013, 10:51am

Just make sure you allocate your context from non-paged pool and you should be fine even in the paging IO path and higher IRQLs.

On the deadlock with FLT_PREOP_SYNCHRONIZE, it’s likely that some other app (or driver) is doing something wrong. See this page for an explanation on what could go wrong and some tips on how to investigate it (http://fsfilters.blogspot.com/2011/05/irp-completion-statuspending-and-fltmgr.html).

Thanks,
Alex.
On Mar 21, 2013, at 4:43 AM, xxxxx@caiman.com.ar wrote:

Update: I could retrieve the name using the stream context in IRP_MJ_WRITE but not sure if this callback is always called with IRQL <= APC_LEVEL including in paging i/o.

NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Mauro_Leggieri-1 · March 23, 2013, 4:38pm

Thanks Alex for the answer.