Minifilter unload hangs when IoCreateFileSpecifyDeviceObjectHint is used in PreCreate

Hi all,

I’ve got a very small minifilter driver, which tests if a file exists or not
using IoCreateFileSpecifyDeviceObjectHint() in PreCreate handler. Strangely
InstanceTeardownStart() gets invoked but InstanceTeardownComplete() doesn’t
get invoked on DriverUnload, which obviously suggests a hang on minifilter
unload and of course the system goes nuts after this.

I’ve got PostCreate, PreCleanUp and PreWrite routines which I stole from the DDK
scanner sample and they are nearly empty functions (I removed code from the
scanner sample). So the code snippet below is pretty much the whole code
that I’ve got.

Does anyone have a clue?

The code snippet is as follows.
(BTW, I also noticed FltCreateFile suffers the same problem with passed
instance handle and without FILE_NON_DIRECTORY_FILE flag)

FLT_PREOP_CALLBACK_STATUS PreCreate (
    IN OUT PFLT_CALLBACK_DATA Data,
    IN PCFLT_RELATED_OBJECTS FltObjects,
    OUT PVOID *CompletionContext
    )
{
    PFLT_FILE_NAME_INFORMATION nameInfo;
    NTSTATUS status;

    //
    // Check if we are interested in this file.
    //

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED |
                 FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo);

    if (!NT_SUCCESS( status )) {
        return FLT_PREOP_SUCCESS_WITH_CALLBACK;
    }

    FltParseFileNameInformation( nameInfo );

    PDEVICE_OBJECT pVolumeDev = NULL;
    status = FltGetDeviceObject(FltObjects->Volume, &pVolumeDev);
    if(NT_SUCCESS(status))
    {
        PDEVICE_OBJECT pBaseFsDev = IoGetDeviceAttachmentBaseRef(pVolumeDev);
        if(pBaseFsDev)
        {
            HANDLE hFile = NULL;
            IO_STATUS_BLOCK iostatus;
            OBJECT_ATTRIBUTES oa;
            InitializeObjectAttributes(&oa, &nameInfo->Name,
                OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

            status = IoCreateFileSpecifyDeviceObjectHint(
                &hFile,                        // File Handle
                FILE_READ_DATA | SYNCHRONIZE,  // DesiredAccess
                &oa,                           // ObjectAttributes
                &iostatus,                     // IoStatusBlock
                NULL,                          // AllocationSize (OPTIONAL)
                FILE_ATTRIBUTE_NORMAL,         // FileAttributes
                0,                             // ShareAccess
                FILE_OPEN,                     // Disposition
                FILE_SYNCHRONOUS_IO_NONALERT,  // CreateOptions
                NULL,                          // EaBuffer (OPTIONAL)
                0,                             // EaLength
                CreateFileTypeNone,            // CreateFileType
                NULL,                          // ExtraCreateParameters (OPTIONAL)
                IO_IGNORE_SHARE_ACCESS_CHECK,  // Options
                pBaseFsDev                     // DeviceObject
                );

            if(NT_SUCCESS(status) && hFile)
            {
                ZwClose(hFile);
            }

            ObDereferenceObject(pBaseFsDev); // release basefs device object

            // Pointers and the handle are printed with %p so they are not
            // truncated on 64-bit builds.
            DbgPrint("CREATE: %wZ VolumeDev 0x%p BaseFsDev 0x%p hFile 0x%p (0x%x)\n",
                &nameInfo->Name, pVolumeDev, pBaseFsDev, hFile, status);
        }

        ObDereferenceObject(pVolumeDev); // release volume device object
    }

    FltReleaseFileNameInformation( nameInfo );

    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

In a minifilter you can just call FltCreateFile; if you don’t want your
request to go to the top of the driver stack you can use the Instance
parameter.

/Daniel


Hi Daniel,

I did try FltCreateFile in the first place, which generated the same problem
as IoCreateFileSpecify…() approach. The symptom is obvious. fltmc unload
doesn’t return in command prompt, InstanceTeardownComplete doesn’t get
called, a newly launched process window doesn’t appear, etc.

sparky.

From: “Daniel Terhell”
>Reply-To: “Windows File Systems Devs Interest List”
>To: “Windows File Systems Devs Interest List”
>Subject: Re:[ntfsd] Minifilter unload hangs when
>IoCreateFileSpecifyDeviceObjectHint is used in PreCreate
>Date: Tue, 17 Jul 2007 12:30:17 +0200
>
>In a minifilter you can just call FltCreateFile, if you don’t want your
>request to go to the top of the driver stack you can use the Instance
>parameter.
>
>/Daniel

Have you tried running this with the checked version of the filter manager? If there is some resource you have not released the free version will hang unloading your driver - the checked version will give more information that should point you to the problem.
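The point made in the reply above, that a resource left unreleased keeps unload from ever finishing, shown as an added user-mode model (not code from this thread and not Filter Manager code). Teardown completion fires only after every tagged reference is released, and `run_scenario` fills `buf` with the tags still held; the `Instance` type, the tags and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* User-mode model only, NOT Filter Manager code; all names are hypothetical. */
#define MAX_REFS 8
typedef struct {
    const char *owner[MAX_REFS]; /* tag of each outstanding reference */
    int tearing_down;            /* models InstanceTeardownStart having run */
    int complete_called;         /* models InstanceTeardownComplete having run */
} Instance;
static int outstanding(const Instance *in, char *buf, size_t len) { /* lists holder tags */
    int n = 0;
    buf[0] = '\0';
    for (int i = 0; i < MAX_REFS; i++) {
        if (!in->owner[i]) continue;
        if (n++) strncat(buf, ",", len - strlen(buf) - 1);
        strncat(buf, in->owner[i], len - strlen(buf) - 1);
    }
    return n;
}
static void maybe_complete(Instance *in) {
    char scratch[128];
    if (in->tearing_down && outstanding(in, scratch, sizeof scratch) == 0)
        in->complete_called = 1;  /* fires only once every reference is gone */
}
static int ref_acquire(Instance *in, const char *tag) {
    for (int i = 0; !in->tearing_down && i < MAX_REFS; i++)
        if (!in->owner[i]) { in->owner[i] = tag; return i; }
    return -1;                    /* table full, or teardown already started */
}
static void ref_release(Instance *in, int slot) {
    if (slot >= 0 && slot < MAX_REFS) in->owner[slot] = NULL;
    maybe_complete(in);
}
static int run_scenario(int leak, char *buf, size_t len) {
    Instance in = {0};
    int probe = ref_acquire(&in, "probe-open");   /* constructed tags */
    int name = ref_acquire(&in, "name-info");
    ref_release(&in, name);
    if (!leak) ref_release(&in, probe);           /* leak=1 skips this release */
    in.tearing_down = 1;                          /* unload begins */
    maybe_complete(&in);
    outstanding(&in, buf, len);
    return in.complete_called;                    /* 1 = teardown completed */
}
int main(void) {
    char buf[128];
    for (int leak = 0; leak <= 1; leak++)
        printf("leak=%d complete=%d held=[%s]\n", leak, run_scenario(leak, buf, sizeof buf), buf);
    return 0;
}
```

In the leaking run the model never reaches completion and the report names the one holder, which is the kind of pointer a reference-tracking build can give that a silent hang cannot.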