'Missing' IRP_MJ_CREATE on system restart

I have a minifilter driver that is monitoring IRP_MJ_CREATE and IRP_MJ_WRITE
ops (amongst others) on specified paths/files - currently running on my
Windows XP Pro system. The filter is configured for ‘SERVICE_BOOT_START’.
On reboot I find I am seeing IRP_MJ_WRITE ops on a file object for which I
have not received an IRP_MJ_CREATE. The file is actually an Oracle, memory
mapped, file.
Thinking that I would always receive a create before anything else I believe
I must have a coding error. But I configured Ladislav Zezula’s excellent
FileSpy utility as a service (& its fspy driver to start on boot) to
monitor all requests on the offending file. It too misses the create op -
The first thing it logs for that file is an IRP_MJ_QUERY_INFORMATION
followed by two IRP_MJ_WRITE ops (IRP_NO_CACHE; IRP_PAGING_IO).

So am I wrong - Is it possible that a mini-filter may miss create ops on
startup? I am concerned that if the answer is yes then what else may it
miss? I seem to remember reading in the archives that it is possible for
kernel drivers to by-pass the filter manager stack (?) but I think I would
be surprised if that is what is happening here.

My wild guess is that Windows is loading the file into the cache very early
in the reboot sequence so that it will be ready and waiting when Oracle
starts up. (In which case I’m probably missing a IRP_MJ_CLEANUP).

Many thanks,
Gareth

> My wild guess is that Windows is loading the file into the cache very early
> in the reboot sequence so that it will be ready and waiting when Oracle
> starts up. (In which case I’m probably missing an IRP_MJ_CLEANUP).

I think the same. Memory mapped files tend to be stored in
the prefetch cache (C:\Windows\Prefetch) and be loaded very early.
I’ve seen cases when a Desktop.ini from my user profile
has been opened at the text part of the Windows boot process.

L.