Hey guys, I'm trying to intercept I/O operations, but I want to exclude paging operations because every time I intercept I get a BSOD with MEMORY_MANAGEMENT. I've tried checking IRP_PAGING_IO, SL_PAGING_IO, and FO_PAGING_FILE to exclude paging, but every IRP I get has those flags and it's hard to distinguish the pagefile. I thought calculating the range of LBAs at boot time might be the best approach to find those ranges before interception, but I'm getting 0xC0000043 (STATUS_SHARING_VIOLATION) or sometimes 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND).
My driver loads high in the stack, so it's very early, and the way I try to open the files is using ZwCreateFile inside IoRegisterDriverReinitialization. I was wondering if there's any stable way to grab these LBAs and exclude the pagefile.