Opening page file from disk filter (STATUS_SHARING_VIOLATION)

Hey guys, I'm trying to intercept I/O operations, but I want to exclude paging operations because every time I intercept I get a BSOD with MEMORY_MANAGEMENT. I've tried checking IRP_PAGING_IO, SL_PAGING_IO, and FO_PAGING_FILE to exclude paging, but every IRP I get has those flags and it's hard to distinguish the pagefile. I thought calculating the range of LBAs at boot time might be the best approach to find those ranges before interception, but I'm getting 0xC0000043 (STATUS_SHARING_VIOLATION) or sometimes 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND).

My driver loads high in the stack, so it's very early, and the way I try to open the files is using ZwCreateFile inside IoRegisterDriverReinitialization. I was wondering if there's any stable way to grab these LBAs and exclude the pagefile.

You should check for SL_OPEN_PAGING_FILE in pre/post-create (pData->Iopb->OperationFlags) and completely ignore these files in other callbacks. I recommend setting FLT_STREAMHANDLE/FILE/STREAM_CONTEXT on the files you are interested in.

FsRtlIsPagingFile() can also be used.


Thanks for your response. I’ll check it out.

If you are actually a disk filter driver rather than a filesystem minifilter, then suggestions on various FLT_* constants and ‘pre/post-create’ do not apply.

I’ve written many disk filters and never had to exclude the paging file(s) due to MEMORY_MANAGEMENT crashes. So, I’d say you have a bug you’re just going to mask and you need to figure out what’s going on there.
