Order of calls to EvtDeviceQueryRemove and EvtFileCleanup on driver disable.

Hello,

Is it possible that the EvtFileCleanup callback is called before EvtDeviceQueryRemove
when a driver is disabled (the standard way, from the Device Manager) even without anyone explicitly closing the file object?

Thank you in advance,
Gregory

query remove does not close handles behind the handle owner’s back ;). file cleanup is invoked in two cases:

  1. for a user mode handle owner, when a handle is closed, followed immediately by a close (usually)
  2. for a kernel mode handle owner, when a handle is closed. close comes when the caller ObDereferences the file object

you should assume no synchronization between these 2 callbacks. what problem are you trying to resolve?

d

Actually, I just tried to understand if it’s possible that EvtFileCleanup is called before EvtDeviceQueryRemove returned success - as I understood from your answer it is possible, right?

Thanks!