> Question:
> Is there an easy way to figure out the file object that the system thread
> tries to write? This would help finding out what files trigger the issue.

It's probably the second parameter to NtfsFspDispatch. Also Fat can
sometimes be instructive. Fat isn't NTFS but they were originally written
at the same time by a colleagues so

    _Requires_lock_held_(_Global_critical_region_)
    NTSTATUS
    FatCommonWrite (
        IN PIRP_CONTEXT IrpContext,
        IN PIRP Irp
        )

Maybe it’s also the second parameter to NtfsCommonWrite.
From there it’s “just” x64 calling standard. Good luck!
R