Re[2]: Re[2]: FsMiniFilter - IRQL for PreOperationCallback for IRP_MJ_WRITE

Some redirectors and 3rd party file systems, in my experience, do call
FsRtlEnterFileSystem() (KeEnterCriticalRegion()) in their
pre-acquisition callbacks, thus raising the IRQL to APC. While this will
occasionally throw a verifier exception within these drivers, since
IoCompleteRequest() will directly call the release callback and
therefore the entry to exit IRQL does not match, assuming that pre-write
can be called at APC is not something which should be ignored within
filter drivers.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@hotmail.com
To: “Windows File Systems Devs Interest List”
Sent: 4/11/2017 8:17:23 AM
Subject: RE:[ntfsd] Re[2]: FsMiniFilter - IRQL for PreOperationCallback
for IRP_MJ_WRITE

>Resources acquired by FSDs (ERESOURCE) do not change IRQL. An FSD must be
>specifically designed to acquire something like a fast mutex to raise
>IRQL in callbacks, which is a strange design decision as the lock is
>not recursive and raises IRQL.
>
>—
>NTFSD is sponsored by OSR

All file systems use KeEnterCriticalRegion(), as it is required before acquiring resources to disable normal kernel-mode APCs that might recursively acquire the same resource or suspend a thread, breaking the FSD’s logic or deadlocking the system.

KeEnterCriticalRegion() doesn’t raise IRQL to APC_LEVEL; it just disables normal APCs but doesn’t disable special kernel-mode APCs, which allows IoCompleteRequest’s control flow via APC.

There is a difference between APC_LEVEL, where all APCs are disabled, and a code section inside KeEnterCriticalRegion() { … } KeLeaveCriticalRegion(), where special kernel-mode APCs are allowed.
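The two points made in this thread, Pete's observation that a pre-write callback can be entered at APC_LEVEL when an FSD's pre-acquire callback uses a fast mutex, and the distinction between a critical region (normal kernel APCs blocked, special kernel APCs still delivered) and APC_LEVEL (both blocked), are easier to see side by side in a small user-mode model. The block below is an added example written for this page; it is not Windows or WDK code and not anyone's driver. The routine names deliberately mirror the kernel ones (enter/leave critical region, acquire/release fast mutex), but the IRQL values, the `THREAD` state and the `plan_pre_write` / `callback_keeps_irql` helpers are assumptions of the model, standing in for the real thread state, a minifilter's pre-write decision, and a Driver Verifier style entry/exit IRQL check.

```c
/* User-mode model of the APC gating rules discussed in this thread
 * (added example; not Windows code and does not use the WDK).
 * Routine names mirror the kernel ones; values and types are local
 * assumptions of the model. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 } IRQL;
typedef enum { NORMAL_KERNEL_APC, SPECIAL_KERNEL_APC } APC_KIND;

typedef struct {
    IRQL irql;
    int  critical_depth;  /* nesting count of KeEnterCriticalRegion */
} THREAD;

/* KeEnterCriticalRegion / KeLeaveCriticalRegion: IRQL is unchanged,
 * only the nesting count moves. */
void enter_critical_region(THREAD *t) { t->critical_depth++; }
void leave_critical_region(THREAD *t) { assert(t->critical_depth > 0); t->critical_depth--; }

/* A fast mutex raises the thread to APC_LEVEL and is not recursive. */
void acquire_fast_mutex(THREAD *t) { assert(t->irql < APC_LEVEL); t->irql = APC_LEVEL; }
void release_fast_mutex(THREAD *t) { assert(t->irql == APC_LEVEL); t->irql = PASSIVE_LEVEL; }

/* Can an APC of this kind be delivered to the thread right now?
 * - Any IRQL >= APC_LEVEL blocks both normal and special kernel APCs.
 * - A critical region blocks only normal kernel APCs; special kernel
 *   APCs (the path IoCompleteRequest relies on) still get through. */
bool apc_deliverable(const THREAD *t, APC_KIND kind) {
    if (t->irql >= APC_LEVEL) return false;
    if (kind == NORMAL_KERNEL_APC && t->critical_depth > 0) return false;
    return true;
}

/* Minifilter-side consequence: a pre-write callback may be entered at
 * APC_LEVEL, so anything that needs PASSIVE_LEVEL must be deferred
 * rather than done inline. (Model decision, not a FltMgr API.) */
typedef enum { HANDLE_INLINE, DEFER_TO_WORK_ITEM } PREWRITE_PLAN;

PREWRITE_PLAN plan_pre_write(const THREAD *t, bool needs_passive_level) {
    if (needs_passive_level && t->irql > PASSIVE_LEVEL) return DEFER_TO_WORK_ITEM;
    return HANDLE_INLINE;
}

/* Verifier-style check: a callback must return at the IRQL it was
 * entered at. Returns true when the callback left IRQL unchanged. */
typedef void (*CALLBACK)(THREAD *);

bool callback_keeps_irql(THREAD *t, CALLBACK cb) {
    IRQL entry = t->irql;
    cb(t);
    return t->irql == entry;
}

/* Two model pre-acquire callbacks: the common design (critical region
 * only) and the design the thread calls strange (fast mutex). */
void pre_acquire_with_critical_region(THREAD *t) { enter_critical_region(t); }
void pre_acquire_with_fast_mutex(THREAD *t)      { acquire_fast_mutex(t); }

int main(void) {
    THREAD t = { PASSIVE_LEVEL, 0 };

    enter_critical_region(&t);
    printf("critical region: normal APC %s, special APC %s\n",
           apc_deliverable(&t, NORMAL_KERNEL_APC)  ? "deliverable" : "blocked",
           apc_deliverable(&t, SPECIAL_KERNEL_APC) ? "deliverable" : "blocked");
    leave_critical_region(&t);

    acquire_fast_mutex(&t);
    printf("APC_LEVEL: both APC kinds %s; pre-write plan = %s\n",
           apc_deliverable(&t, SPECIAL_KERNEL_APC) ? "deliverable" : "blocked",
           plan_pre_write(&t, true) == DEFER_TO_WORK_ITEM ? "defer" : "inline");
    release_fast_mutex(&t);

    THREAD u = { PASSIVE_LEVEL, 0 };
    printf("fast-mutex pre-acquire keeps entry IRQL: %s\n",
           callback_keeps_irql(&u, pre_acquire_with_fast_mutex) ? "yes" : "no");
    return 0;
}
```

The last line of output is the case Pete describes: a pre-acquire callback that raises IRQL fails the entry/exit check, which is why such drivers trip the verifier, and why a filter's pre-write path still has to tolerate being entered at APC_LEVEL instead of assuming PASSIVE_LEVEL.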