Re[2]: Re[2]: FsMiniFilter - IRQL for PreOperationCallback for IRP_MJ_WRITE

Some redirectors and 3rd party file systems, in my experience, do call
FsRtlEnterFileSystem() (KeEnterCriticalRegion()) in their
pre-acquisition callbacks, thus raising the IRQL to APC. While this will
occasionally throw a verifier exception within these drivers, since
IoCompleteRequest() will directly call the release callback and
therefore the entry to exit IRQL does not match, assuming that pre-write
can be called at APC is not something which should be ignored within
filter drivers.


Kernel Drivers
Windows File System and Device Driver Consulting

------ Original Message ------
To: “Windows File Systems Devs Interest List”
Sent: 4/11/2017 8:17:23 AM
Subject: RE:[ntfsd] Re[2]: FsMiniFilter - IRQL for PreOperationCallback


>Resources acquired by FSDs (ERESOURCE) do not change IRQL. An FSD must be
>specifically designed to acquire something like a fast mutex to raise
>IRQL in callbacks. Which is a strange design decision, as the lock is
>not recursive and raises IRQL.

All file systems use KeEnterCriticalRegion(), as it is required before acquiring resources to disable normal kernel-mode APCs that might recursively acquire the same resource or suspend a thread and break the FSD’s logic or deadlock the system.

KeEnterCriticalRegion() doesn’t raise IRQL to APC_LEVEL; it just disables normal APCs, but it doesn’t disable special kernel-mode APCs, which allows IoCompleteRequest’s control flow with APCs.

There is a difference between APC_LEVEL, where all APCs are disabled, and a code section inside KeEnterCriticalRegion() { … } KeLeaveCriticalRegion(), where special kernel-mode APCs are allowed.