Re: [ntdev] FileObjects and File Handles

Doron,
Thanks for the answers. (Sorry about the wraps, so I am reposting.)
I believe that your answer to number 3 explains what we are seeing.
Our driver is a file system filter driver and monitors each volume,
memory stick, CD, etc.
Given: File IRPs with FileObject(A) in the context of Pid(X)
We observe: FileObject(A) sometimes used in the context of Pid(Y)
Note: We are not talking about the IRP completion path.
FileObject(A) is still valid and in use for Pid(X)
(no IRP_MJ_CLEANUPs or IRP_MJ_CLOSEs)
Our guess, confirmed by your answer to number 3, is that another
product is duplicating handles and therefore IRPs in
another process context are “seen” as using the
same FileObject.
Do you agree?
Thanks,
Duane Souder

Doron Holan wrote:

  1. Each call to CreateFile will create a new PFILE_OBJECT
  2. 1:1
  3. If the handle is duplicated (in the process or out of process) the 2 handles share the same PFILE_OBJECT, so N:1

There are also “lite stream” file objects where you will see a cleanup/close without a create if you are a storage driver. This will have the flag FO_STREAM_FILE set in FileObject->Flags. What problems are you seeing and in which class/stack does your driver live in?

d
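The N:1 handle-to-file-object case discussed in this thread, as an added example that is not part of the original messages: a Python pass over a constructed IRP trace that reports file objects used from more than one process while still open. The record format, PIDs, addresses and function name are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed records, as a filter might log them in pre-operation:
# (major function, FILE_OBJECT address, requesting PID). Hypothetical format.
Irp = namedtuple("Irp", "major file_object pid")

SAMPLE_TRACE = [
    Irp("IRP_MJ_CREATE",  0x8A10, 100),  # Pid(X) opens -> FileObject(A)
    Irp("IRP_MJ_READ",    0x8A10, 100),
    Irp("IRP_MJ_CREATE",  0x8B20, 200),  # unrelated open in another process
    Irp("IRP_MJ_WRITE",   0x8A10, 200),  # FileObject(A) used from Pid(Y)
    Irp("IRP_MJ_READ",    0x8A10, 100),  # still in use by Pid(X)
    Irp("IRP_MJ_CLEANUP", 0x8C30, 4),    # cleanup with no create observed
    Irp("IRP_MJ_CLOSE",   0x8C30, 4),
    Irp("IRP_MJ_CLEANUP", 0x8B20, 200),
    Irp("IRP_MJ_CLOSE",   0x8B20, 4),
    Irp("IRP_MJ_CREATE",  0x8B20, 300),  # address reused: a new file object
    Irp("IRP_MJ_READ",    0x8B20, 300),
]

def shared_file_objects(trace):
    """Return {file_object: [pids, first-seen order]} for file objects that
    were used from more than one process between create and close."""
    live = {}    # file_object -> PIDs seen while the object is alive
    shared = {}
    for irp in trace:
        if irp.major == "IRP_MJ_CREATE":
            # Each create is a new file object, even at a reused address.
            live[irp.file_object] = [irp.pid]
            continue
        pids = live.get(irp.file_object)
        if irp.major == "IRP_MJ_CLOSE":
            # Close can arrive in an arbitrary context; its PID is not compared.
            live.pop(irp.file_object, None)
            continue
        if pids is None:
            # No create seen (e.g. a stream file object): start tracking here.
            live[irp.file_object] = [irp.pid]
            continue
        if irp.pid not in pids:
            pids.append(irp.pid)
            shared[irp.file_object] = pids
    return shared

if __name__ == "__main__":
    for fo, pids in shared_file_objects(SAMPLE_TRACE).items():
        print(f"FileObject {fo:#x} used by PIDs {pids}")
```

A filter that keys per-file state on the file object alone will attribute the second process's I/O to the first; keying on the file object and requesting process together keeps them apart.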