Receiving an unknown IRP. And an IRP storm.

Hello, thanks in advance for your help. I'm working on a minifilter driver
for NT and XP. We currently have it set up just to watch logical drives and
record some information from the transactions. I'm using FltSendMessage and
FilterGetMessage to do asynchronous communication between the user mode
process and the driver. It seems to work fine but with one exception:

Previously we were exploring a polling model straight out of Microsoft's DDK
samples for the minifilter. It seems very low CPU utilization. Now that
we've switched over to an asynchronous mode, the CPU utilization goes through
the ceiling. Even when the computer isn't doing anything it seems that we
just get scores of IRPs. Is it possible that SendMessage or Getmessage
somehow creates IRPs? Am I causing some type of recursion to occur?

Lastly, I find us receiving an IRP with a Major Code of F2. I can't seem to
find a reference. Does anybody know what this is?

Thanks again.
Robert

There is no IRP with a major function of F2. It sounds like you have at
least one bug in your filter.

It also sounds like there’s something wrong with your asynchronous I/O
handling - like it isn’t blocking it’s polling, and that’s leading to
your observed high CPU utilization. That would also fit why you are
seeing the F2 - it sounds like you’re signaling an IRP that isn’t
happening.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Robert Light
Sent: Monday, June 19, 2006 10:35 PM
To: ntfsd redirect
Subject: [ntfsd] Receiving an unknown IRP. And an IRP storm.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Could very well be the case. However, the actual filtering code hasn't been
touched since we installed the asynchronous code. Of course, that doesn't
mean it's not affecting something somewhere in memory though.

Anyway, I'm kicking off a worker thread to handle the send message for the
driver from the post operation callback. From the user mode we're not doing
a reply like they use in scanner.c. Could this be my problem?

Thanks!
Robert


Actually, in a minifilter, there is an F2 major function code. It is
IRP_MJ_NETWORK_QUERY_OPEN.

Filter manager uses the same callback mechanism for IRP based I/O and fast
I/O calls, so it uses negative IRP_MJ_ codes to identify the fast I/O calls.

- Dan.
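
The point made in the reply above, as an added example (not code from the thread or from the DDK samples): fltKernel.h defines the filter manager's non-IRP operation codes as negative numbers cast to UCHAR, so -14 is reported as 0xF2. The helper names and the trace bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char UCHAR;
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b   /* last real IRP major code (wdm.h) */

/* FltMgr-only operations; fltKernel.h defines each one as ((UCHAR)-n). */
static const struct { int n; const char *name; } flt_pseudo_ops[] = {
    {  1, "IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION" },
    {  2, "IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION" },
    {  3, "IRP_MJ_ACQUIRE_FOR_MOD_WRITE" },
    {  4, "IRP_MJ_RELEASE_FOR_MOD_WRITE" },
    {  5, "IRP_MJ_ACQUIRE_FOR_CC_FLUSH" },
    {  6, "IRP_MJ_RELEASE_FOR_CC_FLUSH" },
    { 13, "IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE" },
    { 14, "IRP_MJ_NETWORK_QUERY_OPEN" },
    { 15, "IRP_MJ_MDL_READ" },
    { 16, "IRP_MJ_MDL_READ_COMPLETE" },
    { 17, "IRP_MJ_PREPARE_MDL_WRITE" },
    { 18, "IRP_MJ_MDL_WRITE_COMPLETE" },
    { 19, "IRP_MJ_VOLUME_MOUNT" },
    { 20, "IRP_MJ_VOLUME_DISMOUNT" },
};

/* Hypothetical helper: name a MajorFunction byte seen in a minifilter callback. */
const char *flt_major_name(UCHAR major)
{
    size_t i, count = sizeof flt_pseudo_ops / sizeof flt_pseudo_ops[0];
    if (major <= IRP_MJ_MAXIMUM_FUNCTION)
        return "IRP-based";
    for (i = 0; i < count; i++)
        if ((UCHAR)-flt_pseudo_ops[i].n == major)   /* (UCHAR)-14 == 0xF2 */
            return flt_pseudo_ops[i].name;
    return "unknown";
}

/* Hypothetical helper: count logged callbacks that were not real IRPs. */
size_t count_non_irp(const UCHAR *log, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        if (log[i] > IRP_MJ_MAXIMUM_FUNCTION)
            n++;
    return n;
}

int main(void)
{
    /* Constructed trace of MajorFunction bytes, not taken from the thread. */
    const UCHAR trace[] = { 0x00, 0xF2, 0xF2, 0x03, 0xF3, 0x12, 0xF2, 0x02 };
    size_t i, len = sizeof trace / sizeof trace[0];
    for (i = 0; i < len; i++)
        printf("0x%02X  %s\n", trace[i], flt_major_name(trace[i]));
    printf("%zu of %zu callbacks were not IRPs\n", count_non_irp(trace, len), len);
    return 0;
}
```
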

----- Original Message -----
From: “Tony Mason”
To: “Windows File Systems Devs Interest List”
Sent: Monday, June 19, 2006 8:48 PM
Subject: RE: [ntfsd] Receiving an unknown IRP. And an IRP storm.


Ah, true. I’d been thinking “field from the IRP” not “value reported
via minifilter”. My bad.

Then perhaps this gentleman is generating an IRP “storm” of some sort.
It still sounds like a bug in his filter - perhaps it is just coincident
with the addition of asynchronous I/O?

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Kyler
Sent: Tuesday, June 20, 2006 8:14 AM
To: ntfsd redirect
Subject: Re: [ntfsd] Receiving an unknown IRP. And an IRP storm.


Agreed on the storm. It could also be a user mode bug. There might be
something in the processing of the message that is generating a fast I/O
query network, resulting in recursive messages.

- Dan.

----- Original Message -----
From: “Tony Mason”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, June 20, 2006 6:37 AM
Subject: RE: [ntfsd] Receiving an unknown IRP. And an IRP storm.


Wow, thanks for all the replies. I've partially solved the problem. The CPU
was being pinned at 100% usage. I took a look at my task manager and simply
assumed it was my minifilter that was directly responsible. Taking a closer
look, I discovered that the real culprit was an executable called
PROMon.exe. I looked and found some information on it, but just for testing
purposes I shut it down. I'm still not sure why it doesn't play well with my
minifilter, but after shutting it down my CPU usage dropped to 0 and many of
the unwanted IRP messages stopped, including F2. Secondly, I took a closer
look at what IRP_MJ messages we were registering for. It turns out we were
doing ALL of them. I insisted that we narrow them down to simply the ones
that we need for file monitoring.

There are still a few performance issues at hand. But I'll address those in
a separate thread. Thanks again everyone!
