Should i use or not use FLTFL_IO_OPERATION_NON_CACHED in FltReadFile?

OSR_Community_User · May 4, 2012, 4:03am

Hello,

I?m trying to read from a file in a minifilter in postCreat method by using FltReadFile.
I have two questions, one that causes me BSOD and is concerning the flag FLTFL_IO_OPERATION_NON_CACHED

The other question is what read method should I use, FltReadFile or ZwReadFile?

First question is when I try to read the file without the flag FLTFL_IO_OPERATION_NON_CACHED from a network disk on XP and server 2003 I get a BSOD! But when I have this flag on no BSOD occurred. I first think it was an XP or Server 2003 issue but it maybe can occur on Windows 7, but I do not know because I do not know what it is that causing the BSOD. Should I always use this flag? The BSOD is pointing at rdbss.sys file.

Question two, I have heard that if there is an Flt method I shall use it, so therefore I use FltReadFile and not ZwReadFile. But is it true should I use the FltReadFile or could I use ZwReadFile?

Thanks
Mattias Lasu

OSR_Community_User · May 4, 2012, 10:29am

It is difficult to say why you observe a BSOD in the circumstances you describe. After all, performing cached I/O on files over the network certainly does work for others; thus it suggests there’s something specific to your implementation. Perhaps with a crash dump and a bit of time in the debugger I could tell, but with a vague description that’s not likely to happen.

You should use FltReadFile.

Tony
OSR

rod_widdowson · May 5, 2012, 4:42am

> First question is when I try to read the file without the flag

FLTFL_IO_OPERATION_NON_CACHED from
a network disk on XP and server 2003 I get a BSOD!

There is a possibility that you are being bitten by stack based file
objects. XP and 2K3 certainly used them a lot.

In PostCreate you should check the fileObject address with the result of
IoGetStackLimits and if it is on the stack be very wary of what you do (best
is to do nothing)

At the bottom of this article
(http://www.osronline.com/article.cfm?article=219) is a list of safe
operations.

Rod

OSR_Community_User · May 7, 2012, 5:47am

Thanks a lot Rod, that solves my issue

Is this a problem only on XP and 2K3 or can it happens on Vista or Windows 7 to?

Thanks again Rod
/Mattias

rod_widdowson · May 7, 2012, 7:47am

> Is this a problem only on XP and 2K3 or can it happens on Vista or Windows

7 to?

Certainly it might happen (although its more rare) in Vista. I have yet to
see it happen in Windows 7, but such uses can be hard to track down so my
approach has been to leave the tests in place.

Rod