Hi, I’m developping a encypt/decrypt mini-filter.
I encounted system crash after calling FltCancelFileOpen at post create callback function
DFS_FILE_SYSTEM
STOP : 0x00000082 (0xF83EAEA2,0xF83E993F,0x00000000,0x00000000)
Mup.sys - Address F83EAEA2 base at F83DF000, DateStamp 41107ef8
Mup.sys - Address F83E993F base at F83DF000, DateStamp 41107ef8
On Vista, My filter works well.
On XP sp2, If target file is on a local disk or windows server(Win2000,Win2003), it works well too.
On XP sp2 and target file is on samba-sever, system crashed.
My post create routine is like this…
ulProcID = FltGetRequestorProcessId(pData);
status = FltGetStreamContext(pFltObjects->Instance,pFltObjects->FileObject,(PFLT_CONTEXT *)&pStreamContext);
if(!NT_SUCCESS( status))
return FLT_POSTOP_FINISHED_PROCESSING;
ulProcIDAllowed = pStreamContext->procID;
FltReleaseContext(pStreamContext);
if(ulProcIDAllowed != ulProcID)
{
if(pFltObjects->FileObject->Flags & FO_HANDLE_CREATED)
DbgPrint(“PostCreate : FO_HANDLE_CREATED is set, Skip FltCancelFileOpen\n”);
else
FltCancelFileOpen(pFltObjects->Instance,pFltObjects->FileObject);
pData->IoStatus.Status = STATUS_ACCESS_DENIED;
pData->IoStatus.Information = 0;
FltSetCallbackDataDirty(pData);
}
return FLT_POSTOP_FINISHED_PROCESSING;
I want to cancel create operation when the object has STREAM context and
requestor process is not allowed to access to target stream.
For example, ulProcID is explorer.exe and ulProcIDAllowed is winword.exe.
I think file mapping and file cache are related, because notepad, ms-paint and adobereader have no problem.
winword, excel, powerpoint have problem.
(notepad is using file mapping but it works well, I don’t know why…)
Dose FltCancelFileOpen still have bugs?
Joe90 , Japan