I’m writing a filesystem filter driver for win2k that tracks files using
the method outlined on the OSR faq. That is, it queries the filename
during the create completion routine and hashes a context structure based
on fsContext. The structure is reference counted and it is not deleted
until the image and data section object pointers are null during close.
However, my driver can start and stop and I’m interested in tracking files
that were opened before my driver loads. I would also like to track
metadata files. Since I do not receive the IRP_MJ_CREATE irp for metadata
files and I miss the create for files opened before my driver loads, I
want to add a tracking entry during the read/write path for any unknown
file.
From searching list archives, I’ve learned that querying the filesystem
for a filename is not safe in all situations. In particular, when the
IRP_PAGING_IO flag is set or when the top level irp is not null.
However, filemon appears to query for names during the read/write irp
path. How is it avoiding potential deadlocks? Is there a method for
associating metadata reads/writes with a filename that succeeds in every
case?
Thanks for any insight,
Michael