Tracking transacted registry operations in MiniFilter - CmGetBoundTransaction?

Hey everyone -

First some context: I am writing a filesystem minifilter that also needs to support tracking of changes made to the registry, and knowing whether they are attached to a tranaction that might get rolled-back.

I have implemented code to do this for filesystem transactions in a manner similar to the minispy sample in the latest (6001.18002) WDK. My code uses Filter Manager managed Transaction Contexts to store some custom data that I use to help track the activities associated with transactions, and all is well there. (Enlists in transactions to get completion callbacks, etc.)

My filter also registers a callback with CmRegisterCallback in order to track registry operations. The documentation on Transacted Registry operations at the driver level seems to be pretty thin. It looks to me like the API CmGetBoundTransaction() will return a pointer to the transaction object (if there is one) that is related to that particular registry operation.

Two questions:

  1. Is CmGetBoundTransaction() the right way to do this? If so, I’ll get an opaque pointer to a transacion object in return. I could use this value in a call to FltGetTransactionContext() to get at my own tracking context for that particular transaction (if I have one yet), but in the context (sorry to keep using that word!) of that RegistryCallback(), what would be my PFLT_INSTANCE value? Is there some way to obtain that, or trick I should use (with the callback cookie or something) to store it? (It is normally passed in to most of the Filter Manager pre and post callbacks, but not in RegistryCallback from the configuration manager).

  2. Does my lack of a complete understanding of this stuff expose me as an idiot, in which case could somebody be so kind as to point me in the direction of information that might improve my condition?

Thanks in advance,

  • Andy