trouble with FltSendMessage & FilterGetMessage

NTFSD
1

Hi,

I’m getting BSOD’s while sending I/O PFLT_PRE_OPERATION_CALLBACK and
PFLT_POST_OPERATION_CALLBACK trace info up to my user-mode application.
I’m probably overlooking something simple here. Here’s the pertinent
code:

Kernel:

// This the code that is called each time a IRP pre/post operation is
generated.

REPFS_IO_NOTIFICATION io_notification;

ULONG replyLength;

NTSTATUS status;

io_notification.Command = (preOp) ? cmd_IoPreOperation :
cmd_IoPostOperation;

io_notification.IrpFlags = Data->Iopb->IrpFlags;

io_notification.MajorFunction = Data->Iopb->MajorFunction;

io_notification.MinorFunction = Data->Iopb->MinorFunction;

io_notification.OperationFlags = Data->Iopb->OperationFlags;

io_notification.Reserved = 0;

replyLength = sizeof(REPFS_IO_REPLY);

status = FltSendMessage(g_FilterHandle, &g_ClientPort,

&io_notification, sizeof(REPFS_IO_NOTIFICATION),

&io_notification, &replyLength, NULL);

User-space:

// This is the thread worker function that gets all the messages from
the minifilter.

REPFS_IO_MESSAGE io_notification;

REPFS_IO_REPLY_MESSAGE io_reply;

HRESULT hResult = S_OK;

printf(“Entering the worker thread loop…\n”);

while (hResult == S_OK && g_quit_state == eRunning)

{

hResult = FilterGetMessage(data.hPort,
(PFILTER_MESSAGE_HEADER)&io_notification,

sizeof(REPFS_IO_MESSAGE), NULL);

if (hResult != S_OK && hResult != HRESULT_FROM_WIN32(ERROR_IO_PENDING))

break;

if (io_notification.Notification.Command == cmd_IoPreOperation)

{

printf(“I/O Pre-Operation: Major=%lu, Minor=%lu\n”,

io_notification.Notification.MajorFunction,

io_notification.Notification.MinorFunction);

}

else if (io_notification.Notification.Command ==
cmd_IoPostOperation)

{

printf(“I/O Post-Operation: Major=%lu, Minor=%lu\n”,

io_notification.Notification.MajorFunction,

io_notification.Notification.MinorFunction);

}

else

{

printf(“Unknown command!\n”);

}

if (io_notification.Notification.Command == cmd_IoPreOperation ||

io_notification.Notification.Command == cmd_IoPostOperation)

{

io_reply.Reply.NotificationReceived = TRUE;

printf(“Replying to message, NotificationReceived: %d\n”,

io_reply.Reply.NotificationReceived);

HRESULT hr = FilterReplyMessage(data.hPort,

(PFILTER_REPLY_HEADER)&io_reply,

sizeof(io_reply));

if (SUCCEEDED(hr))

printf(“Reply to message successful\n”);

else

printf(“Error replying to message: Error 0x%X\n”, hr);

}

}

printf(“Exiting the worker thread loop…\n”);

2

I guess your problem is that you call FltSendMessage on PostOp which may run
at DISPATCH_LEVEL. The doc for FltSendMessage says:

“Callers of FltSendMessage must be running at IRQL <= APC_LEVEL”

“Yourch, Chris” wrote news:xxxxx@ntfsd…
Hi,

I’m getting BSOD’s while sending I/O PFLT_PRE_OPERATION_CALLBACK and
PFLT_POST_OPERATION_CALLBACK trace info up to my user-mode application. I’m
probably overlooking something simple here. Here’s the pertinent code:

Kernel:
// This the code that is called each time a IRP pre/post operation is
generated.
REPFS_IO_NOTIFICATION io_notification;
ULONG replyLength;
NTSTATUS status;

io_notification.Command = (preOp) ? cmd_IoPreOperation :
cmd_IoPostOperation;
io_notification.IrpFlags = Data->Iopb->IrpFlags;
io_notification.MajorFunction = Data->Iopb->MajorFunction;
io_notification.MinorFunction = Data->Iopb->MinorFunction;
io_notification.OperationFlags = Data->Iopb->OperationFlags;
io_notification.Reserved = 0;

replyLength = sizeof(REPFS_IO_REPLY);

status = FltSendMessage(g_FilterHandle, &g_ClientPort,
&io_notification, sizeof(REPFS_IO_NOTIFICATION),
&io_notification, &replyLength, NULL);

User-space:
// This is the thread worker function that gets all the messages from the
minifilter.
REPFS_IO_MESSAGE io_notification;
REPFS_IO_REPLY_MESSAGE io_reply;
HRESULT hResult = S_OK;

printf(“Entering the worker thread loop…\n”);

while (hResult == S_OK && g_quit_state == eRunning)
{
hResult = FilterGetMessage(data.hPort,
(PFILTER_MESSAGE_HEADER)&io_notification,
sizeof(REPFS_IO_MESSAGE), NULL);

if (hResult != S_OK && hResult != HRESULT_FROM_WIN32(ERROR_IO_PENDING))
break;

if (io_notification.Notification.Command == cmd_IoPreOperation)
{
printf(“I/O Pre-Operation: Major=%lu, Minor=%lu\n”,
io_notification.Notification.MajorFunction,
io_notification.Notification.MinorFunction);
}
else if (io_notification.Notification.Command == cmd_IoPostOperation)
{
printf(“I/O Post-Operation: Major=%lu, Minor=%lu\n”,
io_notification.Notification.MajorFunction,
io_notification.Notification.MinorFunction);
}
else
{
printf(“Unknown command!\n”);
}

if (io_notification.Notification.Command == cmd_IoPreOperation ||
io_notification.Notification.Command == cmd_IoPostOperation)
{
io_reply.Reply.NotificationReceived = TRUE;
printf(“Replying to message, NotificationReceived: %d\n”,
io_reply.Reply.NotificationReceived);

HRESULT hr = FilterReplyMessage(data.hPort,
(PFILTER_REPLY_HEADER)&io_reply,
sizeof(io_reply));

if (SUCCEEDED(hr))
printf(“Reply to message successful\n”);
else
printf(“Error replying to message: Error 0x%X\n”, hr);
}
}

printf(“Exiting the worker thread loop…\n”);

3

How do I know what my IRQL level is? Is there a function I can call to
check this?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of frank
Sent: Saturday, June 02, 2007 4:51 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] trouble with FltSendMessage & FilterGetMessage

I guess your problem is that you call FltSendMessage on PostOp which may
run
at DISPATCH_LEVEL. The doc for FltSendMessage says:

“Callers of FltSendMessage must be running at IRQL <= APC_LEVEL”

“Yourch, Chris” wrote news:xxxxx@ntfsd…
Hi,

I’m getting BSOD’s while sending I/O PFLT_PRE_OPERATION_CALLBACK and
PFLT_POST_OPERATION_CALLBACK trace info up to my user-mode application.
I’m
probably overlooking something simple here. Here’s the pertinent code:

Kernel:
// This the code that is called each time a IRP pre/post operation is
generated.
REPFS_IO_NOTIFICATION io_notification;
ULONG replyLength;
NTSTATUS status;

io_notification.Command = (preOp) ? cmd_IoPreOperation :
cmd_IoPostOperation;
io_notification.IrpFlags = Data->Iopb->IrpFlags;
io_notification.MajorFunction = Data->Iopb->MajorFunction;
io_notification.MinorFunction = Data->Iopb->MinorFunction;
io_notification.OperationFlags = Data->Iopb->OperationFlags;
io_notification.Reserved = 0;

replyLength = sizeof(REPFS_IO_REPLY);

status = FltSendMessage(g_FilterHandle, &g_ClientPort,
&io_notification, sizeof(REPFS_IO_NOTIFICATION),
&io_notification, &replyLength, NULL);

User-space:
// This is the thread worker function that gets all the messages from
the
minifilter.
REPFS_IO_MESSAGE io_notification;
REPFS_IO_REPLY_MESSAGE io_reply;
HRESULT hResult = S_OK;

printf(“Entering the worker thread loop…\n”);

while (hResult == S_OK && g_quit_state == eRunning)
{
hResult = FilterGetMessage(data.hPort,
(PFILTER_MESSAGE_HEADER)&io_notification,
sizeof(REPFS_IO_MESSAGE), NULL);

if (hResult != S_OK && hResult != HRESULT_FROM_WIN32(ERROR_IO_PENDING))
break;

if (io_notification.Notification.Command == cmd_IoPreOperation)
{
printf(“I/O Pre-Operation: Major=%lu, Minor=%lu\n”,
io_notification.Notification.MajorFunction,
io_notification.Notification.MinorFunction);
}
else if (io_notification.Notification.Command ==
cmd_IoPostOperation)
{
printf(“I/O Post-Operation: Major=%lu, Minor=%lu\n”,
io_notification.Notification.MajorFunction,
io_notification.Notification.MinorFunction);
}
else
{
printf(“Unknown command!\n”);
}

if (io_notification.Notification.Command == cmd_IoPreOperation ||
io_notification.Notification.Command == cmd_IoPostOperation)
{
io_reply.Reply.NotificationReceived = TRUE;
printf(“Replying to message, NotificationReceived: %d\n”,
io_reply.Reply.NotificationReceived);

HRESULT hr = FilterReplyMessage(data.hPort,
(PFILTER_REPLY_HEADER)&io_reply,
sizeof(io_reply));

if (SUCCEEDED(hr))
printf(“Reply to message successful\n”);
else
printf(“Error replying to message: Error 0x%X\n”, hr);
}
}

printf(“Exiting the worker thread loop…\n”);


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@replicus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

4

“Yourch, Chris” wrote in message news:xxxxx@ntfsd…
How do I know what my IRQL level is? Is there a function I can call to
check this?

KeGetCurrentIrql()


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply