What is the meaning of FLTFL_IO_OPERATION_NON_CACHED in FltReadFile() ?
For each time I am using Microsoft Security Essentials with my minifilter driver with
FLTFL_IO_OPERATION_NON_CACHED set in FltReadFile(), it hangs the system
( Windows 7 x86 ) n the middle way during a Quick scan and I can’t find reason why.
QUESTIONS:
-
Is there any plain explanation ?
-
I can’t understand with MSDN document version of FltReadFile(), is there any other help, resource or link recommends ?
-
Is it neccessary to put FLTFL_IO_OPERATION_NON_CACHED flag in FltReadFile() ?
> 2. I can’t understand with MSDN document version of FltReadFile(), is
there any other help, resource or link recommends ?
This indicates that you probably need to start a few steps back. Do you
understand the difference between a cached and a non cached read? Do you
understand the difference between a paging and a non paging read. It is
absolutely essential that you do.
I suspect that you may be struggling because the kernel mode vocabulary can
be a bit weird - If you are coming from the Application side them
FILE_FLAG_NO_BUFFERING might be the mental clue.
I am not sure that *I* can help you since the MSDN documentation makes
perfect sense to me (one of those cases where knowing to much makes teaching
hard). Someone setting that flag is saying “Do not do this read via the
[Filesystem] cache. Go to the oxide and give me what is there”.
- Is there any plain explanation ?
There is an implication when this flag is set that the filesystem will also
flush the cache so as to (help to preserved) coherency. My guess that it
is this flush that is causing you problems.
- Is it neccessary to put FLTFL_IO_OPERATION_NON_CACHED flag in
FltReadFile() ?
Only if you want to read directly from the disk, and not use the cache.
There is a large number of reasons why you might want to do this (for
instance avoiding cache saturation) , although I’ll admit that it is more
commonly seen in associate with a write.
Rod