I have a driver that does file checking - think anti-virus scans for example. When a process reads a file, the driver intercepts IRP_MJ_READ, and if the read is from a few special processes (my scanner, other anti-virus scanners, Windows Defender, etc) they pass through immediately, otherwise a request is sent to my service first. Those requests to the service (via FltSendMessage with a timeout) might happen right there on the IRP_MJ_READ thread, or the request might get deferred and then handled in a worker thread. There are lots of protections and checks for all sorts of things (ignore the paging path, etc, etc).
That call to my service (via FltSendMessage) causes my application to open the file and scan it (thus sending in another IRP_MJ_READ, which should pass through my driver immediately).
Everything works perfectly 99.9% of the time, except that sometimes my process’ read seems to get stuck behind the first read (which may or may not have been deferred). I can tell this because my process Win32 ReadFile call will take the exact amount of time as the FltSendMessage timeout - if the timeout happens, the paused/deferred IRP_MJ_READ proceeds unhindered, and then the ReadFile finishes immediately. 99.9% of the time the ReadFile happens much, much faster than the timeout that is blocking the first IRP_MJ_READ.
I’m trying to understand what might cause my service’ read to get stuck behind the paused/deferred read. I’m guessing the I/O Manager is mixed up in this somehow. Also note that this can happen on small text files, so I wouldn’t think it involves paging.
Can anyone point me to some documentation or give me some hints what to look for?
Thanks everyone.