Which is the area where the sample lives?
/filesys/miniFilter/
Describe the issue
I set the StartType to 1 (SERVICE_SYSTEM_START). After installing the sample driver and rebooting the system:
In DfPostCreateCallback, if Data->Iopb->TargetFileObject->FileName is "\pagefile.sys" or "\swapfile.sys", the call to DfGetOrSetContext returns error 0xC00000BB (STATUS_NOT_SUPPORTED).
In this scenario, FltReleaseContext is not called to release the streamContext in either DfPostCreateCallback or DfGetOrSetContext. This causes the driver to fail to unload properly.
Checking with the WinDbg command !fltkd.filter <addr> 8 1 shows that two FLT_CONTEXT references remain unreleased:
Object usage/reference information:
References to FLT_CONTEXT : 2
Allocations of FLT_CALLBACK_DATA : 0
Allocations of FLT_DEFERRED_IO_WORKITEM : 0
Allocations of FLT_GENERIC_WORKITEM : 0
References to FLT_FILE_NAME_INFORMATION : 0
Open files : 0
References to FLT_OBJECT : 0
List of objects used/referenced::
FLT_VERIFIER_OBJECT: ffffb289c1607b90
Object: ffffe688e6d6d620 Type: FLT_CONTEXT RefCount: 00000001
FLT_VERIFIER_OBJECT: ffffb289c16072f0
Object: ffffe688e6d6f4c0 Type: FLT_CONTEXT RefCount: 00000001
Relevant code locations:
delete.inf#L95
delete.c#L2716
delete.c#L1241
delete.c#L2742
Which is the area where the sample lives?
/filesys/miniFilter/
Describe the issue
I set the
StartTypeto 1 (SERVICE_SYSTEM_START). After installing the sample driver and rebooting the system:In
DfPostCreateCallback, ifData->Iopb->TargetFileObject->FileNameis"\pagefile.sys"or"\swapfile.sys", the call toDfGetOrSetContextreturns error0xC00000BB(STATUS_NOT_SUPPORTED).In this scenario,
FltReleaseContextis not called to release thestreamContextin eitherDfPostCreateCallbackorDfGetOrSetContext. This causes the driver to fail to unload properly.Checking with the WinDbg command
!fltkd.filter <addr> 8 1shows that twoFLT_CONTEXTreferences remain unreleased:Relevant code locations:
delete.inf#L95
delete.c#L2716
delete.c#L1241
delete.c#L2742