I make the next in IRP_MJ_WRITE preoperation callback:
FLT_PREOP_CALLBACK_STATUS PreWrite( PFLT_CALLBACK_DATA cbd,
PCFLT_RELATED_OBJECTS fltObjs, PVOID* ctx )
{
NTSTATUS st ;
PFLT_PARAMETERS par = &cbd->Iopb->Parameters ;
ULONG written ;
st = FltWriteFile( cbd->Iopb->TargetInstance, cbd->Iopb->TargetFileObject,
&par->Write.ByteOffset, par->Write.Length, par->Write.WriteBuffer, 0, &written, NULL, NULL ) ;
cbd->IoStatus.Status = st ;
cbd->IoStatus.Information = ( st == STATUS_SUCCESS ) ? written : 0 ;
return FLT_PREOP_COMPLETE ;
}
Then I make test in user mode by CreateFile(), WriteFile(), CloseHandle()
If file is absent before test then it seems that data is written to file. Neverthless after termination of test application I see that PreWrite is called infinitely every 2 seconds.
What should be done after calling of FltWriteFile that this does not take place?
If I had to hazard a guess, I’d guess you are taking paging I/O operations and converting them into cached I/O operations. So the memory manager writes the data out (non-cached paging I/O) and you perform a cached write, which writes to the pages. Since the pages are dirty, they get written again… and again.
Another possibility is that you get an error back from the FSD and since the pages aren’t clean, the memory manager keeps trying to write the pages back to the file system every few seconds.
My advice: break into your call in the debugger and look at the stack trace. That will tell you where the writes originate. Knowing that it will be easier to suggest what’s causing the repeated writes. Watch the error path - I suspect you’re getting an error back.
If my hypothesis is correct, you will need to handle paging I/O operations differently.