IO_DEVICE_ERROR with FltWriteFile (plus bonus question)

Hello OSROnline.

Once again, I’m here asking for your help. As I said a few posts ago, my intention is to create a minifilter which backup a file if it has a determied extension and if it opened in WRITE mode (checking the DesiredAccess of the security context), at least every N seconds. That means that the first time I open a file to modify it, it is backupped in another folder (C:\Folder\file.txt gets backed up in C:\Backup\Folder.file.txt). If I open the file to modify it a second time one second later, for example, it is not backed up again since the backup is not “old enough” to justify another backup. At the moment a backup is “old enough” after 30 seconds.

What I’m doing is to check the existance of the backup file (FltCreateFileEx with FILE_OPEN flag). In case I manage to open it, I check for the basic information and in case the backup is old enough, I close it and open it again with FILE_OVERWRITE flag. Then, I proceed with the content copy. The code can be found here: http://pastebin.com/5Hxh9r7h.

Analyzing the whole thing with Procmon, I can see that almost everything is going fine. The problem arise when I test the thing with a very, very simple C program that just append to a file the current time every second. The code is so simple that I wouldn’t almost need pastebin, but I’m still using it for sake of… Well, it’s here: http://pastebin.com/K0eN3SFV.

The problem is that the first backup is created without any problem, but then when the “timer” expires and I want to create a new backup, FltWriteFile starts to return IO_DEVICE_ERROR. I didn’t manage to recreate the “bug” with notepad (manually saving the file each second until the “timer” expiration, increasing everytime the dimension of the file). Every other operation is fine: handle creation and cleanup returns SUCCESS, so I really can’t understand what’s not working here.

I thought about the fact that I’m using asynchronous IO writes that maybe can lead to some sort of problem (maybe the old writes are still there, waiting to be commited?). If I have to be honest, here I’m starting to not understand what I’m talking about, so I’d to ask not also to understand what can cause my error (that is like the main point), but also the difference between asynchronous and synchronous IO operations (I can easily imagine what’s the difference, but when is the latter preferable to the first one? And why?).

Thanks in advance to anyone willing to help me, even if this could be another really newbie question and I’m just missing something!

Well, I have un update: I forgot to specify that I used as COPY_READ_SIZE (length of read from original file / write to backup file) as 4096 byte. I noticed that using that small program I wrote, when the file reached a dimension of around 600 bytes, the error IO_DEVICE_ERROR was returned. I tried to reduce the dimension of a single read/write to 512 bytes, and even in that case now seems to be working. What I cannot understand is why this dimension should influence. I have no problem in backing up the same file if I use notepad, but with that small program, even if the file have not been created yet, the error is returned.

Another update: with 4096 bytes read/writes, when the file becomes greater than 4096 (thus the first write is exactly 4096 bytes) there’s no problem and the IO_DEVICE_ERROR is returned on the second write.

For example

File is 110 bytes
Read 110 bytes
Write 100 bytes - STATUS_SUCCESS

File is 715 bytes
Read 715 bytes
Write 715 bytes - IO_DEVICE_ERROR

File is 5000 bytes
Read 4096 bytes
Write 4096 bytes - STATUS_SUCCESS
Read 904 bytes (5000-4096 already read)
Write 904 bytes - IO_DEVICE_ERROR

What am I missing?

Ok, I managed to fix my multiple mistakes. As said in FltWriteFile, in case of non cached operation ByteOffset and Length must be multiple of sector size and the buffer must be sector aligned. I should read more carefully