IRP_MJ_NETWORK_QUERY_OPEN on W2K8/Win7

I seem to be having a problem filtering IRP_MJ_NETWORK_QUERY_OPEN in my mini-filter on W2K8 and Win7. This same code has worked fine for months on W2K3 and XP.

From the pre callback I call FltCreateFileEx for FILE_READ_ATTRIBUTES to see if the file exists and to determine if it is a file or folder. If it does not exist I want to do something about it.

The problem I am having is that the second call to FltCreateFileEx below tends to lead to a stack overflow due to infinite recursion. I have not seen it BSOD for a file yet.

Am I doing something silly?
Why is this happening only on W2K8 and Win7?
How do I prevent the recursive calls?

I call FltCreateFileEx as shown below and I have verified that Instance is valid. I do not see any legecy filters on the stack. Only my minifilter, Filter Manager, nt, and ntdll.

InitializeObjectAttributes(&oa, pFileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

status = FltCreateFileEx(g_FilterHandle,
Instance,
&hFileHandle,
NULL,
SYNCHRONIZE, //FILE_READ_ATTRIBUTES,
&oa,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE,
NULL,
0,
0);

if(status == STATUS_FILE_IS_A_DIRECTORY){
//
// This is a folder
//
if(pbIsFolder != NULL){
*pbIsFolder = TRUE;
}

status = FltCreateFileEx(g_FilterHandle,
Instance,
&hFileHandle,
NULL,
FILE_READ_ATTRIBUTES,
&oa,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OPEN,
FILE_DIRECTORY_FILE,
NULL,
0,
0);
}

Thanks in advance for any help anyone can offer.

Erik

Please note a correction on the first call to FltCreateFileEx. I really do pass FILE_READ_ATTRIBUTES, not SYNCHRONIZE.

Sorry for the typo.

>The problem I am having is that the second call to FltCreateFileEx below

tends to lead to a stack overflow due to infinite recursion.

If you post the stack at the time of the overflow you might get more people
taking a shot at what the problem could be. Don’t forget to increase the
default stack depth (I usually do “.kframes 1000”, which sets it to the max
depth).

-scott

–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

wrote in message news:xxxxx@ntfsd…
>I seem to be having a problem filtering IRP_MJ_NETWORK_QUERY_OPEN in my
>mini-filter on W2K8 and Win7. This same code has worked fine for months on
>W2K3 and XP.
>
> From the pre callback I call FltCreateFileEx for FILE_READ_ATTRIBUTES to
> see if the file exists and to determine if it is a file or folder. If it
> does not exist I want to do something about it.
>
> The problem I am having is that the second call to FltCreateFileEx below
> tends to lead to a stack overflow due to infinite recursion. I have not
> seen it BSOD for a file yet.
>
> Am I doing something silly?
> Why is this happening only on W2K8 and Win7?
> How do I prevent the recursive calls?
>
> I call FltCreateFileEx as shown below and I have verified that Instance is
> valid. I do not see any legecy filters on the stack. Only my minifilter,
> Filter Manager, nt, and ntdll.
>
> InitializeObjectAttributes(&oa, pFileName, OBJ_CASE_INSENSITIVE |
> OBJ_KERNEL_HANDLE, NULL, NULL);
>
> status = FltCreateFileEx(g_FilterHandle,
> Instance,
> &hFileHandle,
> NULL,
> SYNCHRONIZE, //FILE_READ_ATTRIBUTES,
> &oa,
> &Iosb,
> NULL,
> FILE_ATTRIBUTE_NORMAL,
> FILE_SHARE_READ | FILE_SHARE_WRITE |
> FILE_SHARE_DELETE,
> FILE_OPEN,
> FILE_NON_DIRECTORY_FILE,
> NULL,
> 0,
> 0);
>
> if(status == STATUS_FILE_IS_A_DIRECTORY){
> //
> // This is a folder
> //
> if(pbIsFolder != NULL){
> *pbIsFolder = TRUE;
> }
>
> status = FltCreateFileEx(g_FilterHandle,
> Instance,
> &hFileHandle,
> NULL,
> FILE_READ_ATTRIBUTES,
> &oa,
> &Iosb,
> NULL,
> FILE_ATTRIBUTE_NORMAL,
> FILE_SHARE_READ | FILE_SHARE_WRITE |
> FILE_SHARE_DELETE,
> FILE_OPEN,
> FILE_DIRECTORY_FILE,
> NULL,
> 0,
> 0);
> }
>
>
> Thanks in advance for any help anyone can offer.
>
> Erik
>

As requested:

For stack limits:

kd> !thread
THREAD 8fdcb358 Cid 04a4.08f0 Teb: 7ffd8000 Win32Thread: fe8191c0 RUNNING on processor 0
Not impersonating
DeviceMap 8e58f020
Owning Process 0 Image:
Attached Process 8fd2e970 Image: explorer.exe
Wait Start TickCount 27727 Ticks: 0
Context Switch Count 1157
UserTime 00:00:00.031
KernelTime 00:00:00.531
Win32 Start Address BROWSEUI!BrowserNewThreadProc (0x723e0455)
Stack Init 8ec63fe0 Current 8ec625a0 Base 8ec64000 Limit 8ec61000 Call 42c
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5

At point of stack overflow:

nt!MiDoReplacement+0x14
816b09ed 53 push ebx

kd> .kframes 1000
Default stack trace depth is 0n4096 frames
kd> kbn
# ChildEBP RetAddr Args to Child
00 81736bbc 81711257 00000003 aa0182f7 00000000 nt!RtlpBreakWithStatusInstruction
01 81736c0c 81711d3d 00000003 8fd2e970 00000000 nt!KiBugCheckDebugBreak+0x1c
02 81736fdc 8169db3e 0000007f 00000008 80154000 nt!KeBugCheck2+0x66d
03 81736fdc 816b09ed 0000007f 00000008 80154000 nt!KiTrap08+0x75
04 8ec6100c 816b087c 00000000 82ab9020 8fdcb358 nt!MiDoReplacement+0x14
05 8ec61034 81714f8b c04a3110 82ab9020 00000000 nt!MiAllocateWsle+0x33
06 8ec61058 816db9c4 00000000 8175c7e0 00000ff0 nt!MiMakeSpecialPoolPaged+0xa5
07 8ec61138 81692a9b 00000034 4c4f5452 00000041 nt!MmAllocateSpecialPool+0x8a4
08 8ec61160 81927f2a 00000041 00000034 4c4f5452 nt!ExAllocatePoolWithTagPriority+0x2f
09 8ec61194 81927afd 00000041 00000034 4c4f5452 nt!VeAllocatePoolWithTagPriority+0x13c
0a 8ec611b4 90c758f1 00000001 00000030 4c4f5452 nt!VerifierExAllocatePoolWithTag+0x41
0b 8ec611f4 821cb34c 9046d3e8 8ec61254 8ec61274 MyDriver!PreNetQueryOpen+0x291 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 102]
0c 8ec61234 821a8809 0046d3e8 8ec61254 8ec61274 fltmgr!FltvPreOperation+0x60
0d 8ec61290 821aac6a 8ec612cc 8ec61648 94636e70 fltmgr!FltpPerformPreCallbacks+0x2e5
0e 8ec612a8 821bdcab 00c612cc 8ec61580 94636fdc fltmgr!FltpPassThroughFastIo+0x3c
0f 8ec612ec 81864a9a 94636e70 8ec61648 862cb528 fltmgr!FltpFastIoQueryOpen+0xe7
10 8ec613c8 8188a3cf 862cbb98 00000000 9046d5b0 nt!IopParseDevice+0xd24
11 8ec61458 818620c6 00000000 8ec614b0 00000240 nt!ObpLookupObjectName+0x5a8
12 8ec614bc 818982a3 8ec61a7c 00000000 9046da00 nt!ObOpenObjectByName+0x13c
13 8ec61614 81897d6b 00000080 9046da00 8ec61640 nt!IopFastQueryNetworkAttributes+0xfb
14 8ec61684 81864f86 9046da00 a5b4f9a3 9046dadc nt!IopQueryNetworkAttributes+0x3f
15 8ec61758 8188a3cf 862cbb98 00000000 9046da38 nt!IopParseDevice+0x1204
16 8ec617e8 818620c6 00000000 8ec61840 00000240 nt!ObpLookupObjectName+0x5a8
17 8ec61848 81863bc3 8ec61a7c 00000000 821b6b00 nt!ObOpenObjectByName+0x13c
18 8ec618bc 8186a51d 8ec61a9c 00000080 8ec61a7c nt!IopCreateFile+0x63b
19 8ec61918 821c07dc 8ec61a9c 00000080 8ec61a7c nt!IoCreateFileEx+0x9d
1a 8ec6199c 821c0911 904103d8 904134d0 8ec61a9c fltmgr!FltCreateFileEx2+0xae
1b 8ec619e4 821cd249 904103d8 904134d0 8ec61a9c fltmgr!FltCreateFileEx+0x39
1c 8ec61a34 90c5d6a7 9046c390 904134d0 8ec61a9c fltmgr!FltvCreateFileEx+0x4b
1d 8ec61aa0 90c7608c 947cefe4 904134d0 8ec61abb MyDriver!FileExists+0xe7 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\fileutils.c @ 601]
1e 8ec61abc 90c75c75 9046d068 947cebb0 947dafa0 MyDriver!MyNetGetFile+0x8c [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 358]
1f 8ec61afc 821cb34c 9046d068 8ec61b5c 8ec61b7c MyDriver!PreNetQueryOpen+0x615 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 253]
20 8ec61b3c 821a8809 0046d068 8ec61b5c 8ec61b7c fltmgr!FltvPreOperation+0x60
21 8ec61b98 821aac6a 8ec61bd4 8ec61f50 94664e70 fltmgr!FltpPerformPreCallbacks+0x2e5
22 8ec61bb0 821bdcab 00c61bd4 8ec61e88 94664fdc fltmgr!FltpPassThroughFastIo+0x3c
23 8ec61bf4 81864a9a 94664e70 8ec61f50 862cb528 fltmgr!FltpFastIoQueryOpen+0xe7
24 8ec61cd0 8188a3cf 862cbb98 00000000 9046c810 nt!IopParseDevice+0xd24
25 8ec61d60 818620c6 00000000 8ec61db8 00000240 nt!ObpLookupObjectName+0x5a8
26 8ec61dc4 818982a3 8ec62384 00000000 9046ca00 nt!ObOpenObjectByName+0x13c
27 8ec61f1c 81897d6b 00000080 9046ca00 8ec61f48 nt!IopFastQueryNetworkAttributes+0xfb
28 8ec61f8c 81864f86 9046ca00 a5b4ce9b 9046cb9c nt!IopQueryNetworkAttributes+0x3f
29 8ec62060 8188a3cf 862cbb98 00000000 9046caf8 nt!IopParseDevice+0x1204
2a 8ec620f0 818620c6 00000000 8ec62148 00000240 nt!ObpLookupObjectName+0x5a8
2b 8ec62150 81863bc3 8ec62384 00000000 821b6b00 nt!ObOpenObjectByName+0x13c
2c 8ec621c4 8186a51d 8ec623a4 00000080 8ec62384 nt!IopCreateFile+0x63b
2d 8ec62220 821c07dc 8ec623a4 00000080 8ec62384 nt!IoCreateFileEx+0x9d
2e 8ec622a4 821c0911 904103d8 904134d0 8ec623a4 fltmgr!FltCreateFileEx2+0xae
2f 8ec622ec 821cd249 904103d8 904134d0 8ec623a4 fltmgr!FltCreateFileEx+0x39
30 8ec6233c 90c5d6a7 9046a318 904134d0 8ec623a4 fltmgr!FltvCreateFileEx+0x4b
31 8ec623a8 90c7608c 947a8fe4 904134d0 8ec623c3 MyDriver!FileExists+0xe7 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\fileutils.c @ 601]
32 8ec623c4 90c75c75 9046ce40 947a8bb0 947defa0 MyDriver!MyNetGetFile+0x8c [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 358]
33 8ec62404 821cb34c 9046ce40 8ec62464 8ec62484 MyDriver!PreNetQueryOpen+0x615 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 253]
34 8ec62444 821a8809 0046ce40 8ec62464 8ec62484 fltmgr!FltvPreOperation+0x60
35 8ec624a0 821aac6a 8ec624dc 8ec62858 9475ee70 fltmgr!FltpPerformPreCallbacks+0x2e5
36 8ec624b8 821bdcab 00c624dc 8ec62790 9475efdc fltmgr!FltpPassThroughFastIo+0x3c
37 8ec624fc 81864a9a 9475ee70 8ec62858 862cb528 fltmgr!FltpFastIoQueryOpen+0xe7
38 8ec625d8 8188a3cf 862cbb98 00000000 9046c008 nt!IopParseDevice+0xd24
39 8ec62668 818620c6 00000000 8ec626c0 00000240 nt!ObpLookupObjectName+0x5a8
3a 8ec626cc 818982a3 8ec62c8c 00000000 9046b500 nt!ObOpenObjectByName+0x13c
3b 8ec62824 81897d6b 00000080 9046b500 8ec62850 nt!IopFastQueryNetworkAttributes+0xfb
3c 8ec62894 81864f86 9046b500 a5b4c793 9046b5cc nt!IopQueryNetworkAttributes+0x3f
3d 8ec62968 8188a3cf 862cbb98 00000000 9046b528 nt!IopParseDevice+0x1204
3e 8ec629f8 818620c6 00000000 8ec62a50 00000240 nt!ObpLookupObjectName+0x5a8
3f 8ec62a58 81863bc3 8ec62c8c 00000000 821b6b00 nt!ObOpenObjectByName+0x13c
40 8ec62acc 8186a51d 8ec62cac 00000080 8ec62c8c nt!IopCreateFile+0x63b
41 8ec62b28 821c07dc 8ec62cac 00000080 8ec62c8c nt!IoCreateFileEx+0x9d
42 8ec62bac 821c0911 904103d8 904134d0 8ec62cac fltmgr!FltCreateFileEx2+0xae
43 8ec62bf4 821cd249 904103d8 904134d0 8ec62cac fltmgr!FltCreateFileEx+0x39
44 8ec62c44 90c5d6a7 90469750 904134d0 8ec62cac fltmgr!FltvCreateFileEx+0x4b
45 8ec62cb0 90c7608c 94720fe4 904134d0 8ec62ccb MyDriver!FileExists+0xe7 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\fileutils.c @ 601]
46 8ec62ccc 90c75c75 9046bb58 94720bb0 94776fa0 MyDriver!MyNetGetFile+0x8c [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 358]
47 8ec62d0c 821cb34c 9046bb58 8ec62d6c 8ec62d8c MyDriver!PreNetQueryOpen+0x615 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 253]
48 8ec62d4c 821a8809 0046bb58 8ec62d6c 8ec62d8c fltmgr!FltvPreOperation+0x60
49 8ec62da8 821aac6a 8ec62de4 8ec63160 94752e70 fltmgr!FltpPerformPreCallbacks+0x2e5
4a 8ec62dc0 821bdcab 00c62de4 8ec63098 94752fdc fltmgr!FltpPassThroughFastIo+0x3c
4b 8ec62e04 81864a9a 94752e70 8ec63160 862cb528 fltmgr!FltpFastIoQueryOpen+0xe7
4c 8ec62ee0 8188a3cf 862cbb98 00000000 9046bd20 nt!IopParseDevice+0xd24
4d 8ec62f70 818620c6 00000000 8ec62fc8 00000240 nt!ObpLookupObjectName+0x5a8
4e 8ec62fd4 818982a3 8ec63594 00000000 9046b000 nt!ObOpenObjectByName+0x13c
4f 8ec6312c 81897d6b 00000080 9046b000 8ec63158 nt!IopFastQueryNetworkAttributes+0xfb
50 8ec6319c 81864f86 9046b000 a5b4dc8b 9046b0ac nt!IopQueryNetworkAttributes+0x3f
51 8ec63270 8188a3cf 862cbb98 00000000 9046b008 nt!IopParseDevice+0x1204
52 8ec63300 818620c6 00000000 8ec63358 00000240 nt!ObpLookupObjectName+0x5a8
53 8ec63360 81863bc3 8ec63594 00000000 821b6b00 nt!ObOpenObjectByName+0x13c
54 8ec633d4 8186a51d 8ec635b4 00000080 8ec63594 nt!IopCreateFile+0x63b
55 8ec63430 821c07dc 8ec635b4 00000080 8ec63594 nt!IoCreateFileEx+0x9d
56 8ec634b4 821c0911 904103d8 904134d0 8ec635b4 fltmgr!FltCreateFileEx2+0xae
57 8ec634fc 821cd249 904103d8 904134d0 8ec635b4 fltmgr!FltCreateFileEx+0x39
58 8ec6354c 90c5d6a7 904081d8 904134d0 8ec635b4 fltmgr!FltvCreateFileEx+0x4b
59 8ec635b8 90c7608c 94710fe4 904134d0 8ec635d3 MyDriver!FileExists+0xe7 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\fileutils.c @ 601]
5a 8ec635d4 90c75c75 9046a870 94710bb0 94744fa0 MyDriver!MyNetGetFile+0x8c [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 358]
5b 8ec63614 821cb34c 9046a870 8ec63674 8ec63694 MyDriver!PreNetQueryOpen+0x615 [c:\src\MyProduct\2.1\2.1.0.12\MyDriver\netqueryopen.c @ 253]
5c 8ec63654 821a8809 0046a870 8ec63674 8ec63694 fltmgr!FltvPreOperation+0x60
5d 8ec636b0 821aac6a 8ec636ec 8ec63a68 9478ce70 fltmgr!FltpPerformPreCallbacks+0x2e5
5e 8ec636c8 821bdcab 00c636ec 8ec639a0 9478cfdc fltmgr!FltpPassThroughFastIo+0x3c
5f 8ec6370c 81864a9a 9478ce70 8ec63a68 862cb528 fltmgr!FltpFastIoQueryOpen+0xe7
60 8ec637e8 8188a3cf 862cbb98 00000000 9046aa38 nt!IopParseDevice+0xd24
61 8ec63878 818620c6 00000000 8ec638d0 00000040 nt!ObpLookupObjectName+0x5a8
62 8ec638dc 818982a3 032cdb10 00000000 9046ad01 nt!ObOpenObjectByName+0x13c
63 8ec63a34 81897d6b 00100080 9046ad01 8ec63a60 nt!IopFastQueryNetworkAttributes+0xfb
64 8ec63aa4 81864f86 9046ad01 a5b4d583 9046adc4 nt!IopQueryNetworkAttributes+0x3f
65 8ec63b78 8188a3cf 862cbb98 00000000 9046ad20 nt!IopParseDevice+0x1204
66 8ec63c08 818620c6 00000000 8ec63c60 00000040 nt!ObpLookupObjectName+0x5a8
67 8ec63c68 81863bc3 032cdb10 00000000 81861401 nt!ObOpenObjectByName+0x13c
68 8ec63cdc 81854627 032cdb40 00100080 032cdb10 nt!IopCreateFile+0x63b
69 8ec63d24 8169ba1a 032cdb40 00100080 032cdb10 nt!NtOpenFile+0x2a
6a 8ec63d24 772c9a94 032cdb40 00100080 032cdb10 nt!KiFastCallEntry+0x12a
6b 032cdaa8 772c87f4 762dcbe6 032cdb40 00100080 ntdll!KiFastSystemCallRet
6c 032cdaac 762dcbe6 032cdb40 00100080 032cdb10 ntdll!ZwOpenFile+0xc
6d 032cdf58 762ca238 032cdfb4 032ce270 032ce1bc kernel32!GetDriveTypeW+0x2f4
6e 032cdf78 762ca1c0 032cdfb4 032ce1bc 00000032 kernel32!BasepGetVolumeNameForVolumeMountPoint+0x66
6f 032cdf94 7652e3f0 032cdfb4 032ce1bc 00000032 kernel32!GetVolumeNameForVolumeMountPointW+0x27
70 032ce22c 763d6f96 043f9740 032ce270 00000104 SHELL32!CFSFolder::_GetMountingPointInfo+0x8e
71 032ce47c 764235fc 043f9740 043f9740 032ce988 SHELL32!CFSFolder::_GetSize+0x49
72 032ce4a4 76423741 00000001 043f9740 043f9740 SHELL32!CFSFolder::_GetInnateDetailsFromHelper+0x72
73 032ce4d4 764253f3 00000001 043f9740 032ce9a8 SHELL32!CFSFolder::_GetInnateDetailsWithHandlerExceptions+0x61
74 032ce508 74485bdf 0440b148 032ce9a8 032ce988 SHELL32!CFSFolderPropertyStore::GetValue+0x4a
75 032ce550 74485bdf 04374d70 032ce9a8 032ce988 PROPSYS!CMultiplexPropertyStore::GetValue+0xa6
76 032ce598 74485a80 043f93c8 032ce9a8 032ce988 PROPSYS!CMultiplexPropertyStore::GetValue+0xa6
77 032ce5c8 744859e5 032ce9a8 032ce988 00000000 PROPSYS!CPropertyProvider::_GetValue+0x7f
78 032ce5f4 763c878f 043f9020 032ce9a8 032ce988 PROPSYS!CPropertyProvider::GetValue+0x58
79 032ce638 763c8611 032ce9a8 00000000 00000000 SHELL32!ItemStore_ExtractProperty+0x11d
7a 032ce6c0 764c17f6 0437224c 032ce9a8 00000002 SHELL32!ItemStore_GetCachedProperty+0x2cf
7b 032ce6f4 764c17c3 0437224c 032ce9a8 00000002 SHELL32!ItemStore_GetCachedPropertyWithNoBatching+0x2a
7c 032ce724 764c177a 0437224c 032ce9a8 00000002 SHELL32!ItemStore_GetCachedPropertyWithPropStoreOnly+0x20
7d 032ce75c 764c16b6 04374c50 032ce9a8 00000002 SHELL32!CCachedShellItem::GetValue+0xaa
7e 032ce7a4 763c8611 032ce9a8 00f0df20 043e1da8 SHELL32!ItemStore_ExtractProperty+0x165
7f 032ce82c 763df145 0437224c 032ce9a8 00000000 SHELL32!ItemStore_GetCachedProperty+0x2cf
80 032ce890 763df08a 00f0df20 043e1da8 032ce9a8 SHELL32!ItemStore_GetProperty+0x92
81 032ce8e8 763df316 00f0df20 043e1da8 00000000 SHELL32!CDefView::_GetItemProperty+0x75
82 032ce924 763defd0 043e1da8 032ce9a8 00000003 SHELL32!CDefView::_GetItemPropertyForDisplay+0xae
83 032ce9c0 763de83b 032cf280 04820428 032cf280 SHELL32!CDefView::_GetDisplayInfo+0x1bc
84 032cee10 763ddedd 032cf280 00000120 04820428 SHELL32!CDefView::_OnLVNotify+0x57e
85 032cee24 763ec377 032cf280 0001016e 04820428 SHELL32!CDefView::_OnNotify+0x63
86 032ceea8 763ec2b6 0001016e 0000004e 00000001 SHELL32!CDefView::WndProc+0xb1f
87 032ceed4 76eef8d2 0001016e 0000004e 00000001 SHELL32!CDefView::s_WndProc+0x70
88 032cef00 76eef794 763ec256 0001016e 0000004e USER32!InternalCallWinProc+0x23
89 032cef78 76ef06f6 001d5e04 763ec256 0001016e USER32!UserCallWinProcCheckWow+0x14b
8a 032cefa8 76ef069c 763ec256 0001016e 0000004e USER32!CallWindowProcAorW+0x97
8b 032cefc8 74852d51 763ec256 0001016e 0000004e USER32!CallWindowProcW+0x1b
8c 032ceff8 76eef8d2 00000000 0000004e 00000001 DUser!WndBridge::RawWndProc+0xad
8d 032cf024 76eef794 030a0f20 0001016e 0000004e USER32!InternalCallWinProc+0x23
8e 032cf09c 76ef0a05 001d5e04 030a0f20 0001016e USER32!UserCallWinProcCheckWow+0x14b
8f 032cf0dc 76ef0afa 00276d08 0126a0d8 00000001 USER32!SendMessageWorker+0x4b7
90 032cf0fc 746e6b27 0001016e 0000004e 00000001 USER32!SendMessageW+0x7c
91 032cf194 746c0bc8 0024d2c4 ffffff4f 032cf280 comctl32!CCSendNotify+0xbfb
92 032cf2cc 747360a5 032cf3d8 75d76100 032cf6b4 comctl32!CLVItemStore::OnGetItem+0x57e
93 032cf634 746c0209 032cf6b4 00000004 00000004 comctl32!CLVReportView::v_DrawItem+0x208
94 032cf654 746da853 00000000 0024d290 04367fe0 comctl32!CLVDrawItemManager::DrawItem+0x38d
95 032cf76c 746dad04 cf010250 032cf82c 04367fe0 comctl32!CLVDrawManager::_PaintItems+0x26d
96 032cf7a8 746daa92 14010094 032cf82c 0024d290 comctl32!CLVDrawManager::_PaintWorkArea+0xa9
97 032cf7f4 746daa16 14010094 032cf82c 04367fe0 comctl32!CLVDrawManager::_OnPaintWorkAreas+0xd8
98 032cf868 746da971 00000000 0000000f 0024d290 comctl32!CLVDrawManager::_OnPaint+0xea
99 032cf87c 746daafa 00000000 00000000 0024d290 comctl32!CLVDrawManager::OnPaint+0x69
9a 032cf9f0 746df0ec 00010170 0000000f 00000000 comctl32!CListView::WndProc+0xb78
9b 032cfa18 76eef8d2 00010170 0000000f 00000000 comctl32!CListView::s_WndProc+0x4e8
9c 032cfa44 76eef794 746df0b4 00010170 0000000f USER32!InternalCallWinProc+0x23
9d 032cfabc 76ef06f6 001d5e04 746df0b4 00010170 USER32!UserCallWinProcCheckWow+0x14b
9e 032cfaec 76ef069c 746df0b4 00010170 0000000f USER32!CallWindowProcAorW+0x97
9f 032cfb0c 746ecef4 746df0b4 00010170 0000000f USER32!CallWindowProcW+0x1b
a0 032cfb28 746ed073 00010170 0000000f 00000000 comctl32!CallOriginalWndProc+0x1a
a1 032cfb8c 746ed027 043713c0 00010170 0000000f comctl32!CallNextSubclassProc+0x3d
a2 032cfbb0 763df535 00010170 0000000f 00000000 comctl32!DefSubclassProc+0x46
a3 032cfc18 746ed073 00010170 0000000f 00000000 SHELL32!CDefView::s_ListViewSubclassWndProc+0x192
a4 032cfc7c 746ed118 043713c0 00010170 0000000f comctl32!CallNextSubclassProc+0x3d
a5 032cfcdc 76eef8d2 00010170 0000000f 00000000 comctl32!MasterSubclassProc+0x54
a6 032cfd08 76eef794 746ed0d4 00010170 0000000f USER32!InternalCallWinProc+0x23
a7 032cfd80 76ef0817 001d5e04 746ed0d4 00010170 USER32!UserCallWinProcCheckWow+0x14b
a8 032cfddc 76ef0a65 01276dc8 0000000f 00000000 USER32!DispatchClientMessage+0xda
a9 032cfe04 772c99ce 032cfe1c 00000018 032cfe6c USER32! fnDWORD+0x24
aa 032cfe30 76ef02c5 76eea104 032cfea4 2002affb ntdll!KiUserCallbackDispatcher+0x2e
ab 032cfe34 76eea104 032cfea4 2002affb 00000001 USER32!NtUserDispatchMessage+0xc
ac 032cfe7c 76ef0060 746ed0d4 00000000 032cfec8 USER32!DispatchMessageWorker+0x38c
ad 032cfe8c 723df38b 032cfea4 00000002 00000000 USER32!DispatchMessageW+0xf
ae 032cfec8 723e03ae 00000000 00000000 00258418 BROWSEUI!CBrowserFrame::FrameMessagePump+0x14f
af 032cfedc 723e0498 042a5238 00000000 00000000 BROWSEUI!BrowserThreadProc+0x5e
b0 032cfef4 762f4911 042a5238 032cff40 772ae4b6 BROWSEUI!BrowserNewThreadProc+0x43
b1 032cff00 772ae4b6 042a5238 741e4dd4 00000000 kernel32!BaseThreadInitThunk+0xe
b2 032cff40 772ae489 723e0455 042a5238 ffffffff ntdll! RtlUserThreadStart+0x23
b3 032cff58 00000000 723e0455 042a5238 00000000 ntdll!_RtlUserThreadStart+0x1b

Assuming you are passing a valid instance to FltCreateFileEx (to force the create to go below you) this looks like an OS bug to me. The create is generating a query open in the IO manager which is getting bounced back to you.

Correct. This is indeed a bug in the infrastructure that is causing the IRP_MJ_NETWORK_QUERY_OPEN sent while procesing
the FltCreateFile to not be targetted correctly below the caller of FltCreateFile.

The workaround for this for now would be to return FLT_PREOP_DISALLOW_FASTIO from the pre-op callback from
IRP_MJ_NETWORK_QUERY_OPEN if you want to do a create from within that callback. That way, the system will send this down
the IRP path where the create IRP would be targeted right.

Also, important to note, if you are doing a FltCreate or IoCreate to service a IRP_MJ_NETWORK_QUERY_OPEN fast IO request
, you are better off just letting IO manager do this for you by returning FLT_PREOP_DISALLOW_FASTIO.

Regards,
Sarosh.
File System Filter Lead
Microsoft Corp

This posting is provided “AS IS” with no warranties, and confers no Rights

xxxxx@yahoo.com wrote:

Assuming you are passing a valid instance to FltCreateFileEx (to force the create to go below you) this looks like an OS bug to me. The create is generating a query open in the IO manager which is getting bounced back to you.