Problem while using EvtFileCleanup

Neetu_Sand · October 25, 2010, 8:49am

Hi,

I have written a driver based on WDF. I have implemented EvtFileCleanup event which takes care of actions to be taken when a handle on driver is closed. I have not implemented EvtFileClose because documentation says that it can be called from arbitrary thread context. I want to receive it in the thread context which called “Create”.

Now here is what I am seeing in my driver:

Client opens a handle on this driver and EvtDeviceFileCreate event callback is triggered.
Just after this I see EvtFileCleanup event callback is triggered. Client has not called close but still it gets called!!!
If I implement EvtFileClose then it works as expected i.e. it is called only when client closes the handle to the driver.

Please note that the client here is another kernel driver. I appreciate any insight on this behavior.

cheers, Neetu.

Doron_Holan · October 25, 2010, 10:18am

Is it another driver that is opening the handle? What does the entire callstack look like when the cleanup callback is invoked?

d

dent from a phpne with no keynoard

-----Original Message-----
From: xxxxx@gmail.com
Sent: October 25, 2010 5:49 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem while using EvtFileCleanup

Hi,

I have written a driver based on WDF. I have implemented EvtFileCleanup event which takes care of actions to be taken when a handle on driver is closed. I have not implemented EvtFileClose because documentation says that it can be called from arbitrary thread context. I want to receive it in the thread context which called “Create”.

Now here is what I am seeing in my driver:
- Client opens a handle on this driver and EvtDeviceFileCreate event callback is triggered.
- Just after this I see EvtFileCleanup event callback is triggered. Client has not called close but still it gets called!!!
- If I implement EvtFileClose then it works as expected i.e. it is called only when client closes the handle to the driver.

Please note that the client here is another kernel driver. I appreciate any insight on this behavior.

cheers, Neetu.

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Neetu_Sand · October 27, 2010, 8:50am

Hi Doron,

Thanks for your response. I looked at the call stack when cleanup is called. Here is the what see:

IoGetDeviceObjectPointer from my WDM driver is called in order to establish the connection.
Just after this call, I see a ZwClose in the stack. There is no ZwOpen. So now I know why I get a Cleanup callback!
I searched on the list for IoGetDeviceObjectPointer and I saw posting where other people have run into it. I saw that you have suggested solution to them.
I implemented that solution and it worked.

Now there is one thing which is still not clear to me:
I read on list that IoGetDeviceObjectPointer results in Opening file handle, acquiring file object and device object, closing file handle. Why I don’t see calls to open file handle i.e. ZwOpenFile, instead directly see a close?

cheers, Neetu.

Maxim_S_Shatskih · October 27, 2010, 11:23am

> - IoGetDeviceObjectPointer from my WDM driver is called in order to establish the connection.

Just after this call, I see a ZwClose in the stack.

Internally called by IoGetDeviceObjectPointer.

device object, closing file handle. Why I don’t see calls to open file handle i.e. ZwOpenFile, instead
directly see a close?

Your bug. IoGetDeviceObjectPointer surely calls ZwOpenFile or at least ZwCreateFile.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Doron_Holan · October 27, 2010, 11:37am

It calls ZwCreateFile

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Wednesday, October 27, 2010 8:23 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Problem while using EvtFileCleanup

IoGetDeviceObjectPointer from my WDM driver is called in order to establish the connection.

Just after this call, I see a ZwClose in the stack.

Internally called by IoGetDeviceObjectPointer.

device object, closing file handle. Why I don’t see calls to open file
handle i.e. ZwOpenFile, instead directly see a close?

Your bug. IoGetDeviceObjectPointer surely calls ZwOpenFile or at least ZwCreateFile.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Neetu_Sand · October 28, 2010, 2:06am

Okay, I figured out. It was not a bug in my code - breakpoint on ZwCreatefile was not setup correctly, that’s why I missed it.

cheers, Neetu.