I'm assuming you're using a minifilter. The most interesting feature of this operation is that one of the parameters is an Irp. This is pretty much the only place in a minifilter where you will actually touch an IRP. That IRP is a fully initialized CREATE IRP and you can use it for all your context needs (getting the PID and the user like you would for any normal create).

I don't remember about FltGetFileNameInformation, could be a bug or it could be something that simply doesn't make sense in this context.

Regardless, I would suggest that you disallow this request (return FLT_PREOP_DISALLOW_FASTIO in the preOp) and expect it will come on the regular create path, which is much easier to handle. As Rod pointed out, LUAFV (which is an inbox minifilter enabled by default on all Vista+ systems as far as I remember) does it anyway so you're not gaining anything from a performance perspective. And then there are other gotchas about this operation which IMO do not justify the extra effort.
FltGetFileNameInformation+VISTA+IRP_MJ_NETWORK_QUERY_OPEN+BSOD