I have not worked with mini filter drivers for about six years. But here are some things I think may help:
1.) In your PFLT_PRE_OPERATION_CALLBACK callback you should probably allow anything originating from kernel mode to pass through. You can do this with ExGetPreviousMode, which will return KernelMode for file operations originating from the Windows kernel.
2.) After you have allowed kernel-mode file operations to pass unmolested you can get the process ID of the user-mode process performing the I/O with PsGetCurrentProcessId and filter out whatever you want to pass through.
I don't normally send anyone away from codeproject.com but since I know that at least half of the Devices and Drivers team are active on the site I will defer you over to the NTFSD forum over at community.osr.com where they are working with minifilters on a daily basis.
However, if I post too many questions at once, I don't think I can get a proper answer, so I started posting questions like this.
That is a good approach. The more you put into a single question, the more time it takes for everyone to read, and the less likely it is you will get a useful answer.
However, it wouldn't hurt to mention that you are working on a larger problem and point to the related posts you made, so anyone willing to help can get a better look at the whole picture.
Also, I like how you approach the translation. You keep sentences short and concise; that makes it harder for the translation engine to mess up the meaning.
(Sorry, I can't help with your problem. But I still felt that it's worth congratulating you on doing a good job asking questions - that is a rare skill nowadays!)
GOTOs are a bit like wire coat hangers: they tend to breed in the darkness, such that where there once were few, eventually there are many, and the program's architecture collapses beneath them. (Fran Poretto)
I am trying out VirtualDisk APIs. So far I am able to open a VHDX file and get some of the properties by using GetVirtualDiskInformation. But I am not able to get RCT information and ChangedAreas.
1) Opendisk is done with the VIRTUAL_DISK_ACCESS_GET_INFO flag.
a. Works fine when the version flag is set to GET_VIRTUAL_DISK_INFO_SIZE; able to fetch sector size and other information.
b. Gives ERROR_INSUFFICIENT_BUFFER (122) when the version flag is set to GET_VIRTUAL_DISK_INFO_CHANGE_TRACKING_STATE to access diskInfo->ChangeTrackingState.MostRecentId.
Many thanks for your inputs.
Tried your sample code in my environment, OpenVirtualDisk failed with 32 ERROR_SHARING_VIOLATION.
Steps I have followed till now:
1. Create a production snapshot on the VM.
2. Convert the snapshot to the reference point (snapshot gets merged automatically) using WMI commands.
3. Added some files to VM disk.
4. Create another production snapshot on the VM so that any changes in the VM will be written to the avhdx file.
5. Try to open the parent vhdx using VHD APIs.
6. Get a resilient change tracking identifier using ChangeTrackingState.MostRecentId.
7. Query for changed areas using the VHD API QueryChangesVirtualDisk.
So far I am able to get till step six by passing only the VIRTUAL_DISK_ACCESS_GET_INFO flag for OpenVirtualDisk. Step 7 gives ACCESS_DENIED.
OpenVirtualDisk failed with 32 ERROR_SHARING_VIOLATION.
That obviously means that the virtual disk is locked/mounted and being used by another process. Are you trying to read the change tracking on a running Hyper-V virtual machine? I don't think you can do that.
If you can't read the change tracking information from an Administrator account with both SE_BACKUP_NAME and SE_MANAGE_VOLUME_NAME privileges then I don't think it will be possible. Also, since the virtual drive is mounted you should change the access mask from VIRTUAL_DISK_ACCESS_ATTACH_RW to VIRTUAL_DISK_ACCESS_ATTACH_RO.
I am actually in a Hyper-V environment right now so if I get some time later today I will look into it more. The code sample I gave you is working for me on my offline virtual machines.