
Make IrqlTooLow's behavior consistent with IrqlTooHigh #199

Merged: NateD-MSFT merged 3 commits into development from user/nated-msft/irql-fixes-2601 on Jan 23, 2026

@NateD-MSFT (Collaborator)

IrqlTooLow was missing a check that the max estimated IRQL value was too low for a given function call, so it was reporting false positives in cases where there was a wide range of estimated IRQL values.

Checklist for Pull Requests

  • Description is filled out.
  • Only one query or related query group is in this pull request.
  • The version number on changed queries has been increased via the @version comment in the file header.
  • All unit tests have been run: (Test README.md).
  • Commands codeql database create and codeql database analyze have completed successfully.
  • A .qhelp file has been added for any new queries or updated if changes have been made to an existing query.

Fixes #198

NateD-MSFT added the bug (Something isn't working) label Jan 23, 2026
NateD-MSFT requested a review from Copilot January 23, 2026 03:27
NateD-MSFT changed the base branch from main to development January 23, 2026 03:28
NateD-MSFT changed the title from "Make IrqlTooLow's behavior consistent with IRQLTooHigh" to "Make IrqlTooLow's behavior consistent with IrqlTooHigh" Jan 23, 2026

Copilot AI left a comment

Pull request overview

This PR fixes issue #198 by making the IrqlTooLow query's behavior consistent with IrqlTooHigh. The issue was that IrqlTooLow was reporting false positives when there was a wide range of estimated IRQL values, producing confusing error messages that claimed a function required IRQL 2 or higher but was being called at IRQL 15 (which is obviously not a violation).

Changes:

  • Updated query version from v2 to v3
  • Modified the IRQL check to use max(getPotentialExitIrqlAtCfn(prior)) instead of getPotentialExitIrqlAtCfn(prior), ensuring the query only reports violations when ALL potential IRQL values are too low

NateD-MSFT merged commit f64f2bf into development Jan 23, 2026 (2 checks passed)
NateD-MSFT deleted the user/nated-msft/irql-fixes-2601 branch January 23, 2026 05:05
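
Added example, not code from this pull request or its repository: a Python model of the condition change discussed in the conversation above, showing why comparing each potential IRQL separately flags a call site with a wide estimated range while comparing the maximum does not. The call-site names, the IRQL sets and the function names are constructed for illustration; the required minimum of 2 and the upper value 15 are the figures quoted in the review comment.

```python
"""Model of the IrqlTooLow condition before and after the fix (constructed data)."""

REQUIRED_MIN = 2  # "required IRQL 2 or higher", from the review comment's example

# Constructed sample: call site -> IRQL values the analysis estimates just
# before the call. An empty set models a site with no estimate at all.
CALL_SITES = {
    "always_passive": {0},
    "passive_or_apc": {0, 1},
    "wide_range": set(range(0, 16)),  # 0..15: the analysis could not narrow it
    "exactly_required": {2},
    "no_estimate": set(),
}


def too_low_any(potential, required_min):
    """Pre-fix behaviour: holds as soon as ONE estimated value is below the
    minimum. A multi-valued QL expression compared directly behaves this way."""
    return any(irql < required_min for irql in potential)


def too_low_max(potential, required_min):
    """Post-fix behaviour: holds only when the HIGHEST estimate is still below
    the minimum, i.e. every estimated value is too low. With no estimate there
    is no maximum, so nothing is reported."""
    return bool(potential) and max(potential) < required_min


def flagged(check, required_min=REQUIRED_MIN):
    """Call sites the given condition would report, in sorted order."""
    return sorted(s for s, irqls in CALL_SITES.items() if check(irqls, required_min))


def false_positives_removed(required_min=REQUIRED_MIN):
    """Sites reported by the per-value check but not by the max-based check."""
    return sorted(set(flagged(too_low_any, required_min))
                  - set(flagged(too_low_max, required_min)))


if __name__ == "__main__":
    print("per-value check:", flagged(too_low_any))
    print("max-based check:", flagged(too_low_max))
    print("no longer reported:", false_positives_removed())
```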

Development

Successfully merging this pull request may close these issues.

IrqlTooLow query has false positives and confusing output