I thought I might try to save someone in the future some pain by sharing
this information.
Platform: Vista (RTM) X86, Filtermanager, NTFS
During an UnInstall I see the following series of IRPs come down for a
specific (the same) file object.
SetFileInformation (FileRenameInformation);
SetFileInformation (FileBasicInformation);
For reasons which are irelevant to this note I do a FltQueryInformation (for
FileBasicInformation) before both operations and the values returned are
different: In particular (at least) CreationTime look suspiciously like the
time when the file was renamed.
If I crash the system between the NTFS getting the rename IRP and it getting
the BasicInfoIrp then on reboot the freshly renamed file turns up with the
correct CreationTime. So I would hazard that, under some odd circumstance
which I’m exercising, NTFS is doing the right thing on disk, but not to the
in memory state (are these fields link-specific, directory-specific or
file-specific?)
Knowing that date information is sometimes setup/firmed up in CLEANUP I
tried an open/close in the PostCall for the rename, but that made no
difference. Doing a FltsetFileInformation did the trick however (YMMV -
another thread might be doing a SetBasicInformation at the same time as the
your one during PostRename).
Rod Widdowson
Steading System Software
http://www.steadingsoftware.com