Re: Is it possible to determine if a file is being copied ...

What I need specifically is to be able to determine what files are being copied from my hard drive. I need to know the filename’s destination so I can determine if I want to allow it to be copied there. I am not sure where to hook or what. I know that is a tall order because any program can open a file, read its contents and write it somewhere else, but I am not really worried about that right now. I am more concerned about Explorer and command line “copy”, etc.

Jamey Kirby informed me that a lot of times the files are opened as memory mapped files but not always. Somehow the operating system links those two files (file being copied and new file being created) together at some point and a way to hook that, so I can customize it, is what I need.

Patrik, I do appreciate the response, it’s not discouraging, just challenging.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Patrik Floding
Sent: Friday, April 14, 2000 5:07 AM
To: File Systems Developers
Subject: [ntfsd] Re:Is it possible to determine if a file is being copied …

David,

In general the kernel should not second-guess what a certain
operation is used for by a user level process. Using information
guessed in this manner can only really be used for things such as
optimisations, and even then it is important to be very careful
about what action you take based upon this guesswork.

If a user mode process can open a file for reading and another
file for writing, then it can copy a file. It doesn’t have to use any
special system calls, or flags, even if Win32 happens to provide
such things.

Even if you can figure out how a specific application, such as
Explorer, performs copies, there is nothing to say that another
application won’t do it in a different way, or that Explorer won’t
do it differently in the next version (or even in a different
situation!).

Sorry to sound discouraging, but perhaps if you tell us what you
want to do more precisely, we can be of more help!

Regards,

/Patrik

David Mack wrote:

Does anyone know if this flag FO_SEQUENTIAL_ONLY indicates a file is being copied?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Ho Mun Chuen
Sent: Thursday, April 13, 2000 4:24 AM
To: File Systems Developers
Subject: [ntfsd] Re:Is it possible to determine if a file is being copied …

I don’t know if this is the right thing to do but I assume a flag of FO_SEQUENTIAL_ONLY in the file obj to mean “copy and paste”… :P

Ho Mun Chuen
@@ “Not everything that counts can be counted;
<” )~ and not everything that can be counted counts"
//\ … Albert Einstein
----- Original Message -----
From: Iñaki Castillo
> To: File Systems Developers
> Sent: Thursday, April 13, 2000 2:08 AM
> Subject: [ntfsd] Re:Is it possible to determine if a file is being copied …
>
> As you may copy a file using any method, what you want is not possible.
> There is a flag that indicates a file is being opened for backup but is not used but in rare occasions.
>
> However when using CopyFileEx, for example, the copy operation is made in a particular way not used in every other copy method (although it might be used by any application, of course).
>
> CopyFileEx maps the entire source file and then writes to target file using a write with mapped memory as source buffer. Also it creates the target file in exclusive mode (i.e. no shared writes or reads are allowed until closed).
>
> This behaviour is a good clue to guess this is a copy operation.
>
> Inaki.
>
> > -----Original Message-----
> > From: David Mack
> > Sent: Wednesday, April 12, 2000 20:44
> > To: File Systems Developers
> > Subject: [ntfsd] Re: Need a simple example for filter driver
> >
> > Is it possible to determine if a file is being copied as opposed to being created from scratch in a driver? I will try looking at the create IRP and see if that has what I need. I do appreciate everyone’s help. I am new to driver development so if I am being unconventional it is unintentional, I assure you.
> >
> > David Mack
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com]On Behalf Of COX,DAVID
> > (HP-Roseville,ex1)
> > Sent: Wednesday, April 12, 2000 12:20 PM
> > To: File Systems Developers
> > Subject: [ntfsd] Re: Need a simple example for filter driver
> >
> >
> > The time the write IRP is received is too late to look at the filename.
> > It is not guaranteed to be in the file object. Look at the filename
> > during the create IRP, and remember it somehow.
> >
> > To avoid confusing applications hopelessly, you may want to check the
> > requested access permissions during the create, and fail the create IRP
> > if write access is requested. Allowing a file to be opened for write
> > access and then failing the writes is … unconventional?
> >
> > I don’t know how you’re cancelling the IRP – just complete it with an
> > error status.
> >
> > You may also have to hook the fast-IO path also – not all writes use
> > IRPs.
> >
> > -----------------------------------------------------------------------
> > Dave Cox
> > Hewlett-Packard Co.
> > HPSO/SSMO (Santa Barbara)
> > https://ecardfile.com/id/Dave+Cox
> >
> >
> > -----Original Message-----
> > From: David Mack [mailto:xxxxx@infoseerinc.com]
> > Sent: Wednesday, April 12, 2000 7:42 AM
> > To: File Systems Developers
> > Subject: [ntfsd] Re: Need a simple example for filter driver
> >
> >
> > I have looked at that filemon but it doesn’t really show me how to cancel a write IRP.
> > I am definitely doing it wrong cause I’m getting blue screens randomly from my driver.
> > If anyone has an example of that, maybe that would help.
> >
> > What I am looking for is a snippet of code that will do the following.
> > Say I want to block all files that have the .dat extension from going to hard disk.
> > When the IRP comes down to write, I want to check the extension and cancel the IRP.
> >
> > Even if the example doesn’t do this, anything close would be of help.
> > Once again, thanks for the replies
> >
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com]On Behalf Of Amit Gorantiwar
> > Sent: Wednesday, April 12, 2000 5:07 AM
> > To: File Systems Developers
> > Subject: [ntfsd] Re: Need a simple example for filter driver
> >
> >
> > You will get a Filemonitor application on the site systeminternals.com which is a good example of a filter driver.
> > -----Original Message-----
> > From: David Mack
> > To: File Systems Developers
> > Date: Tuesday, April 11, 2000 10:25 PM
> > Subject: [ntfsd] Need a simple example for filter driver
> >
> >
> > >
> > >Hello All,
> > > Does anyone have an example of a filter driver that will block writes or reads from being passed on to the file system? I really need an example to go by. Any help would be appreciated !!!
> > >
> > >David Mack
> > >
> > >
> > >—
> > >You are currently subscribed to ntfsd as: amitg@i3-micro.com
> > >To unsubscribe send a blank email to $subst(‘Email.Unsub’)

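The create-time check Dave Cox describes in this thread (look at the filename during the create IRP and fail the create if write access is requested), modelled as an added example that is not from any poster. It is plain user-mode C with constructed inputs rather than WDK code, and `has_extension` and `pre_create_decision` are hypothetical names.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Numeric values match the Windows headers; repeated here so the model
   builds outside the WDK. */
#define FILE_READ_DATA       0x00000001u
#define FILE_WRITE_DATA      0x00000002u
#define FILE_APPEND_DATA     0x00000004u
#define GENERIC_WRITE        0x40000000u
#define FILE_OPEN            1u  /* only disposition that never creates or truncates */
#define FILE_OVERWRITE_IF    5u
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u

/* Case-insensitive: does the final path component end in ext, ignoring
   any NTFS stream suffix such as ":name" or "::$DATA"? */
static int has_extension(const char *path, const char *ext)
{
    const char *name = strrchr(path, '\\');
    name = name ? name + 1 : path;
    size_t len = strcspn(name, ":"), elen = strlen(ext);
    if (len < elen) return 0;
    for (size_t i = 0; i < elen; i++)
        if (tolower((unsigned char)name[len - elen + i]) !=
            tolower((unsigned char)ext[i]))
            return 0;
    return 1;
}

/* Hypothetical policy hook: the status a filter would complete the create
   with. Opens that can neither modify nor create the file pass through. */
uint32_t pre_create_decision(const char *path, uint32_t desired_access,
                             uint32_t disposition)
{
    const uint32_t write_bits = FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE;
    if (!has_extension(path, ".dat"))
        return STATUS_SUCCESS;
    if ((desired_access & write_bits) || disposition != FILE_OPEN)
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed sample request: write open of an existing .dat file. */
    printf("0x%08X\n", (unsigned)pre_create_decision(
        "\\Device\\HarddiskVolume1\\data\\report.dat", FILE_WRITE_DATA, FILE_OPEN));
    return 0;
}
```

A rename of an existing file to a .dat name arrives as a set-information request rather than a create, so it is outside this model.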
