Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

HELP DevIoCtrl to File System via Kernel Driver

OSR_Community_UserOSR_Community_User Member Posts: 110,217
Hi Everyone ,

I am tring to Dismount a volume via a kernel driver.

i found in a user mode a IOCTL called FSCTL_DISMOUNT_VOLUME.

i want to call this IOCTL via kernel driver because because i dont want to
be
limit to administrator user only.

so I open (let say) "\device\harddiskvolume2" (in windows 2000) and got
the
device object for it.

then sent it via IoBuildDeviceIoControlRequest . the answer i get for
return
is STATUS_NOT_IMPLEMENTED (C0000002)

someone please can help me with it ???

i try for a week and dont find any way to fix this problem.

thanks,
Elad Zucker
[email protected]

Comments

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Where you trying this on FAT? If so, forced dismount is not implemented.

    The correct sequence is: lock, dismount, unlock. A pure dismount is a
    "forced" dismount (which works even if files are open on the volume.)

    Regards,

    Tony Mason
    Consulting Partner
    OSR Open Systems Resources, Inc.
    http://www.osr.com


    -----Original Message-----
    From: [email protected] [mailto:[email protected]]
    Sent: Monday, February 28, 2000 8:14 AM
    To: File Systems Developers Interest List
    Subject: [ntfsd] HELP DevIoCtrl to File System via Kernel Driver


    Hi Everyone ,

    I am tring to Dismount a volume via a kernel driver.

    i found in a user mode a IOCTL called FSCTL_DISMOUNT_VOLUME.

    i want to call this IOCTL via kernel driver because because i dont want to
    be
    limit to administrator user only.

    so I open (let say) "\device\harddiskvolume2" (in windows 2000) and got
    the
    device object for it.

    then sent it via IoBuildDeviceIoControlRequest . the answer i get for
    return
    is STATUS_NOT_IMPLEMENTED (C0000002)

    someone please can help me with it ???

    i try for a week and dont find any way to fix this problem.

    thanks,
    Elad Zucker
    [email protected]


    ---
    You are currently subscribed to ntfsd as: [email protected]
    To unsubscribe send a blank email to $subst('Email.Unsub')
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Anonymous sources have advised me that FastFat does now (in very recent
    versions) support forced dismount.

    Regards,

    Tony Mason
    Consulting Partner
    OSR Open Systems Resources, Inc.
    http://www.osr.com


    -----Original Message-----
    From: Tony Mason [mailto:[email protected]]
    Sent: Monday, February 28, 2000 2:44 PM
    To: File Systems Developers Interest List
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    Where you trying this on FAT? If so, forced dismount is not implemented.

    The correct sequence is: lock, dismount, unlock. A pure dismount is a
    "forced" dismount (which works even if files are open on the volume.)

    Regards,

    Tony Mason
    Consulting Partner
    OSR Open Systems Resources, Inc.
    http://www.osr.com


    -----Original Message-----
    From: [email protected] [mailto:[email protected]]
    Sent: Monday, February 28, 2000 8:14 AM
    To: File Systems Developers Interest List
    Subject: [ntfsd] HELP DevIoCtrl to File System via Kernel Driver


    Hi Everyone ,

    I am tring to Dismount a volume via a kernel driver.

    i found in a user mode a IOCTL called FSCTL_DISMOUNT_VOLUME.

    i want to call this IOCTL via kernel driver because because i dont want to
    be
    limit to administrator user only.

    so I open (let say) "\device\harddiskvolume2" (in windows 2000) and got
    the
    device object for it.

    then sent it via IoBuildDeviceIoControlRequest . the answer i get for
    return
    is STATUS_NOT_IMPLEMENTED (C0000002)

    someone please can help me with it ???

    i try for a week and dont find any way to fix this problem.

    thanks,
    Elad Zucker
    [email protected]


    ---
    You are currently subscribed to ntfsd as: [email protected]
    To unsubscribe send a blank email to $subst('Email.Unsub')

    ---
    You are currently subscribed to ntfsd as: [email protected]
    To unsubscribe send a blank email to $subst('Email.Unsub')
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    At least some of FSCTLs - don't remember what (get retrieval pointers?)-
    use parameter checking with things like ProbeForRead which makes it
    impossible to call them from the kmode code (to pass kmode addresses for
    buffers).

    Max

    ----- Original Message -----
    From: Tony Mason <[email protected]>
    To: File Systems Developers Interest List <[email protected]>
    Sent: Monday, February 28, 2000 10:51 PM
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    > Anonymous sources have advised me that FastFat does now (in very recent
    > versions) support forced dismount.
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Thanks for your speedy answer !
    I know that FastFat support pure Dismount on Win2K .

    There is an IOCTL called FSCTL_DISMOUNT_VOLUME (found on the Platform SDK)
    that do all the job.

    when i use it on user mode it worked just fine !
    you just use CreateFile on your drive (like \.\\C:) and use DeviceIoControl
    with the FSCTL_DISMOUNT_VOLUME.

    unforntaly to createfile with \.\\C: doesnt work without administrator
    privilages.

    so my soultion was to write a kernel driver that will do all the job .. and
    i did.
    I wrote a Kernel Driver that resolve the C: D: symbolic links and return
    \Device\HarddiskVolumex (that x represent the Volume Number).

    it work just find .. for my example I use \Device\HarddiskVolume2 is my D:
    drive .. and the drive i would like
    to unmount.. i also used \??\D:

    so i got the DeviceObject of Harddiskvolume2 and it also worked..

    FSCTL_UNMOUNT_DRIVE isnt decleared in the Win2k DDK. so i took my Win32
    IOCTL and decleared it my self ..

    till now everything look ok.
    but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the routine
    IoBuildDeviceIoControlRequest . the result was the error C0000002 means
    STATUS_NOT_IMPLEMENTED.

    i did everything right and i know it .. i think the problem is that FSCTL
    couldn't sent via IoBuildDeviceIoControlRequest. but it also cant sent via
    IoBuildFsdSyncRequest because its not an IRP_MJ_READ or IRP_MJ_WRITE.

    is there any way to get to the FSCTL in other way then that ? is it seems
    right what i'm saying ?

    I allmost giving up because i tried everything ... all I am doing now is
    Debugging into the Kernel Mode
    and it doesnt seems to have any answers ..

    I Heard from somewhere that i maybe should make my IRP myself ..

    But how those the FSCTL sents via Win32 DeviceIoControl and Work !! ?

    can you help me maybe ?

    Btw :
    You have a great book .. i learned alot from it !
    Thanks !
    Elad Zucker
    [email protected]

    -----Original Message-----
    From: Tony Mason <[email protected]>
    To: File Systems Developers Interest List <[email protected]>
    Date: Monday, February 28, 2000 9:55 PM
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    >Anonymous sources have advised me that FastFat does now (in very recent
    >versions) support forced dismount.
    >
    >Regards,
    >
    >Tony Mason
    >Consulting Partner
    >OSR Open Systems Resources, Inc.
    >http://www.osr.com
    >
    >
    >-----Original Message-----
    >From: Tony Mason [mailto:[email protected]]
    >Sent: Monday, February 28, 2000 2:44 PM
    >To: File Systems Developers Interest List
    >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    >Where you trying this on FAT? If so, forced dismount is not implemented.
    >
    >The correct sequence is: lock, dismount, unlock. A pure dismount is a
    >"forced" dismount (which works even if files are open on the volume.)
    >
    >Regards,
    >
    >Tony Mason
    >Consulting Partner
    >OSR Open Systems Resources, Inc.
    >http://www.osr.com
    >
    >
    >-----Original Message-----
    >From: [email protected] [mailto:[email protected]]
    >Sent: Monday, February 28, 2000 8:14 AM
    >To: File Systems Developers Interest List
    >Subject: [ntfsd] HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    >Hi Everyone ,
    >
    >I am tring to Dismount a volume via a kernel driver.
    >
    >i found in a user mode a IOCTL called FSCTL_DISMOUNT_VOLUME.
    >
    >i want to call this IOCTL via kernel driver because because i dont want to
    >be
    >limit to administrator user only.
    >
    >so I open (let say) "\device\harddiskvolume2" (in windows 2000) and got
    >the
    >device object for it.
    >
    >then sent it via IoBuildDeviceIoControlRequest . the answer i get for
    >return
    >is STATUS_NOT_IMPLEMENTED (C0000002)
    >
    >someone please can help me with it ???
    >
    >i try for a week and dont find any way to fix this problem.
    >
    >thanks,
    >Elad Zucker
    >[email protected]
    >
    >
    >---
    >You are currently subscribed to ntfsd as: [email protected]
    >To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >---
    >You are currently subscribed to ntfsd as: [email protected]
    >To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >---
    >You are currently subscribed to ntfsd as: [email protected]
    >To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    what do u mean by that ?

    is it impossible to do ?

    i have a code on usermode that work fine ;)
    it seems that it can be .. maybe with some tricks ..

    thanks,
    Elad Zucker
    -----Original Message-----
    From: Maxim S. Shatskih <[email protected]>
    To: File Systems Developers Interest List <[email protected]>
    Date: Monday, February 28, 2000 11:23 PM
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    >At least some of FSCTLs - don't remember what (get retrieval pointers?)-
    >use parameter checking with things like ProbeForRead which makes it
    >impossible to call them from the kmode code (to pass kmode addresses for
    >buffers).
    >
    > Max
    >
    >----- Original Message -----
    >From: Tony Mason <[email protected]>
    >To: File Systems Developers Interest List <[email protected]>
    >Sent: Monday, February 28, 2000 10:51 PM
    >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    >> Anonymous sources have advised me that FastFat does now (in very recent
    >> versions) support forced dismount.
    >
    >
    >
    >---
    >You are currently subscribed to ntfsd as: [email protected]
    >To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    >till now everything look ok.
    >but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the routine
    >IoBuildDeviceIoControlRequest . the result was the error C0000002 means
    >STATUS_NOT_IMPLEMENTED.
    >
    When you build the IRP with IoBuildDeviceIoControlRequest() you get a
    MajorFunction:IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL, what
    you really need is an IRP with
    IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode =
    FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    IoBuildDeviceIoControlRequest () and then change fields in the IRP. Run your
    user level utility, which works fine, put a breakpoint in
    FatDismountVolume() and check the IRP. Make sure that the IRP you created in
    your kernel driver is identical.
    If there is a kernel equivalent to NtFsControlFile() that it might be easier
    to just use it.

    Sara
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Shouldn't it go to the filesystem, instead of the disk driver. If a disk ntfs
    formatted then it is the ntfs
    driver which should be opened and the IRP should be sent there !!!!

    prokash

    [email protected] wrote:

    > Hi Everyone ,
    >
    > I am tring to Dismount a volume via a kernel driver.
    >
    > i found in a user mode a IOCTL called FSCTL_DISMOUNT_VOLUME.
    >
    > i want to call this IOCTL via kernel driver because because i dont want to
    > be
    > limit to administrator user only.
    >
    > so I open (let say) "\device\harddiskvolume2" (in windows 2000) and got
    > the
    > device object for it.
    >
    > then sent it via IoBuildDeviceIoControlRequest . the answer i get for
    > return
    > is STATUS_NOT_IMPLEMENTED (C0000002)
    >
    > someone please can help me with it ???
    >
    > i try for a week and dont find any way to fix this problem.
    >
    > thanks,
    > Elad Zucker
    > [email protected]
    >
    > ---
    > You are currently subscribed to ntfsd as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    -----Original Message-----
    From: Sara Abraham <[email protected]>
    To: File Systems Developers Interest List <[email protected]>
    Date: Tuesday, February 29, 2000 12:16 AM
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    >>till now everything look ok.
    >>but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the
    routine
    >>IoBuildDeviceIoControlRequest . the result was the error C0000002 means
    >>STATUS_NOT_IMPLEMENTED.
    >>
    >When you build the IRP with IoBuildDeviceIoControlRequest() you get a
    >MajorFunction:IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL, what
    >you really need is an IRP with
    >IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode =
    >FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    >IoBuildDeviceIoControlRequest () and then change fields in the IRP. Run
    your
    >user level utility, which works fine, put a breakpoint in
    >FatDismountVolume() and check the IRP. Make sure that the IRP you created
    in
    >your kernel driver is identical.
    >If there is a kernel equivalent to NtFsControlFile() that it might be
    easier
    >to just use it.
    >
    >Sara
    >

    Thanks Sara for your answer !

    I remember reading somewhere abour IRP_MJ_FILE_SYSTEM_CONROL but its not on
    the
    NTDDK.H ! is it in the IFS ?

    could u please give me the values of those IRPs ?
    second where is the IoControl and the and the Major /Minor .. i know they
    are in the stack
    but they are not fixed .. how can i get to change them manually ?

    are u sure this will solve the problem ?

    thanks you !
    Elad Zucker
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    It is in ntddk.h and defined as:
    #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
    #define IRP_MN_USER_FS_REQUEST 0x00
    FSCTL_DISMOUNT_VOLUME is defined in the ifskit, ntifs.h as:
    #define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8,
    METHOD_BUFFERED, FILE_ANY_ACCESS)

    I am pretty sure that all you'll have to do is issue a
    IoBuildDeviceIoControlRequest( IRP_MJ_DEVICE_CONTROL,....)
    and then:
    irpSp = IoGetNextIrpStackLocation( irp );
    irpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
    irpSp->MinorFunction = IRP_MN_USER_FS_REQUEST;
    and then IoCallDriver().

    Sara



    -----Original Message-----
    From: Elad Zucker <[email protected]>
    To: File Systems Developers Interest List <[email protected]>; Sara
    Abraham <xx[email protected]>
    Date: Monday, February 28, 2000 2:35 PM
    Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    >
    >-----Original Message-----
    >From: Sara Abraham <[email protected]>
    >To: File Systems Developers Interest List <[email protected]>
    >Date: Tuesday, February 29, 2000 12:16 AM
    >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    >>>till now everything look ok.
    >>>but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the
    >routine
    >>>IoBuildDeviceIoControlRequest . the result was the error C0000002 means
    >>>STATUS_NOT_IMPLEMENTED.
    >>>
    >>When you build the IRP with IoBuildDeviceIoControlRequest() you get a
    >>MajorFunction:IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL,
    what
    >>you really need is an IRP with
    >>IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode =
    >>FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    >>IoBuildDeviceIoControlRequest () and then change fields in the IRP. Run
    >your
    >>user level utility, which works fine, put a breakpoint in
    >>FatDismountVolume() and check the IRP. Make sure that the IRP you created
    >in
    >>your kernel driver is identical.
    >>If there is a kernel equivalent to NtFsControlFile() that it might be
    >easier
    >>to just use it.
    >>
    >>Sara
    >>
    >
    >Thanks Sara for your answer !
    >
    >I remember reading somewhere abour IRP_MJ_FILE_SYSTEM_CONROL but its not on
    >the
    >NTDDK.H ! is it in the IFS ?
    >
    >could u please give me the values of those IRPs ?
    >second where is the IoControl and the and the Major /Minor .. i know they
    >are in the stack
    >but they are not fixed .. how can i get to change them manually ?
    >
    >are u sure this will solve the problem ?
    >
    >thanks you !
    >Elad Zucker
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Isn't DISMOUNT a user-mode FSCTL?


    > -----Original Message-----
    > From: [email protected]
    > [mailto:[email protected]]On Behalf Of Sara Abraham
    > Sent: Monday, February 28, 2000 4:02 PM
    > To: File Systems Developers Interest List
    > Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    > It is in ntddk.h and defined as:
    > #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
    > #define IRP_MN_USER_FS_REQUEST 0x00
    > FSCTL_DISMOUNT_VOLUME is defined in the ifskit, ntifs.h as:
    > #define FSCTL_DISMOUNT_VOLUME
    > CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8,
    > METHOD_BUFFERED, FILE_ANY_ACCESS)
    >
    > I am pretty sure that all you'll have to do is issue a
    > IoBuildDeviceIoControlRequest( IRP_MJ_DEVICE_CONTROL,....)
    > and then:
    > irpSp = IoGetNextIrpStackLocation( irp );
    > irpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
    > irpSp->MinorFunction = IRP_MN_USER_FS_REQUEST;
    > and then IoCallDriver().
    >
    > Sara
    >
    >
    >
    > -----Original Message-----
    > From: Elad Zucker <[email protected]>
    > To: File Systems Developers Interest List <[email protected]>; Sara
    > Abraham <[email protected]>
    > Date: Monday, February 28, 2000 2:35 PM
    > Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    > >
    > >-----Original Message-----
    > >From: Sara Abraham <[email protected]>
    > >To: File Systems Developers Interest List <[email protected]>
    > >Date: Tuesday, February 29, 2000 12:16 AM
    > >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    > >
    > >
    > >>>till now everything look ok.
    > >>>but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the
    > >routine
    > >>>IoBuildDeviceIoControlRequest . the result was the error C0000002 means
    > >>>STATUS_NOT_IMPLEMENTED.
    > >>>
    > >>When you build the IRP with IoBuildDeviceIoControlRequest() you get a
    > >>MajorFunction:IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL,
    > what
    > >>you really need is an IRP with
    > >>IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode =
    > >>FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    > >>IoBuildDeviceIoControlRequest () and then change fields in the IRP. Run
    > >your
    > >>user level utility, which works fine, put a breakpoint in
    > >>FatDismountVolume() and check the IRP. Make sure that the IRP
    > you created
    > >in
    > >>your kernel driver is identical.
    > >>If there is a kernel equivalent to NtFsControlFile() that it might be
    > >easier
    > >>to just use it.
    > >>
    > >>Sara
    > >>
    > >
    > >Thanks Sara for your answer !
    > >
    > >I remember reading somewhere abour IRP_MJ_FILE_SYSTEM_CONROL but
    > its not on
    > >the
    > >NTDDK.H ! is it in the IFS ?
    > >
    > >could u please give me the values of those IRPs ?
    > >second where is the IoControl and the and the Major /Minor .. i know they
    > >are in the stack
    > >but they are not fixed .. how can i get to change them manually ?
    > >
    > >are u sure this will solve the problem ?
    > >
    > >thanks you !
    > >Elad Zucker
    > >
    >
    >
    > ---
    > You are currently subscribed to ntfsd as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    I Tried your suggestion but it didnt work .. now i have a result code of :
    C000010 means STATUS_INVALID_DEVICE_REQUEST.

    do you know if in wondows 2000 the \Device\Hardvolume is the device i need
    to sent the FsCtl ? this is the Device that aliased to C:/D:/E: and when
    tring to sent it via user mode to C:/D:/E: it works.

    have any suggestions ?

    i did all you said to the IRP . and checked it .
    I also tried to sent in the MN the IRP_MN_MOUNT_VOLUME and it return the
    same error code ..

    Please if you can help me !

    Thanks,
    Elad Zucker
    [email protected]
    ----- Original Message -----
    From: Sara Abraham <[email protected]>
    To: File Systems Developers Interest List <[email protected]>
    Sent: Tuesday, February 29, 2000 2:02 AM
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    > It is in ntddk.h and defined as:
    > #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
    > #define IRP_MN_USER_FS_REQUEST 0x00
    > FSCTL_DISMOUNT_VOLUME is defined in the ifskit, ntifs.h as:
    > #define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM,
    8,
    > METHOD_BUFFERED, FILE_ANY_ACCESS)
    >
    > I am pretty sure that all you'll have to do is issue a
    > IoBuildDeviceIoControlRequest( IRP_MJ_DEVICE_CONTROL,....)
    > and then:
    > irpSp = IoGetNextIrpStackLocation( irp );
    > irpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
    > irpSp->MinorFunction = IRP_MN_USER_FS_REQUEST;
    > and then IoCallDriver().
    >
    > Sara
    >
    >
    >
    > -----Original Message-----
    > From: Elad Zucker <[email protected]>
    > To: File Systems Developers Interest List <[email protected]>; Sara
    > Abraham <[email protected]>
    > Date: Monday, February 28, 2000 2:35 PM
    > Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    > >
    > >-----Original Message-----
    > >From: Sara Abraham <[email protected]>
    > >To: File Systems Developers Interest List <[email protected]>
    > >Date: Tuesday, February 29, 2000 12:16 AM
    > >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    > >
    > >
    > >>>till now everything look ok.
    > >>>but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the
    > >routine
    > >>>IoBuildDeviceIoControlRequest . the result was the error C0000002 means
    > >>>STATUS_NOT_IMPLEMENTED.
    > >>>
    > >>When you build the IRP with IoBuildDeviceIoControlRequest() you get a
    > >>MajorFunction:IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL,
    > what
    > >>you really need is an IRP with
    > >>IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode =
    > >>FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    > >>IoBuildDeviceIoControlRequest () and then change fields in the IRP. Run
    > >your
    > >>user level utility, which works fine, put a breakpoint in
    > >>FatDismountVolume() and check the IRP. Make sure that the IRP you
    created
    > >in
    > >>your kernel driver is identical.
    > >>If there is a kernel equivalent to NtFsControlFile() that it might be
    > >easier
    > >>to just use it.
    > >>
    > >>Sara
    > >>
    > >
    > >Thanks Sara for your answer !
    > >
    > >I remember reading somewhere abour IRP_MJ_FILE_SYSTEM_CONROL but its not
    on
    > >the
    > >NTDDK.H ! is it in the IFS ?
    > >
    > >could u please give me the values of those IRPs ?
    > >second where is the IoControl and the and the Major /Minor .. i know they
    > >are in the stack
    > >but they are not fixed .. how can i get to change them manually ?
    > >
    > >are u sure this will solve the problem ?
    > >
    > >thanks you !
    > >Elad Zucker
    > >
    >
    >
    > ---
    > You are currently subscribed to ntfsd as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    > what do u mean by that ?

    Some FSCTLs cannot be called from kmode - only from umode.

    Max
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Hi Elad,

    It seems that the deviceobject you are sending the request to, is the media
    device and not the device that represents the fs mount. I think that you
    have some basic issues even before the issue of generating the correct IRP.
    Now I understand Tony's original reply:
    "The correct sequence is: lock, dismount, unlock". As Tony says, there are
    semantics that you need to follow when you issue a dismount. And since this
    is working for you in user mode, you need to do the same for the kernel mode
    implementation. You need to issue an open of \Device\HarddiskVolume2 , use
    the filehandle to issue a lock request, and only then you can do your
    dismount. You can issue the dismount by building the IRP as we discussed
    (with the fsmount device object). But it would be much simpler to just issue
    a NtFsControlFile() ( or it's Zw equivalent). which is is defined in as:

    NTSTATUS
    ZwFsControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
    );

    So, what you are doing in your kernel thread is the equivalent of what you
    did in your user mode application.

    Sara

    -----Original Message-----
    From: Elad Zucker <[email protected]>
    To: Sara Abraham <[email protected]>; File Systems Developers Interest List
    <[email protected]>
    Date: Tuesday, February 29, 2000 2:56 AM
    Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    >I Tried your suggestion but it didnt work .. now i have a result code of :
    >C000010 means STATUS_INVALID_DEVICE_REQUEST.
    >
    >do you know if in wondows 2000 the \Device\Hardvolume is the device i need
    >to sent the FsCtl ? this is the Device that aliased to C:/D:/E: and when
    >tring to sent it via user mode to C:/D:/E: it works.
    >
    >have any suggestions ?
    >
    >i did all you said to the IRP . and checked it .
    >I also tried to sent in the MN the IRP_MN_MOUNT_VOLUME and it return the
    >same error code ..
    >
    >Please if you can help me !
    >
    >Thanks,
    >Elad Zucker
    >[email protected]
    >----- Original Message -----
    >From: Sara Abraham <[email protected]>
    >To: File Systems Developers Interest List <[email protected]>
    >Sent: Tuesday, February 29, 2000 2:02 AM
    >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    >> It is in ntddk.h and defined as:
    >> #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
    >> #define IRP_MN_USER_FS_REQUEST 0x00
    >> FSCTL_DISMOUNT_VOLUME is defined in the ifskit, ntifs.h as:
    >> #define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM,
    >8,
    >> METHOD_BUFFERED, FILE_ANY_ACCESS)
    >>
    >> I am pretty sure that all you'll have to do is issue a
    >> IoBuildDeviceIoControlRequest( IRP_MJ_DEVICE_CONTROL,....)
    >> and then:
    >> irpSp = IoGetNextIrpStackLocation( irp );
    >> irpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
    >> irpSp->MinorFunction = IRP_MN_USER_FS_REQUEST;
    >> and then IoCallDriver().
    >>
    >> Sara
    >>
    >>
    >>
    >> -----Original Message-----
    >> From: Elad Zucker <[email protected]>
    >> To: File Systems Developers Interest List <[email protected]>; Sara
    >> Abraham <[email protected]>
    >> Date: Monday, February 28, 2000 2:35 PM
    >> Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >>
    >>
    >> >
    >> >-----Original Message-----
    >> >From: Sara Abraham <[email protected]>
    >> >To: File Systems Developers Interest List <[email protected]>
    >> >Date: Tuesday, February 29, 2000 12:16 AM
    >> >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >> >
    >> >
    >> >>>till now everything look ok.
    >> >>>but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the
    >> >routine
    >> >>>IoBuildDeviceIoControlRequest . the result was the error C0000002
    means
    >> >>>STATUS_NOT_IMPLEMENTED.
    >> >>>
    >> >>When you build the IRP with IoBuildDeviceIoControlRequest() you get a
    >> >>MajorFunction:IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL,
    >> what
    >> >>you really need is an IRP with
    >> >>IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode =
    >> >>FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    >> >>IoBuildDeviceIoControlRequest () and then change fields in the IRP. Run
    >> >your
    >> >>user level utility, which works fine, put a breakpoint in
    >> >>FatDismountVolume() and check the IRP. Make sure that the IRP you
    >created
    >> >in
    >> >>your kernel driver is identical.
    >> >>If there is a kernel equivalent to NtFsControlFile() that it might be
    >> >easier
    >> >>to just use it.
    >> >>
    >> >>Sara
    >> >>
    >> >
    >> >Thanks Sara for your answer !
    >> >
    >> >I remember reading somewhere abour IRP_MJ_FILE_SYSTEM_CONROL but its not
    >on
    >> >the
    >> >NTDDK.H ! is it in the IFS ?
    >> >
    >> >could u please give me the values of those IRPs ?
    >> >second where is the IoControl and the and the Major /Minor .. i know
    they
    >> >are in the stack
    >> >but they are not fixed .. how can i get to change them manually ?
    >> >
    >> >are u sure this will solve the problem ?
    >> >
    >> >thanks you !
    >> >Elad Zucker
    >> >
    >>
    >>
    >> ---
    >> You are currently subscribed to ntfsd as: [email protected]
    >> To unsubscribe send a blank email to $subst('Email.Unsub')
    >>
    >>
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    From the IFS kit for Windows 2000 (FASTFAT):

    // A bit of historical comment is in order.
    //
    // In all versions prior to NT5, we only permitted dismount if the
    volume had
    // previously been locked. Now we must permit a forced dismount,
    meaning that
    // we grab ahold of the whole kit-n-kaboodle - regardless of activity,
    open
    // handles, etc. - to flush and invalidate the volume.
    //
    // Previously, dismount assumed that lock had come along earlier and
    done some
    // of the work that we are now going to do - i.e., flush, tear down the
    eas. All
    // we had to do here is flush the device out and kill off as many of
    the orphan
    // fcbs as possible. This now changes.
    //
    // In fact, everything is a forced dismount now. This changes one
    interesting
    // aspect, which is that it used to be the case that the handle used to
    dismount
    // could come back, read, and induce a verify/remount. This is just not
    possible
    // now. The point of forced dismount is that very shortly someone will
    come along
    // and be destructive to the possibility of using the media further -
    format, eject,
    // etc. By using this path, callers are expected to tolerate the
    consequences.
    //
    // Note that the volume can still be successfully unlocked by this
    handle.


    > -----Original Message-----
    > From: [email protected]
    > [mailto:[email protected]]On Behalf Of Sara Abraham
    > Sent: Tuesday, February 29, 2000 12:03 PM
    > To: File Systems Developers Interest List
    > Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    > Hi Elad,
    >
    > It seems that the deviceobject you are sending the request to,
    > is the media
    > device and not the device that represents the fs mount. I think that you
    > have some basic issues even before the issue of generating the
    > correct IRP.
    > Now I understand Tony's original reply:
    > "The correct sequence is: lock, dismount, unlock". As Tony says, there are
    > semantics that you need to follow when you issue a dismount. And
    > since this
    > is working for you in user mode, you need to do the same for the
    > kernel mode
    > implementation. You need to issue an open of \Device\HarddiskVolume2 , use
    > the filehandle to issue a lock request, and only then you can do your
    > dismount. You can issue the dismount by building the IRP as we discussed
    > (with the fsmount device object). But it would be much simpler to
    > just issue
    > a NtFsControlFile() ( or it's Zw equivalent). which is is defined in as:
    >
    > NTSTATUS
    > ZwFsControlFile(
    > IN HANDLE FileHandle,
    > IN HANDLE Event OPTIONAL,
    > IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    > IN PVOID ApcContext OPTIONAL,
    > OUT PIO_STATUS_BLOCK IoStatusBlock,
    > IN ULONG IoControlCode,
    > IN PVOID InputBuffer OPTIONAL,
    > IN ULONG InputBufferLength,
    > OUT PVOID OutputBuffer OPTIONAL,
    > IN ULONG OutputBufferLength
    > );
    >
    > So, what you are doing in your kernel thread is the equivalent of what you
    > did in your user mode application.
    >
    > Sara
    >
    > -----Original Message-----
    > From: Elad Zucker <[email protected]>
    > To: Sara Abraham <[email protected]>; File Systems Developers Interest List
    > <[email protected]>
    > Date: Tuesday, February 29, 2000 2:56 AM
    > Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    > >I Tried your suggestion but it didnt work .. now i have a result
    > code of :
    > >C000010 means STATUS_INVALID_DEVICE_REQUEST.
    > >
    > >do you know if in wondows 2000 the \Device\Hardvolume is the
    > device i need
    > >to sent the FsCtl ? this is the Device that aliased to C:/D:/E: and when
    > >tring to sent it via user mode to C:/D:/E: it works.
    > >
    > >have any suggestions ?
    > >
    > >i did all you said to the IRP . and checked it .
    > >I also tried to sent in the MN the IRP_MN_MOUNT_VOLUME and it return the
    > >same error code ..
    > >
    > >Please if you can help me !
    > >
    > >Thanks,
    > >Elad Zucker
    > >[email protected]
    > >----- Original Message -----
    > >From: Sara Abraham <[email protected]>
    > >To: File Systems Developers Interest List <[email protected]>
    > >Sent: Tuesday, February 29, 2000 2:02 AM
    > >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    > >
    > >
    > >> It is in ntddk.h and defined as:
    > >> #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
    > >> #define IRP_MN_USER_FS_REQUEST 0x00
    > >> FSCTL_DISMOUNT_VOLUME is defined in the ifskit, ntifs.h as:
    > >> #define FSCTL_DISMOUNT_VOLUME
    > CTL_CODE(FILE_DEVICE_FILE_SYSTEM,
    > >8,
    > >> METHOD_BUFFERED, FILE_ANY_ACCESS)
    > >>
    > >> I am pretty sure that all you'll have to do is issue a
    > >> IoBuildDeviceIoControlRequest( IRP_MJ_DEVICE_CONTROL,....)
    > >> and then:
    > >> irpSp = IoGetNextIrpStackLocation( irp );
    > >> irpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
    > >> irpSp->MinorFunction = IRP_MN_USER_FS_REQUEST;
    > >> and then IoCallDriver().
    > >>
    > >> Sara
    > >>
    > >>
    > >>
    > >> -----Original Message-----
    > >> From: Elad Zucker <[email protected]>
    > >> To: File Systems Developers Interest List <[email protected]>; Sara
    > >> Abraham <[email protected]>
    > >> Date: Monday, February 28, 2000 2:35 PM
    > >> Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via
    > Kernel Driver
    > >>
    > >>
    > >> >
    > >> >-----Original Message-----
    > >> >From: Sara Abraham <[email protected]>
    > >> >To: File Systems Developers Interest List <[email protected]>
    > >> >Date: Tuesday, February 29, 2000 12:16 AM
    > >> >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    > >> >
    > >> >
    > >> >>>till now everything look ok.
    > >> >>>but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the
    > >> >routine
    > >> >>>IoBuildDeviceIoControlRequest . the result was the error C0000002
    > means
    > >> >>>STATUS_NOT_IMPLEMENTED.
    > >> >>>
    > >> >>When you build the IRP with IoBuildDeviceIoControlRequest() you get a
    > >> >>MajorFunction:IRP_MJ_DEVICE_CONTROL or
    > IRP_MJ_INTERNAL_DEVICE_CONTROL,
    > >> what
    > >> >>you really need is an IRP with
    > >> >>IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode =
    > >> >>FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    > >> >>IoBuildDeviceIoControlRequest () and then change fields in
    > the IRP. Run
    > >> >your
    > >> >>user level utility, which works fine, put a breakpoint in
    > >> >>FatDismountVolume() and check the IRP. Make sure that the IRP you
    > >created
    > >> >in
    > >> >>your kernel driver is identical.
    > >> >>If there is a kernel equivalent to NtFsControlFile() that it might be
    > >> >easier
    > >> >>to just use it.
    > >> >>
    > >> >>Sara
    > >> >>
    > >> >
    > >> >Thanks Sara for your answer !
    > >> >
    > >> >I remember reading somewhere abour IRP_MJ_FILE_SYSTEM_CONROL
    > but its not
    > >on
    > >> >the
    > >> >NTDDK.H ! is it in the IFS ?
    > >> >
    > >> >could u please give me the values of those IRPs ?
    > >> >second where is the IoControl and the and the Major /Minor .. i know
    > they
    > >> >are in the stack
    > >> >but they are not fixed .. how can i get to change them manually ?
    > >> >
    > >> >are u sure this will solve the problem ?
    > >> >
    > >> >thanks you !
    > >> >Elad Zucker
    > >> >
    > >>
    > >>
    > >> ---
    > >> You are currently subscribed to ntfsd as: [email protected]
    > >> To unsubscribe send a blank email to $subst('Email.Unsub')
    > >>
    > >>
    > >
    >
    >
    > ---
    > You are currently subscribed to ntfsd as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Hi Sara,
    Thanks again for reply to me ..

    I Understand what u meant.

    but i have one big problem where is the ZwFsControlFile decleared ?
    i dont see it ?

    I have the all msdn .. is it in the IFS header files ?
    is the IFS Headers are in the MSDN (somewhere on the disks) ??

    Thanks Again ;)
    Elad Zucker

    -----Original Message-----
    From: Sara Abraham <[email protected]>
    To: File Systems Developers Interest List <[email protected]>
    Date: Tuesday, February 29, 2000 10:11 PM
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    >Hi Elad,
    >
    > It seems that the deviceobject you are sending the request to, is the
    media
    >device and not the device that represents the fs mount. I think that you
    >have some basic issues even before the issue of generating the correct IRP.
    >Now I understand Tony's original reply:
    >"The correct sequence is: lock, dismount, unlock". As Tony says, there are
    >semantics that you need to follow when you issue a dismount. And since this
    >is working for you in user mode, you need to do the same for the kernel
    mode
    >implementation. You need to issue an open of \Device\HarddiskVolume2 , use
    >the filehandle to issue a lock request, and only then you can do your
    >dismount. You can issue the dismount by building the IRP as we discussed
    >(with the fsmount device object). But it would be much simpler to just
    issue
    >a NtFsControlFile() ( or it's Zw equivalent). which is is defined in as:
    >
    >NTSTATUS
    >ZwFsControlFile(
    > IN HANDLE FileHandle,
    > IN HANDLE Event OPTIONAL,
    > IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    > IN PVOID ApcContext OPTIONAL,
    > OUT PIO_STATUS_BLOCK IoStatusBlock,
    > IN ULONG IoControlCode,
    > IN PVOID InputBuffer OPTIONAL,
    > IN ULONG InputBufferLength,
    > OUT PVOID OutputBuffer OPTIONAL,
    > IN ULONG OutputBufferLength
    > );
    >
    >So, what you are doing in your kernel thread is the equivalent of what you
    >did in your user mode application.
    >
    >Sara
    >
    >-----Original Message-----
    >From: Elad Zucker <[email protected]>
    >To: Sara Abraham <[email protected]>; File Systems Developers Interest List
    ><[email protected]>
    >Date: Tuesday, February 29, 2000 2:56 AM
    >Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    >>I Tried your suggestion but it didnt work .. now i have a result code of :
    >>C000010 means STATUS_INVALID_DEVICE_REQUEST.
    >>
    >>do you know if in wondows 2000 the \Device\Hardvolume is the device i need
    >>to sent the FsCtl ? this is the Device that aliased to C:/D:/E: and when
    >>tring to sent it via user mode to C:/D:/E: it works.
    >>
    >>have any suggestions ?
    >>
    >>i did all you said to the IRP . and checked it .
    >>I also tried to sent in the MN the IRP_MN_MOUNT_VOLUME and it return the
    >>same error code ..
    >>
    >>Please if you can help me !
    >>
    >>Thanks,
    >>Elad Zucker
    >>[email protected]
    >>----- Original Message -----
    >>From: Sara Abraham <[email protected]>
    >>To: File Systems Developers Interest List <[email protected]>
    >>Sent: Tuesday, February 29, 2000 2:02 AM
    >>Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >>
    >>
    >>> It is in ntddk.h and defined as:
    >>> #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
    >>> #define IRP_MN_USER_FS_REQUEST 0x00
    >>> FSCTL_DISMOUNT_VOLUME is defined in the ifskit, ntifs.h as:
    >>> #define FSCTL_DISMOUNT_VOLUME
    CTL_CODE(FILE_DEVICE_FILE_SYSTEM,
    >>8,
    >>> METHOD_BUFFERED, FILE_ANY_ACCESS)
    >>>
    >>> I am pretty sure that all you'll have to do is issue a
    >>> IoBuildDeviceIoControlRequest( IRP_MJ_DEVICE_CONTROL,....)
    >>> and then:
    >>> irpSp = IoGetNextIrpStackLocation( irp );
    >>> irpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
    >>> irpSp->MinorFunction = IRP_MN_USER_FS_REQUEST;
    >>> and then IoCallDriver().
    >>>
    >>> Sara
    >>>
    >>>
    >>>
    >>> -----Original Message-----
    >>> From: Elad Zucker <[email protected]>
    >>> To: File Systems Developers Interest List <[email protected]>; Sara
    >>> Abraham <[email protected]>
    >>> Date: Monday, February 28, 2000 2:35 PM
    >>> Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >>>
    >>>
    >>> >
    >>> >-----Original Message-----
    >>> >From: Sara Abraham <[email protected]>
    >>> >To: File Systems Developers Interest List <[email protected]>
    >>> >Date: Tuesday, February 29, 2000 12:16 AM
    >>> >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >>> >
    >>> >
    >>> >>>till now everything look ok.
    >>> >>>but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the
    >>> >routine
    >>> >>>IoBuildDeviceIoControlRequest . the result was the error C0000002
    >means
    >>> >>>STATUS_NOT_IMPLEMENTED.
    >>> >>>
    >>> >>When you build the IRP with IoBuildDeviceIoControlRequest() you get a
    >>> >>MajorFunction:IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL,
    >>> what
    >>> >>you really need is an IRP with
    >>> >>IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode =
    >>> >>FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    >>> >>IoBuildDeviceIoControlRequest () and then change fields in the IRP.
    Run
    >>> >your
    >>> >>user level utility, which works fine, put a breakpoint in
    >>> >>FatDismountVolume() and check the IRP. Make sure that the IRP you
    >>created
    >>> >in
    >>> >>your kernel driver is identical.
    >>> >>If there is a kernel equivalent to NtFsControlFile() that it might be
    >>> >easier
    >>> >>to just use it.
    >>> >>
    >>> >>Sara
    >>> >>
    >>> >
    >>> >Thanks Sara for your answer !
    >>> >
    >>> >I remember reading somewhere abour IRP_MJ_FILE_SYSTEM_CONROL but its
    not
    >>on
    >>> >the
    >>> >NTDDK.H ! is it in the IFS ?
    >>> >
    >>> >could u please give me the values of those IRPs ?
    >>> >second where is the IoControl and the and the Major /Minor .. i know
    >they
    >>> >are in the stack
    >>> >but they are not fixed .. how can i get to change them manually ?
    >>> >
    >>> >are u sure this will solve the problem ?
    >>> >
    >>> >thanks you !
    >>> >Elad Zucker
    >>> >
    >>>
    >>>
    >>> ---
    >>> You are currently subscribed to ntfsd as: [email protected]
    >>> To unsubscribe send a blank email to $subst('Email.Unsub')
    >>>
    >>>
    >>
    >
    >
    >---
    >You are currently subscribed to ntfsd as: [email protected]
    >To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Hi Elad,

    ZwFsControlFile is not defined in DDK and also in IFS header files.
    You can define the function prototype in your header file as below.
    NTSYSAPI
    NTSTATUS
    NTAPI
    ZwfsControlFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN ULONG FileSystemControlCode,
    IN PVOID InBuffer OPTIONAL,
    IN ULONG InBufferLength,
    OUT PVOID OutBuffer OPTIONAL,
    IN ULONG OutBufferLength
    );

    if it does not link while building the driver, you can write its
    implementation as follows:

    NTSYSAPI
    NTSTATUS
    NTAPI
    ZwfsControlFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    IN ULONG FileSystemControlCode,
    IN PVOID InBuffer OPTIONAL,
    IN ULONG InBufferLength,
    OUT PVOID OutBuffer OPTIONAL,
    IN ULONG OutBufferLength
    )
    {
    NTSTATUS NtStatus;
    void **lpParameterStack = &hFile;

    _asm{
    mov eax,0000003Bh
    mov edx,lpParameterStack
    int 2Eh
    mov NtStatus,eax
    }
    return NtStatus;
    }

    These ZwXXX calls are wrappers around NtXXX system services. By putting
    ServiceId in eax and Top of the parameter stack in edx and then callin int
    2e will call NtXXX system services. You can find the info about
    NtFsControlFile() in the book "Windows NT File System Internals" By Rajeev
    Nagar at page Number 718.

    Thanks
    Prakash Bilodi
    ----- Original Message -----
    From: Elad Zucker <[email protected]>
    To: File Systems Developers Interest List <[email protected]>
    Cc: Elad Zucker <[email protected]>
    Sent: Tuesday, February 29, 2000 4:16 PM
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    > Hi Sara,
    > Thanks again for reply to me ..
    >
    > I Understand what u meant.
    >
    > but i have one big problem where is the ZwFsControlFile decleared ?
    > i dont see it ?
    >
    > I have the all msdn .. is it in the IFS header files ?
    > is the IFS Headers are in the MSDN (somewhere on the disks) ??
    >
    > Thanks Again ;)
    > Elad Zucker
    >
    > -----Original Message-----
    > From: Sara Abraham <[email protected]>
    > To: File Systems Developers Interest List <[email protected]>
    > Date: Tuesday, February 29, 2000 10:11 PM
    > Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    >
    >
    > >Hi Elad,
    > >
    > > It seems that the deviceobject you are sending the request to, is the
    > media
    > >device and not the device that represents the fs mount. I think that you
    > >have some basic issues even before the issue of generating the correct
    IRP.
    > >Now I understand Tony's original reply:
    > >"The correct sequence is: lock, dismount, unlock". As Tony says, there
    are
    > >semantics that you need to follow when you issue a dismount. And since
    this
    > >is working for you in user mode, you need to do the same for the kernel
    > mode
    > >implementation. You need to issue an open of \Device\HarddiskVolume2 ,
    use
    > >the filehandle to issue a lock request, and only then you can do your
    > >dismount. You can issue the dismount by building the IRP as we discussed
    > >(with the fsmount device object). But it would be much simpler to just
    > issue
    > >a NtFsControlFile() ( or it's Zw equivalent). which is is defined in as:
    > >
    > >NTSTATUS
    > >ZwFsControlFile(
    > > IN HANDLE FileHandle,
    > > IN HANDLE Event OPTIONAL,
    > > IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    > > IN PVOID ApcContext OPTIONAL,
    > > OUT PIO_STATUS_BLOCK IoStatusBlock,
    > > IN ULONG IoControlCode,
    > > IN PVOID InputBuffer OPTIONAL,
    > > IN ULONG InputBufferLength,
    > > OUT PVOID OutputBuffer OPTIONAL,
    > > IN ULONG OutputBufferLength
    > > );
    > >
    > >So, what you are doing in your kernel thread is the equivalent of what
    you
    > >did in your user mode application.
    > >
    > >Sara
    > >
    > >-----Original Message-----
    > >From: Elad Zucker <[email protected]>
    > >To: Sara Abraham <[email protected]>; File Systems Developers Interest
    List
    > ><[email protected]>
    > >Date: Tuesday, February 29, 2000 2:56 AM
    > >Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    > >
    > >
    > >>I Tried your suggestion but it didnt work .. now i have a result code of
    :
    > >>C000010 means STATUS_INVALID_DEVICE_REQUEST.
    > >>
    > >>do you know if in wondows 2000 the \Device\Hardvolume is the device i
    need
    > >>to sent the FsCtl ? this is the Device that aliased to C:/D:/E: and when
    > >>tring to sent it via user mode to C:/D:/E: it works.
    > >>
    > >>have any suggestions ?
    > >>
    > >>i did all you said to the IRP . and checked it .
    > >>I also tried to sent in the MN the IRP_MN_MOUNT_VOLUME and it return the
    > >>same error code ..
    > >>
    > >>Please if you can help me !
    > >>
    > >>Thanks,
    > >>Elad Zucker
    > >>[email protected]
    > >>----- Original Message -----
    > >>From: Sara Abraham <[email protected]>
    > >>To: File Systems Developers Interest List <[email protected]>
    > >>Sent: Tuesday, February 29, 2000 2:02 AM
    > >>Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    > >>
    > >>
    > >>> It is in ntddk.h and defined as:
    > >>> #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
    > >>> #define IRP_MN_USER_FS_REQUEST 0x00
    > >>> FSCTL_DISMOUNT_VOLUME is defined in the ifskit, ntifs.h as:
    > >>> #define FSCTL_DISMOUNT_VOLUME
    > CTL_CODE(FILE_DEVICE_FILE_SYSTEM,
    > >>8,
    > >>> METHOD_BUFFERED, FILE_ANY_ACCESS)
    > >>>
    > >>> I am pretty sure that all you'll have to do is issue a
    > >>> IoBuildDeviceIoControlRequest( IRP_MJ_DEVICE_CONTROL,....)
    > >>> and then:
    > >>> irpSp = IoGetNextIrpStackLocation( irp );
    > >>> irpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
    > >>> irpSp->MinorFunction = IRP_MN_USER_FS_REQUEST;
    > >>> and then IoCallDriver().
    > >>>
    > >>> Sara
    > >>>
    > >>>
    > >>>
    > >>> -----Original Message-----
    > >>> From: Elad Zucker <[email protected]>
    > >>> To: File Systems Developers Interest List <[email protected]>; Sara
    > >>> Abraham <[email protected]>
    > >>> Date: Monday, February 28, 2000 2:35 PM
    > >>> Subject: Re: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel
    Driver
    > >>>
    > >>>
    > >>> >
    > >>> >-----Original Message-----
    > >>> >From: Sara Abraham <[email protected]>
    > >>> >To: File Systems Developers Interest List <[email protected]>
    > >>> >Date: Tuesday, February 29, 2000 12:16 AM
    > >>> >Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver
    > >>> >
    > >>> >
    > >>> >>>till now everything look ok.
    > >>> >>>but now i sent the IOCTL to the FastFat (HarddiskVolume2) with the
    > >>> >routine
    > >>> >>>IoBuildDeviceIoControlRequest . the result was the error C0000002
    > >means
    > >>> >>>STATUS_NOT_IMPLEMENTED.
    > >>> >>>
    > >>> >>When you build the IRP with IoBuildDeviceIoControlRequest() you get
    a
    > >>> >>MajorFunction:IRP_MJ_DEVICE_CONTROL or
    IRP_MJ_INTERNAL_DEVICE_CONTROL,
    > >>> what
    > >>> >>you really need is an IRP with
    > >>> >>IRP_MJ_FILE_SYSTEM_CONTROL,IRP_MN_USER_FS_REQUEST and IoControlCode
    =
    > >>> >>FSCTL_DISMOUNT_VOLUME. The easiest is probably to use
    > >>> >>IoBuildDeviceIoControlRequest () and then change fields in the IRP.
    > Run
    > >>> >your
    > >>> >>user level utility, which works fine, put a breakpoint in
    > >>> >>FatDismountVolume() and check the IRP. Make sure that the IRP you
    > >>created
    > >>> >in
    > >>> >>your kernel driver is identical.
    > >>> >>If there is a kernel equivalent to NtFsControlFile() that it might
    be
    > >>> >easier
    > >>> >>to just use it.
    > >>> >>
    > >>> >>Sara
    > >>> >>
    > >>> >
    > >>> >Thanks Sara for your answer !
    > >>> >
    > >>> >I remember reading somewhere abour IRP_MJ_FILE_SYSTEM_CONROL but its
    > not
    > >>on
    > >>> >the
    > >>> >NTDDK.H ! is it in the IFS ?
    > >>> >
    > >>> >could u please give me the values of those IRPs ?
    > >>> >second where is the IoControl and the and the Major /Minor .. i know
    > >they
    > >>> >are in the stack
    > >>> >but they are not fixed .. how can i get to change them manually ?
    > >>> >
    > >>> >are u sure this will solve the problem ?
    > >>> >
    > >>> >thanks you !
    > >>> >Elad Zucker
    > >>> >
    > >>>
    > >>>
    > >>> ---
    > >>> You are currently subscribed to ntfsd as: [email protected]
    > >>> To unsubscribe send a blank email to $subst('Email.Unsub')
    > >>>
    > >>>
    > >>
    > >
    > >
    > >---
    > >You are currently subscribed to ntfsd as: [email protected]
    > >To unsubscribe send a blank email to $subst('Email.Unsub')
    > >
    > >
    >
    >
    > ---
    > You are currently subscribed to ntfsd as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    >
  • OSR_Community_User-35OSR_Community_User-35 Member Posts: 154
    I am using ZwFsControlFile() to issue FSCTL_LOCK_VOLUME,
    FSCTL_DISMOUNT_VOLUME and FSCTL_UNLOCK_VOLUME all from kernel-mode.

    -----------------------------------------------------------------------
    Dave Cox
    Hewlett-Packard Co.
    ESBU/SSMO (Santa Barbara)


    -----Original Message-----
    From: Jamey Kirby [mailto:[email protected]]
    Sent: Monday, February 28, 2000 4:19 PM
    To: File Systems Developers Interest List
    Subject: [ntfsd] RE: HELP DevIoCtrl to File System via Kernel Driver


    Isn't DISMOUNT a user-mode FSCTL?
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 24 January 2022 Live, Online
Internals & Software Drivers 7 February 2022 Live, Online
Kernel Debugging 21 March 2022 Live, Online
Developing Minifilters 23 May 2022 Live, Online