Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Attaching to virtual volumes (how does subst.exe work?)

Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
Hello,

How does subst.exe work? I have imagined it creates a symbolic link in
DosDevices that points to drive:/directory, but I see no new symbolic
link that look like a drive letter in WinObj.

If I create a virtual volume with subst.exe, can I attach a file
system filter or minifilter to it?

Thanks

--
Aram Hăvărneanu

Comments

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    >How does subst.exe work? I have imagined it creates a symbolic link in
    >DosDevices that points to drive:/directory, but I see no new symbolic
    >link that look like a drive letter in WinObj.

    OK.

    C:\Users\maxim>subst q: .

    C:\Users\maxim>subst
    Q:\: => C:\Users\maxim

    Then in WinObj (run it as admin):

    Name: \Sessions\0\DosDevices\00000000-0006664f\Q:
    Type: SymbolicLink
    ...
    Link: \??\C:\Users\maxim

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,142
    "Aram Hăvărneanu" <xxxxx@mgk.ro> wrote in message news:xxxxx@ntfsd...
    > Hello,
    >
    > How does subst.exe work? I have imagined it creates a symbolic link in
    > DosDevices that points to drive:/directory, but I see no new symbolic
    > link that look like a drive letter in WinObj.

    This is indeed what it does, you must be looking in the wrong place. Mine is
    in \Sessions\0\DosDevices\AuthId\Q:

    -scott

    --
    Scott Noone
    Consulting Associate
    OSR Open Systems Resources, Inc.
    http://www.osronline.com


    "Aram Hăvărneanu" <xxxxx@mgk.ro> wrote in message news:xxxxx@ntfsd...
    > Hello,
    >
    > How does subst.exe work? I have imagined it creates a symbolic link in
    > DosDevices that points to drive:/directory, but I see no new symbolic
    > link that look like a drive letter in WinObj.
    >
    > If I create a virtual volume with subst.exe, can I attach a file
    > system filter or minifilter to it?
    >
    > Thanks
    >
    > --
    > Aram Hăvărneanu
    >
    >

    -scott
    OSR

  • Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
    On Thu, Aug 19, 2010 at 11:08 PM, Maxim S. Shatskih
    <xxxxx@storagecraft.com> wrote:
    > C:\Users\maxim>subst q: .
    >
    > C:\Users\maxim>subst
    > Q:\: => C:\Users\maxim
    >
    > Then in WinObj (run it as admin):
    >
    > Name: \Sessions\0\DosDevices\00000000-0006664f\Q:
    > Type: SymbolicLink
    > ...
    > Link: \??\C:\Users\maxim
    >

    Ok, it works the way I imagined it works, except for that AuthId
    stuff. I missed that. What's that AuthId stuff? Do I need to care
    about it if I write Windows filters?

    Unfortunately, if subst.exe works in this simple way, I understand
    that I can't filter only I/O that's done through that Win32 letter
    because there's a single `real' storage device object? What do you
    recommend to do in this case?

    Thanks,

    --
    Aram Hăvărneanu
  • Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
    On Thu, Aug 19, 2010 at 11:23 PM, Scott Noone <xxxxx@osr.com> wrote:
    > "Aram Hăvărneanu" <xxxxx@mgk.ro> wrote in message news:xxxxx@ntfsd...
    > This is indeed what it does, you must be looking in the wrong place. Mine is
    > in \Sessions\0\DosDevices\AuthId\Q:

    You are indeed correct. What do you recommend to do in this case if
    the desire is to filter only stuff that references that `virtual'
    letter?

    Thanks,

    --
    Aram Hăvărneanu
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    >Ok, it works the way I imagined it works, except for that AuthId
    >stuff. I missed that. What's that AuthId stuff?

    Logon ID.

    Can be queried by GetTokenInformation in user mode.

    >recommend to do in this case?

    Do you really want to filter the substed drive letter?

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    >You are indeed correct. What do you recommend to do in this case if
    >the desire is to filter only stuff that references that `virtual'
    >letter?

    If Q: -> C:\Users\maxim is substed, then your filter cannot distinguish the file open at Q:\path and at C:\Users\maxim\path

    Sorry. It is above your filter.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
    On Thu, Aug 19, 2010 at 11:46 PM, Maxim S. Shatskih
    <xxxxx@storagecraft.com> wrote:
    > Do you really want to filter the substed drive letter?

    I wish my filter to `act' only when I/O targets some directories. This
    could be done by checking the I/O operation target, doing something to
    it if the directory is correct and pass it untouched if it's a
    different directory, however, I have hoped for a more clean solution
    where I could have the filter code run only when needed (a.i. let
    Windows device if it should run my filter or not, instead of letting
    me doing the decision of weather I should `act' on the I/O or not).

    --
    Aram Hăvărneanu
  • Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
    On Thu, Aug 19, 2010 at 11:54 PM, Aram Hăvărneanu <xxxxx@mgk.ro> wrote:
    > On Thu, Aug 19, 2010 at 11:46 PM, Maxim S. Shatskih
    > <xxxxx@storagecraft.com> wrote:
    >> Do you really want to filter the substed drive letter?
    >
    > I wish my filter to `act' only when I/O targets some directories. This
    > could be done by checking the I/O operation target, doing something to
    > it if the directory is correct and pass it untouched if it's a
    > different directory, however, I have hoped for a more clean solution
    > where I could have the filter code run only when needed (a.i. let
    > Windows device if it should run my filter or not, instead of letting
    > me doing the decision of weather I should `act' on the I/O or not).

    I see that VSS creates `virtual' volumes. Is it feasible to create
    such a thing that will appear to the system as a virtual volume, and
    attach a filter to it that will redirect all I/O to the real volume?
    What documentation do I need to read in order to understand what is
    required to create a virtual volume?

    Thanks,

    --
    Aram Hăvărneanu
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    >I see that VSS creates `virtual' volumes.

    VolSnap is not "subst", it creates the virtual disk device.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • Aram_Havarneanu-2Aram_Havarneanu-2 Member Posts: 161
    On Fri, Aug 20, 2010 at 2:00 AM, Maxim S. Shatskih
    <xxxxx@storagecraft.com> wrote:
    >>I see that VSS creates `virtual' volumes.
    >
    > VolSnap is not "subst", it creates the virtual disk device.

    I know. That is why I am asking how does it accomplish this? Is it
    documented somewhere?

    Thanks,

    --
    Aram Hăvărneanu
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    I use a simple test for SUBST drive letters. If you try to obtain a GUID for the volume (GetVolumeNameForVolumeMountPoint) and it fails, it could be a SUBST drive letter. Works for my purposes.

    Ken


    -----Original Message-----
    From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
    Sent: Thursday, August 19, 2010 2:48 PM
    To: Windows File Systems Devs Interest List
    Subject: Re:[ntfsd] Attaching to virtual volumes (how does subst.exe work?)

    >You are indeed correct. What do you recommend to do in this case if the
    >desire is to filter only stuff that references that `virtual'
    >letter?

    If Q: -> C:\Users\maxim is substed, then your filter cannot distinguish the file open at Q:\path and at C:\Users\maxim\path

    Sorry. It is above your filter.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com


    ---
    NTFSD is sponsored by OSR

    For our schedule of debugging and file system seminars
    (including our new fs mini-filter seminar) visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA