
Re: Minifilter not intercepting IRP_MJ_WRITE, when a file is copied

Hi,

The condition you mentioned, "if ( NULL == FileObject->SectionObjectPointer
|| NULL == FileObject->SectionObjectPointer->DataSection )", works fine for
intercepting IRP_MJ_WRITE.
But it is not working properly for intercepting IRP_MJ_READ.
When a .jpg file is read by photoviewer.dll, some IRP_MJ_READs are
missed by the mini filter.
Please let me know a method to identify whether an IRP_MJ_READ is going to
disk or cache, for a network volume.

Thanks,
S Ramakrishnan


On Sun, Nov 20, 2016 at 11:46 AM, wrote:

>
> If a notepad file is created inside the network volume, some data is typed
> and saved then the filter driver gets IRP_MJ_WRITE.
> But when a file is copied to the network volume, the filter driver does not
> get IRP_MJ_WRITE.
>
>
> Notepad uses a memory mapped file, this is analogous to file being cached.
> When Memory Manager flushes dirty pages the filter receives paging IO.
>
>
> Please let me know the way to intercept the write IRP and encrypt the file.
>
>
> The correct implementation requires an isolation filter like OSR Data
> Modification Kit.
> In your case you can try to intercept a cached IO for network FS and
> process it as non cached (i.e. encrypt/decrypt) if ( NULL == FileObject->SectionObjectPointer
> || NULL == FileObject->SectionObjectPointer->DataSection ).
>

Comments

  • > Please let me know a method to identify whether a IRP_MJ_READ is going to
    > disk or cache, for a network volume.

    I do not remember the exact conditions under which this particular advice was given, and I am reading the list through the online version that jettisons the history.

    You can only be sure that paging IO will not end up in the cache. All other cases are implementation dependent. With good probability, a non-paging read is processed through the cache.

    You can find a heuristic for a particular network FSD for some IO cases.
  • I already tried this.
    But a non-paging read is going to disk in the case of a Word document and Excel.

    On Thu, Jul 13, 2017 at 8:25 PM, xxxxx@hotmail.com wrote:

    >
    > Please let me know a method to identify whether a IRP_MJ_READ is going to
    > disk or cache, for a network volume.
    >
    >
    > I do not remember the exact conditions this particular advice was given
    > and I am reading the list through the online version that jettisons the
    > history.
    >
    > You can only be sure that paging IO will not end up in the cache. All
    > other cases are implementation dependent. With a good probability
    > non-paging read is processed through the cache.
    >
    > You can find a heuristic for a particular network FSD for some IO cases.
    >
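
Added example, not part of the thread and not OSR's code: a user-mode C model of the classification the posts above describe, separating the one certain case (paging IO) from the heuristic ones. The type stand-ins and the names `classify_io`, `should_transform` and `IO_CLASS` are hypothetical; the flag values are those in wdm.h, and the WDK names the member `DataSectionObject`.

```c
#include <stddef.h>
#include <stdio.h>
/* Stand-ins for the WDK types so the logic builds in user mode (assumption). */
typedef unsigned long ULONG;
#define IRP_NOCACHE   0x00000001UL   /* values as defined in wdm.h */
#define IRP_PAGING_IO 0x00000002UL
typedef struct { void *DataSectionObject, *SharedCacheMap, *ImageSectionObject; }
    SECTION_OBJECT_POINTERS;
typedef struct { SECTION_OBJECT_POINTERS *SectionObjectPointer; } FILE_OBJECT;

typedef enum {
    IO_PAGING,          /* certain: paging IO does not end up in the cache */
    IO_NONCACHED,       /* the request asked to bypass the cache */
    IO_NO_DATA_SECTION, /* heuristic from the thread: no data section exists yet */
    IO_PROBABLY_CACHED  /* implementation dependent; likely served via the cache */
} IO_CLASS;

/* In a minifilter the inputs would be Data->Iopb->IrpFlags and FltObjects->FileObject. */
IO_CLASS classify_io(ULONG irp_flags, const FILE_OBJECT *fo)
{
    if (irp_flags & IRP_PAGING_IO) return IO_PAGING;
    if (irp_flags & IRP_NOCACHE)   return IO_NONCACHED;
    if (fo == NULL || fo->SectionObjectPointer == NULL ||
        fo->SectionObjectPointer->DataSectionObject == NULL)
        return IO_NO_DATA_SECTION;
    return IO_PROBABLY_CACHED;
}

/* Encrypt/decrypt in every class except the one expected to hit the cache. */
int should_transform(IO_CLASS c) { return c != IO_PROBABLY_CACHED; }

int main(void)
{
    int marker;                                   /* constructed sample state */
    SECTION_OBJECT_POINTERS mapped = { &marker, NULL, NULL }, empty = { NULL, NULL, NULL };
    FILE_OBJECT cached = { &mapped }, fresh = { &empty };
    static const char *name[] = { "paging", "non-cached", "no data section", "probably cached" };
    struct { const char *what; ULONG flags; const FILE_OBJECT *fo; } cases[] = {
        { "paging read of mapped file", IRP_PAGING_IO | IRP_NOCACHE, &cached },
        { "FILE_FLAG_NO_BUFFERING read", IRP_NOCACHE, &cached },
        { "first read, nothing cached", 0, &fresh },
        { "read after caching started", 0, &cached },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        IO_CLASS c = classify_io(cases[i].flags, cases[i].fo);
        printf("%-30s -> %-16s transform=%d\n", cases[i].what, name[c], should_transform(c));
    }
    return 0;
}
```

Only the `IO_PAGING` result is reliable across file systems; the last two classes are the per-FSD heuristic the replies describe and need to be validated against the specific network redirector.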