Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting... Please check out the Community Guidelines in the
Announcements and Administration Category, below.

First File System Filter Driver - Legacy or Filter Manager

David_F.David_F. Posts: 161
Hi,

So I'm going to write a small simple free utility using a file system filter driver, first file system driver (done device filters and legacy driver in past), looked years ago at legacy sample and seemed straight forward for basic stuff. Looking things up now they say something about a "Filter Manager", is that the way to go now? Are there samples using that as well?

TIA!!

Comments

  • Don_Burn-2Don_Burn-2 Posts: 1,620
    All of the samples are now minifilters using the Filter Manager, it is
    definitely the way to go.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com



    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of
    xxxxx@terabyteunlimited.com
    Sent: Monday, October 02, 2017 6:46 PM
    To: Windows File Systems Devs Interest List <xxxxx@lists.osr.com>
    Subject: [ntfsd] First File System Filter Driver - Legacy or Filter Manager

    Hi,

    So I'm going to write a small simple free utility using a file system filter
    driver, first file system driver (done device filters and legacy driver in
    past), looked years ago at legacy sample and seemed straight forward for
    basic stuff. Looking things up now they say something about a "Filter
    Manager", is that the way to go now? Are there samples using that as well?

    TIA!!


    ---
    NTFSD is sponsored by OSR


    MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
    drivers!
    Details at <http://www.osr.com/seminars>;

    To unsubscribe, visit the List Server section of OSR Online at
    <http://www.osronline.com/page.cfm?name=ListServer>;
  • Scott_NooneScott_Noone Posts: 2,989
    Legacy filters are dead, you want to write a Filter Manager Minifilter. Samples are here:

    https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter

    If you give a high level description of what you?re trying to do we might be able to guide you further.

    -scott
    OSR
    @OSRDrivers
  • David_F.David_F. Posts: 161
    basically make existing files in a directory read-only (abort any attempted open that isn't read only, including delete requests), but allow new files to be created. Then a way to allow deletes when wanted.
  • > basically make existing files in a directory read-only (abort any
    > attempted open that
    > isn't read only, including delete requests), but allow new files to be
    > created. Then
    > a way to allow deletes when wanted.

    I'd absolutely suggest that you do this with a minifilter, but this is
    almost a perfect example of something which appears really easy (look at the
    desired access and respond) and turns out to have a whole bunch of issues...

    https://xkcd.com/1425/

    What you want to do is (of course) possible but you need to think about the
    following:

    - What are you going to do about dispositions like FILE_OPEN_IF ? (create a
    file if it doesn't exist). It may seem that there is a trick you can play
    by looking at the Information field in post create and if the file hasn't
    been created cancel the create. But lower filters will have seen the open
    and may have already written to the file. Also, read on.

    - What are you going to do about the destructive dispositions? Are they
    write access (as I recall they do not require write access).

    - FILE_OVERWRITE_IF combines both these problems. A successful open of an
    existing file will have erased it so doing a FltCancelOpen is too late.

    - Delete on close is another case to worry about.

    - And then there all the ways of deleting a file which do not involved
    opening it for write (destructive link creation and rename spring to mind
    but there may be others)

    - Finally you might be surprised by the bone headed way many applications
    work. Several will create a file, close it and then reopen it for write.
    By your rules the second open will be denied, but I'll bet you that the
    application will complain. Often enough you'll discover that it won't even
    check that the second open worked...

    So, this is all possible to do, but it will involved a great deal of work
    and I'll bet you end up hitting performance (so add some "allowable
    performance" metrics to your requirements.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!