URL files deleted from IE Favorites folder when folder redirection is enabled.

Kunal Posts: 20
Hi,

My customer has a setup where he uses folder redirection for IE Favorites by Group Policy for their Active Directory. This means that for all the users in Active Directory, the "Favorites" folder is redirected to a file-server.
The customer has installed my filter driver on the file-server. The filter driver intercepts all the file access requests and sends the file for scanning on a remote machine. Based on the scan results, the file is allowed access or deleted.

When the customer tries to save a URL from IE 11, the URL file automatically gets deleted from the file-server. But if he disables my filter driver and tries to save the URL, it is not deleted. Also, this is not seen (i.e., the file is not deleted) for URLs with a favicon. Also, the file is not deleted if it is a txt file (i.e., only .url files are deleted from this folder).
From procmon data, I cannot see my driver deleting the files. I could see srv2.sys and iexplore deleting the url files.

Who is actually deleting the files here? And why is the file not deleted without my driver? Why does this occur only with .URL files and not with other file types?

Observations:
=============
I ran procmon on the file-server and the user machine. From the file-server procmon logs, it looks like the Microsoft SMB driver is marking the file for delete
(procmon results filtered by "Detail = Delete: True"):

----------------START-----------------------------------------
Process Name Operation Path Result Detail
System SetDispositionInformationFile C:\homes\nara1\Favorites\Nara 2.url SUCCESS Delete: True


0 fltmgr.sys FltpPerformPreCallbacks + 0x31a
1 fltmgr.sys FltpPassThroughInternal + 0x8c
2 fltmgr.sys FltpPassThrough + 0x2b5
3 fltmgr.sys FltpDispatch + 0x9e
4 ntoskrnl.exe NtSetInformationFile + 0x7fa
5 srv2.sys Smb2ExecuteSetInfoReal + 0xcd
6 srv2.sys SrvProcpWorkerThreadProcessWorkItems + 0x18b
7 srv2.sys SrvProcWorkerThreadCommon + 0xc2
8 ntoskrnl.exe ExpWorkerThread + 0x2b5
9 ntoskrnl.exe PspSystemThreadStartup + 0x58
10 ntoskrnl.exe KxStartSystemThread + 0x16
----------------END-------------------------------------------

Procmon from user-machine indicates that IE is marking the file for delete (procmon results filtered by "Detail = Delete: True"):

----------------START-----------------------------------------
Process Name Operation Path Result Detail
iexplore.exe SetDispositionInformationFile C:\Windows\CSC\v2.0.6\namespace\WIN-2012-CLIENT\homes\nara1\Favorites\Nara 6.url SUCCESS Delete: True
iexplore.exe SetDispositionInformationFile \\win-2012-client\homes\nara1\Favorites\Nara 6.url SUCCESS Delete: True
iexplore.exe SetDispositionInformationFile C:\Windows\CSC\v2.0.6\namespace\WIN-2012-CLIENT\homes\nara1\Favorites\Nara 6.url SUCCESS Delete: True


1st entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntoskrnl.exe KiServiceLinkage
csc.sys CscSrvOpenCloseStoreState + 0x511
csc.sys CscSrvOpenCloseStoreState + 0x1ef
ntoskrnl.exe KySwitchKernelStackCallout + 0x27
ntoskrnl.exe KiSwitchKernelStackContinue
ntoskrnl.exe KeExpandKernelStackAndCalloutInternal + 0x218
csc.sys CscStorepLowIoCreateFilePoster + 0x19c
csc.sys CscStorepLowIoSetInformationFilePoster + 0x81
csc.sys CscStorepLowIoSetDeleteDisposition + 0x1c
csc.sys CscEnpComputePqQueueCommand + 0x696
csc.sys ?? ::NNGAKEGL::`string' + 0x93e0
csc.sys CscEnFindOrCreateEntry + 0x56
csc.sys CscEnQueryInformationEntry + 0x481
csc.sys CscStoreFindOrCreateEntry + 0x45
csc.sys CscCreate + 0xea7
rdbss.sys RxCollapseOrCreateSrvOpen + 0x232
rdbss.sys RxCreateFromNetRoot + 0x1b0
rdbss.sys RxCommonCreate + 0x1bd
rdbss.sys RxFsdCommonDispatch + 0x56e
rdbss.sys RxFsdDispatch + 0xcf
mrxsmb.sys MRxSmbFsdDispatch + 0x83
mup.sys MupiCallUncProvider + 0xc2
mup.sys MupCreate + 0x5f8
fltmgr.sys FltpLegacyProcessingAfterPreCallbacksCompleted + 0x258
fltmgr.sys FltpCreate + 0x342
ntoskrnl.exe IopParseDevice + 0x7b3
ntoskrnl.exe ObpLookupObjectName + 0x6d8
ntoskrnl.exe ObOpenObjectByName + 0x1e3
ntoskrnl.exe IopCreateFile + 0x372
ntoskrnl.exe NtCreateFile + 0x78
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwCreateFile + 0xa
KERNELBASE.dll CreateFileInternal + 0x30a
KERNELBASE.dll CreateFileW + 0x66
IEFRAME.dll CInternetShortcutPropertyStore::SaveEx + 0xb2
IEFRAME.dll CInternetShortcut::SaveToFile + 0x45
IEFRAME.dll CInternetShortcut::Save + 0x106
IEFRAME.dll PersistShortcut + 0x3e
IEFRAME.dll CreateNewFavorite + 0xa2
IEFRAME.dll CreateShortcutInDirEx + 0x178
IEFRAME.dll AddToFavoritesEx + 0x4d0
IEFRAME.dll CShdocvwBroker::CAddToFavoritesEx::STAFunction + 0x8a
IEFRAME.dll CShdocvwBroker::CSTAWorkItem<tagOFNW>::_ThreadProc + 0x2d
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d


2nd entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwSetInformationFile + 0xa
KERNELBASE.dll BaseMarkFileForDelete + 0xa7
KERNELBASE.dll BasepCopyFileExW + 0x1329
KERNELBASE.dll CopyFileExW + 0xbc
KERNEL32.DLL CopyFileW + 0x22
IEFRAME.dll CInternetShortcut::Save + 0xf1
IEFRAME.dll CFaviconDownloader::_SaveInfoToFavorite + 0x26e45e
IEFRAME.dll CFaviconDownloader::_SaveInfoToStores + 0x51
IEFRAME.dll CFaviconDownloader::_DoUpdateIcon + 0xc5
IEFRAME.dll CFaviconDownloader::UpdateFavicon + 0x10d
IEFRAME.dll UpdateFavoriteIcon + 0xb1
IEFRAME.dll DownloadAndAddIcon + 0x156
IEFRAME.dll CreateNewFavorite + 0x19d
IEFRAME.dll CreateShortcutInDirEx + 0x178
IEFRAME.dll AddToFavoritesEx + 0x4d0
IEFRAME.dll CShdocvwBroker::CAddToFavoritesEx::STAFunction + 0x8a
IEFRAME.dll CShdocvwBroker::CSTAWorkItem<tagOFNW>::_ThreadProc + 0x2d
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d

3rd entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntoskrnl.exe KiServiceLinkage
csc.sys CscSrvOpenCloseStoreState + 0x511
csc.sys CscStorepLowIoCreateFilePoster + 0x1c3
csc.sys CscStorepLowIoSetInformationFilePoster + 0x81
csc.sys CscStorepLowIoSetDeleteDisposition + 0x1c
csc.sys CscEnpComputePqQueueCommand + 0x696
csc.sys ?? ::NNGAKEGL::`string' + 0x93e0
csc.sys CscEnFindOrCreateEntry + 0x56
csc.sys CscEnQueryInformationEntry + 0x481
csc.sys CscStoreFindOrCreateEntry + 0x45
csc.sys CscQueryDirOpenAndUpdateEntry + 0x2d2
csc.sys CscQueryDirStitchSingleEntry + 0x294
csc.sys CscQueryDirStitchRemoteBuffer + 0x50
csc.sys CscQueryDirOnlineAndUpdateCache + 0x155
csc.sys ?? ::NNGAKEGL::`string' + 0x791
rdbss.sys RxQueryDirectory + 0x3e8
rdbss.sys RxCommonDirectoryControl + 0x94
rdbss.sys RxFsdCommonDispatch + 0x56e
rdbss.sys RxFsdDispatch + 0xcf
mrxsmb.sys MRxSmbFsdDispatch + 0x83
mup.sys MupFsdIrpPassThrough + 0x1ee
fltmgr.sys FltpLegacyProcessingAfterPreCallbacksCompleted + 0x258
fltmgr.sys FltpDispatch + 0xb6
ntoskrnl.exe NtQueryDirectoryFile + 0x1c0
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwQueryDirectoryFile + 0xa
SHELL32.dll CEnumFiles::_InitEnumeration + 0x193
SHELL32.dll CFSFolder::ParseDisplayName + 0x7ec
IEFRAME.dll CNscChangeNotifyTask::_IdlRealFromIdlSimple + 0xda
IEFRAME.dll CNscChangeNotifyTask::InternalResumeRT + 0x19
IEFRAME.dll CRunnableTask::Run + 0x5f
IEFRAME.dll CShellTaskThread::ThreadProc + 0xac
IEFRAME.dll CShellTaskThread::s_ThreadProc + 0x22
IEFRAME.dll ExecuteWorkItemThreadProc + 0x3c
ntdll.dll RtlpTpWorkCallback + 0x121
ntdll.dll TppWorkerThread + 0x81a
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d
----------------END-------------------------------------------



Thanks for your time.
Kunal