Unknown FSCTL FILE_DEVICE_FILE_SYSTEM/239 on OneDrive

Alex_Funky Posts: 133
Hello everyone!
I'm trying to log the operations on the filesystem introduced by OneDrive, but I encountered a problem: after I send an incoming file to OneDrive via the Internet, in my mini-filter driver I see only one OPEN_FILE request and two FSCTL_ requests with code 239 to the OneDrive storage, and then the file appears in the storage...
I found the topic https://www.osronline.com/showthread.cfm?link=286466 with the same problem.
What is the magic code 239 and how does it work?
Thank you!

Comments

  • I still have the same questions as last time:

    What is the call stack when you see this FSCTL? Be sure to do a .reload /user before getting the call stack.

    Are you above or below CldFlt?

    -scott
    OSR
    @OSRDrivers


  • Alex_Funky Posts: 133
    I'm above CldFlt.
  • Scott_Noone_(OSR) Posts: 3,004
    OK, I put this under Process Monitor and checked a few call stacks. Looks
    like the FSCTL 0x903bc (9/239/0) is the *one* FSCTL used for all Cloud
    Filter APIs from user mode. For example here's one stack:

    NtFsControlFile + 0x14
    DeviceIoControl + 0x111
    DeviceIoControlImplementation + 0x80
    IssueHsmControl + 0x119
    CfHydratePlaceholder + 0xa4
    <lambda_b9c59366b7b72eef8885827a75bce7b9>::operator() + 0x124
    <lambda_e14dae719a439946fdc25bf9b67195ed>::operator() + 0x144
    <lambda_96f1580a475abedb5b0ccd0a97f888b6>::operator() + 0x105

    (Aside: man do I hate other people's lambdas...)

    And another:

    NtFsControlFile + 0x14
    DeviceIoControl + 0x111
    DeviceIoControlImplementation + 0x80
    IssueHsmControl + 0x119
    CfSetCorrelationVector + 0xd7
    <lambda_b9c59366b7b72eef8885827a75bce7b9>::operator() + 0x95
    <lambda_e14dae719a439946fdc25bf9b67195ed>::operator() + 0x144

    You can find documentation on the CfXxx APIs here:

    https://msdn.microsoft.com/en-us/library/windows/desktop/mt827575(v=vs.85).aspx

    Based on the call stack, if I needed to give this FSCTL a name I'd call it
    FSCTL_ISSUE_HSM_CONTROL. Though that doesn't really tell you anything as it
    clearly does lots of different things depending on the associated control
    structure.

    You'll need to sit beneath the Cloud Filter if you want to see the writes.

    -scott
    OSR
    @OSRDrivers
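
Added example (not part of the original posts, and not OSR or Microsoft code): a small C decoder for the standard CTL_CODE bit layout, showing how 0x903bc splits into the 9/239/0 quoted above, where device type 9 is FILE_DEVICE_FILE_SYSTEM. The struct and function names are hypothetical; 0x900a4 (FSCTL_SET_REPARSE_POINT) is included only as a known code for comparison.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of an I/O control code (same as the WDK's CTL_CODE macro):
 * bits 31..16 DeviceType | 15..14 Access | 13..2 Function | 1..0 Method */
typedef struct {
    uint32_t device_type, access, function, method;
} ctl_fields;

static ctl_fields ctl_decode(uint32_t code)
{
    ctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Inverse of ctl_decode; used to check that no bits were lost. */
static uint32_t ctl_encode(ctl_fields f)
{
    return (f.device_type << 16) | (f.access << 14) | (f.function << 2) | f.method;
}

static const char *method_name(uint32_t m)
{
    static const char *const names[] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 0x3];
}

/* Function numbers below 0x800 are reserved for Microsoft-defined codes. */
static int is_microsoft_function(uint32_t function) { return function < 0x800; }

/* Print one code the way the thread writes it: DeviceType/Function/Method. */
static void ctl_print(uint32_t code)
{
    ctl_fields f = ctl_decode(code);
    printf("0x%05x -> %u/%u/%u (%s, access=%u, %s function)\n", (unsigned)code,
           (unsigned)f.device_type, (unsigned)f.function, (unsigned)f.method,
           method_name(f.method), (unsigned)f.access,
           is_microsoft_function(f.function) ? "Microsoft" : "vendor");
}

int main(void)
{
    ctl_print(0x903bcu);  /* the code from the thread */
    ctl_print(0x900a4u);  /* FSCTL_SET_REPARSE_POINT, for comparison */
    return 0;
}
```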

