Hi,
If I open a file with FltCreateFile and then close the handle, just holding the reference to FILE_OBJECT, I can rename the directory in which the file name resides. But if I try to use this FO to FltReadFile, the operation fails with STATUS_FILE_CLOSED. If I mantain the handle opened, I can issue the read, but renaming the directory fails…
That said, my question is about how CC or MM deal with this situation. They might hold a reference to a FO, even when all handles to it have been closed. They can issue IO operations (IE: lazy writer) and at the same time, renaming the directory won’t cause any issues.
I’ve been googling and found some info about IoCreateStreamFileObject, which seems to be used by the CC. This function closes internally the created handle and the FO is marked with FO_STREAM_FILE… So, a FO opened this way can be used for IO as if it had been created with FltCreateFile? Is that the “trick” of CC?
The FltReadFile fails as expected since the handle is closed. If you
were to issue the read using the PAGING bit, then it would succeed,
ignoring that you need to hold the correct locks, etc. Paging IO can
come in after the handle is closed, that is after the cleanup is
processed on the file object but not top level, non-paging IO. Think
memory mapped IO; you can open a file, memory map it, close the file
handle but still perform memory mapped access on the file. The flushes
will occur after the handle has been closed but they will be all paging.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: “xxxxx@yahoo.es”
To: “Windows File Systems Devs Interest List”
Sent: 3/1/2018 2:31:00 PM
Subject: [ntfsd] Cache Manager file reference + directory renaming
>Hi,
>
>If I open a file with FltCreateFile and then close the handle, just
>holding the reference to FILE_OBJECT, I can rename the directory in
>which the file name resides. But if I try to use this FO to
>FltReadFile, the operation fails with STATUS_FILE_CLOSED. If I mantain
>the handle opened, I can issue the read, but renaming the directory
>fails…
>
>That said, my question is about how CC or MM deal with this situation.
>They might hold a reference to a FO, even when all handles to it have
>been closed. They can issue IO operations (IE: lazy writer) and at the
>same time, renaming the directory won’t cause any issues.
>
>I’ve been googling and found some info about IoCreateStreamFileObject,
>which seems to be used by the CC. This function closes internally the
>created handle and the FO is marked with FO_STREAM_FILE… So, a FO
>opened this way can be used for IO as if it had been created with
>FltCreateFile? Is that the “trick” of CC?
>
>—
>NTFSD is sponsored by OSR
>
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>software drivers!
>Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at
>http:</http:></http:>
Hi Pete,
Yes, doing some aditional research I found that using the paging flag the read success.
Thx for your answer.