Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting... Please check out the Community Guidelines in the
Announcements and Administration Category, below.

Cache Manager file reference + directory renaming

Hi,

If I open a file with FltCreateFile and then close the handle, just holding the reference to FILE_OBJECT, I can rename the directory in which the file name resides. But if I try to use this FO to FltReadFile, the operation fails with STATUS_FILE_CLOSED. If I mantain the handle opened, I can issue the read, but renaming the directory fails...

That said, my question is about how CC or MM deal with this situation. They might hold a reference to a FO, even when all handles to it have been closed. They can issue IO operations (IE: lazy writer) and at the same time, renaming the directory won't cause any issues.

I've been googling and found some info about IoCreateStreamFileObject, which seems to be used by the CC. This function closes internally the created handle and the FO is marked with FO_STREAM_FILE... So, a FO opened this way can be used for IO as if it had been created with FltCreateFile? Is that the "trick" of CC?

Comments

  • Peter_ScottPeter_Scott Posts: 738
    The FltReadFile fails as expected since the handle is closed. If you
    were to issue the read using the PAGING bit, then it would succeed,
    ignoring that you need to hold the correct locks, etc. Paging IO can
    come in after the handle is closed, that is after the cleanup is
    processed on the file object but not top level, non-paging IO. Think
    memory mapped IO; you can open a file, memory map it, close the file
    handle but still perform memory mapped access on the file. The flushes
    will occur after the handle has been closed but they will be all paging.

    Pete

    --
    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

    ------ Original Message ------
    From: "xxxxx@yahoo.es" <xxxxx@lists.osr.com>
    To: "Windows File Systems Devs Interest List" <xxxxx@lists.osr.com>
    Sent: 3/1/2018 2:31:00 PM
    Subject: [ntfsd] Cache Manager file reference + directory renaming

    >Hi,
    >
    >If I open a file with FltCreateFile and then close the handle, just
    >holding the reference to FILE_OBJECT, I can rename the directory in
    >which the file name resides. But if I try to use this FO to
    >FltReadFile, the operation fails with STATUS_FILE_CLOSED. If I mantain
    >the handle opened, I can issue the read, but renaming the directory
    >fails...
    >
    >That said, my question is about how CC or MM deal with this situation.
    >They might hold a reference to a FO, even when all handles to it have
    >been closed. They can issue IO operations (IE: lazy writer) and at the
    >same time, renaming the directory won't cause any issues.
    >
    >I've been googling and found some info about IoCreateStreamFileObject,
    >which seems to be used by the CC. This function closes internally the
    >created handle and the FO is marked with FO_STREAM_FILE... So, a FO
    >opened this way can be used for IO as if it had been created with
    >FltCreateFile? Is that the "trick" of CC?
    >
    >---
    >NTFSD is sponsored by OSR
    >
    >
    >MONTHLY seminars on crash dump analysis, WDF, Windows internals and
    >software drivers!
    >Details at <http://www.osr.com/seminars>;
    >
    >To unsubscribe, visit the List Server section of OSR Online at
    ><http://www.osronline.com/page.cfm?name=ListServer>;

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

  • Hi Pete,

    Yes, doing some aditional research I found that using the paging flag the read success.

    Thx for your answer.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!