Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


How to determine a file open event via mini filter?

CA_Tan Posts: 10
I don't know why I cannot seem to find a straightforward answer to the question "How to determine file open event via mini filter?"

In Microsoft's docs (https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/irp-mj-create), it is explained that:

"The I/O Manager sends the IRP_MJ_CREATE request when a new file or directory is being created, or when an existing file, device, directory, or volume is being opened."

In the same Microsoft doc on IRP_MJ_CREATE, it says:

"Irp->IoStatus Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the requested operation. The file system sets the Information member of this structure to one of the following values:

FILE_CREATED

FILE_DOES_NOT_EXIST

FILE_EXISTS

FILE_OPENED

FILE_OVERWRITTEN

FILE_SUPERSEDED"

How do I identify if the status of the event is FILE_OPENED? The question is, when IRP_MJ_CREATE is sent, can I determine if this is a result of an existing file being open? And if I can, can I therefore identify the name of the file that is being opened, and which AD account has opened it?

Thanks.

Comments

  • Don_Burn-2 Posts: 1,620
    Traditionally, the approach is to allow the open to proceed, then on the
    POST operation check the flag. You can get the filename and the SID of the
    user as part of the pre/post operations.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com



  • CA_Tan Posts: 10
    Thanks Don.

    I'm sorry that I am pretty new to filters. How do I check the flag on the
    POST operation? While I will attempt again to understand the minifilter
    documentation on Microsoft's github page, do you have a recommended
    tutorial or steps that I can use? Thanks.


    CA Tan

  • NtDev_Geek Posts: 93
    Use the filetest utility and start playing with this awesome tool. Put a break point using windbg in your precreate dispatch and see the cdb values there; you can find all of your questions.

    Better to start with the pass-through filter sample of the DDK.

    Hope this will help.

    ./nT
  • CA_Tan Posts: 10
    Thanks nT. I downloaded filetest (
    http://www.zezula.net/en/fstools/filetest.html) and tried to use it. I'm
    not sure if I follow what you meant for me to use it for. Would it be the
    same effect if I simply opened a text file while having DbgView turned on?
    As for windbg, I'm not sure if I am thinking correctly that this might be
    an overkill. All I just want to know is how do I call out the flag of the
    POST operation (as per Don Burn's post). I guess the fault is really mine
    when I don't understand what you mean by "pass through filter sample of
    ddk". I did try to understand the passThrough filter sample on Microsoft's
    github, but I might have failed to understand the relation. Appreciate if
    you might have more specific directions as I am still trying to understand
    file systems and minifilters. Thanks.




    --
    Regards,
    CA
  • Hello CA,

    Please check the documentation for the FLT_CALLBACK_DATA structure, which is passed as a parameter to the PostOperation callback in a minifilter.

    In this structure you will find an IO_STATUS_BLOCK structure member, and the Information field of this structure will tell you whether an existing file is opened, an existing file is overwritten, or a new file is created.

    Hope this helps you.

    Regards,
    Gaurav Khuntale
  • CA_Tan Posts: 10
    Thank you Gaurav.

    I tried getting IoStatus.Information out from BOTH PreOperation (I know you
    said to do this on PostOperation only, but I wanted to see what happens if
    I attempt also on PreOperation) and PostOperation. On DbgViewer,
    PreOperation shows the IoStatus.Information to be (null). PostOperation
    does not print any data from my KdPrint line. If I do not ask to print
    IoStatus.Information on PostOperation, the KdPrint line prints fine.

    Here is my code in my PostOperation:

    FLT_POSTOP_CALLBACK_STATUS MiniPostCreate(PFLT_CALLBACK_DATA Data,
        PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext,
        FLT_POST_OPERATION_FLAGS Flags)
    {
        PFLT_FILE_NAME_INFORMATION FileNameInfo;
        NTSTATUS status;
        WCHAR Name[200] = { 0 };

        status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED |
            FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);

        if (NT_SUCCESS(status))
        {
            status = FltParseFileNameInformation(FileNameInfo);

            if (NT_SUCCESS(status))
            {
                if (FileNameInfo->Name.MaximumLength < 260)
                {
                    RtlCopyMemory(Name, FileNameInfo->Name.Buffer,
                        FileNameInfo->Name.MaximumLength);
                    //KdPrint(("Post Create is running. File: %ws, IoStatus.Pointer:%ws\r\n", Name, Data->IoStatus.Pointer));
                    KdPrint(("Post Create is running. File: %ws, IoStatus.Information is '%ws'\r\n",
                        Name,
                        Data->IoStatus.Information));
                }
            }

            FltReleaseFileNameInformation(FileNameInfo);
        }
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    Did I miss something? Thanks.




    --
    Regards,
    CA
  • Hello CA,

    You are using the wrong format specifier to print Data->IoStatus.Information. Please check the data type of the 'Information' member and use the appropriate format specifier. You will get the data that you wanted.

    Regards,
    Gaurav
  • Scott_Noone Posts: 2,989
    Two additional things:

    1. The Information field is meaningless in PreCreate. The value is set by
    the file system as part of completing the open, at which point you're called
    at PostCreate.

    2. A UNICODE_STRING.Buffer is not guaranteed to be NULL terminated, so the
    way you're copying and printing the buffer is invalid. You can print a
    PUNICODE_STRING with %wZ. So to print the path you can just:
    DbgPrint("%wZ\n", &FileNameInfo->Name);

    -scott
    OSR
    @OSRDrivers

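The three answers above (check Information in PostCreate, use an integer format specifier for it, and never assume a UNICODE_STRING buffer is NUL-terminated) can be exercised outside the kernel. The following is an added example, not code from any participant in this thread or from a Microsoft filter sample: a user-mode C model of what a PostCreate callback does with Data->IoStatus.Information. The FILE_* values are the ones ntifs.h defines for IRP_MJ_CREATE; the ULONG_PTR and UNICODE_STRING stand-ins, the sample file name with junk after it, and the device path in the log line are all constructed here so the code builds with an ordinary C compiler.

```c
/* Added example (not from the thread or any minifilter sample): a user-mode
 * model of the PostCreate checks discussed above. Kernel-only types are
 * replaced by stand-ins marked as assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Completion codes the file system stores in IoStatus.Information for
 * IRP_MJ_CREATE (values as defined in ntifs.h). */
#define FILE_SUPERSEDED     0
#define FILE_OPENED         1
#define FILE_CREATED        2
#define FILE_OVERWRITTEN    3
#define FILE_EXISTS         4
#define FILE_DOES_NOT_EXIST 5

typedef uintptr_t ULONG_PTR_T;      /* stand-in for ULONG_PTR (assumption) */

/* Stand-in for UNICODE_STRING (assumption): Length and MaximumLength are in
 * BYTES, and Buffer holds UTF-16 units with no guaranteed NUL terminator. */
typedef struct {
    uint16_t        Length;
    uint16_t        MaximumLength;
    const uint16_t *Buffer;
} MODEL_UNICODE_STRING;

/* Map the Information value to its symbolic name for logging. */
const char *create_result_name(ULONG_PTR_T info)
{
    switch (info) {
    case FILE_SUPERSEDED:     return "FILE_SUPERSEDED";
    case FILE_OPENED:         return "FILE_OPENED";
    case FILE_CREATED:        return "FILE_CREATED";
    case FILE_OVERWRITTEN:    return "FILE_OVERWRITTEN";
    case FILE_EXISTS:         return "FILE_EXISTS";
    case FILE_DOES_NOT_EXIST: return "FILE_DOES_NOT_EXIST";
    default:                  return "UNKNOWN";
    }
}

/* The event the original question asks about: an existing file was opened
 * with its contents untouched. FILE_OVERWRITTEN and FILE_SUPERSEDED also
 * involve an existing file but replace its data, so a monitor reports them
 * separately rather than as a plain open. */
int is_existing_file_open(ULONG_PTR_T info)
{
    return info == FILE_OPENED;
}

/* Build the log line. Information is an integer, so it gets an integer
 * specifier; in KdPrint the matching specifier for a ULONG_PTR is %Iu or
 * %Ix. %ws would treat the integer as a wide-string pointer. */
int format_post_create_line(char *out, size_t out_len,
                            const char *path, ULONG_PTR_T info)
{
    return snprintf(out, out_len, "Post Create: %s -> %s (Information=%llu)",
                    path, create_result_name(info), (unsigned long long)info);
}

/* Copy a counted string into a NUL-terminated buffer. Uses Length (bytes in
 * use), never MaximumLength (bytes allocated), and refuses rather than
 * overflowing. Returns the number of UTF-16 units copied, or -1 on no fit. */
int copy_counted_string(const MODEL_UNICODE_STRING *s,
                        uint16_t *out, size_t out_units)
{
    size_t units = s->Length / sizeof(uint16_t);
    if (units + 1 > out_units)
        return -1;
    memcpy(out, s->Buffer, s->Length);
    out[units] = 0;
    return (int)units;
}

/* Constructed sample: the name "\a.txt" (6 units, Length = 12 bytes) inside a
 * 24-byte allocation whose tail a MaximumLength-based copy would drag along. */
static const uint16_t SAMPLE_BUF[12] = {
    '\\', 'a', '.', 't', 'x', 't', 'Z', 'Z', 'Z', 'Z', 'Z', 'Z'
};
const MODEL_UNICODE_STRING SAMPLE_NAME = { 12, 24, SAMPLE_BUF };

int main(void)
{
    char line[128];
    uint16_t name[8];
    int n = copy_counted_string(&SAMPLE_NAME, name, 8);

    format_post_create_line(line, sizeof line,
                            "\\Device\\HarddiskVolume1\\a.txt", FILE_OPENED);
    printf("%s\n", line);
    printf("copied %d units, terminator at name[%d] = %u\n", n, n, name[n]);
    return 0;
}
```

In the real callback the same decision is made on Data->IoStatus.Information, read only after confirming NT_SUCCESS(Data->IoStatus.Status) and that Flags does not carry FLTFL_POST_OPERATION_DRAINING, and the path is printed straight from the PUNICODE_STRING with %wZ as Scott describes, which makes the copy unnecessary. The requestor's SID that Don mentions comes from the token in the create's security context; that has no user-mode equivalent and is not modelled here.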