
minispy filter IRP_MJ_Create called multiple times

support Posts: 2
Hi,
I'm extending the minispy filter driver from the WDK samples to monitor a folder and send a notification as and when a file is opened.

The driver has registered only for IRP_MJ_CREATE, Cleanup and Write.

When I open a txt file using Notepad, I immediately get a notification with Create and Cleanup. When I close Notepad, I again get Create and Cleanup.

When I write something in Notepad, close it and select save, I get multiple Create and Cleanup.

My requirement is simple. Whenever a user opens a file a notification has to be sent. Whenever the user closes a file again a notification has to be sent.

I'd appreciate it if someone can help me on this.
Thanks

Comments

  • rod_widdowson Posts: 945
    Take a look at the stacks when you are called. You will see that everything
    from your driver up beats on create. A gazillion Win32 calls do opens.
    Explorer just has to get bored to do an open. Filters do opens.

    Procmon or Filespy will help with insight...

    > My requirement is simple. Whenever a user opens a file a notification has
    > to be sent. Whenever the user closes a file again a notification has to be
    > sent.

    Sounds like you are meeting your requirements. If you are not getting what
    you expect you need to revisit your requirements, particularly what you mean
    by "user":

    - a Security Principal?
    - a logged on entity?
    - an application?
    - a "session"

    and maybe what you mean by "open": Open for read? Open for Write?

    Or perhaps "file": Do metadata channels (C:\$Extend) matter? What about
    directories? Systems files? executables?

    This is requirements 101.

    R
  • support Posts: 2
    R,

    Thanks for the reply. What I meant by the user is the logged-in user who is
    trying to open a file by double-clicking on it.
    When double-clicking on a file it is opened for read/write. Any changes
    made to the file will be saved back.

    I understand IRP_MJ_CREATE in a mini-filter is called a gazillion times. I
    would like to check a file in a particular folder when it is opened and when
    it is closed.
    All I need is 2 events. The problem is when the file is opened I get

    (when Windows Explorer launches notepad.exe with file "d:\test\test.txt")
    IRP_MJ_CREATE
    IRP_MJ_CLEANUP

    (when notepad.exe is closed)
    IRP_MJ_CREATE
    IRP_MJ_CLEANUP

    When I write additional content in the file and save it I get more events.

    Is there any way to get fewer events? I see the same issue with FileSpy.

    Thanks

    (In reply to Rod Widdowson, Mon, May 7, 2018 at 2:41 PM)
  • Mike_Boucher Posts: 13
    Not sure I understand the question, but maybe. Your point is that you are
    getting a create and cleanup twice, once when notepad is opened and again
    when notepad is closed. You would prefer to get a create when it is opened
    and a cleanup when it is closed, is that right?

    (In reply to support, Mon, May 7, 2018 at 8:03 PM)
  • NtDev_Geek Posts: 93
    Welcome to the most astonishing world of Windows device drivers. All you want is 2 events and you are getting a lot. This is normal behavior since you are not alone in the system. Why not just try to focus on your open/r/w/close calls? The rest you can bypass, which is easy with a minifilter.
    You need to learn a lot about how minifilters work, and try to get used to the procmon and filespy utils.

    ./nT
  • Gabriel_Bercea Posts: 464
    > My requirement is simple. Whenever a user opens a file a notification has to be
    > sent. Whenever the user closes a file again a notification has to be sent.
    In Windows, "a user" usually means a security access token obtained after a successful user logon, which is then assigned to all the processes/threads that are created by that user. Winlogon.exe usually creates the first "user" process after you log in. All of the processes coming from this, usually children of Wininit, will have the same access token unless something like LogonUser/CreateProcessAsUser is done. Hence "when a user opens a file" means all the processes/threads created with that access open a file. A file open = a call to CreateFile. This happens all the time, at least on your Windows installation volume.
    What you are seeing at the file system filter level is simply threads requesting access to files on different volumes or even the network.
    The fact that you have certain expectations about the number of CREATEs/CLOSEs that should come due to an interactive user-mode GUI action is simply wrong. You can sometimes expect, when double-clicking a file, to see 10 creates coming down (indexing services, background processes, other filters, etc. could decide to open the file as a result of the interactive user's action), sometimes none (perhaps because of some form of caching). You cannot make such assumptions when you are writing a filter or you will have a bad time.
    I would advise you to redesign your filter taking this into account.

    Cheers,
    Gabriel
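A host-side model of the reduction the replies recommend, added here as an example and not code from the thread or the WDK minispy sample: it pairs each create with the cleanup of the same file object and bypasses opens from other processes, other folders, or without data access. The event structure, the process names and the trace are constructed stand-ins for what PostCreate/PreCleanup callbacks would see.

```c
#include <string.h>
enum { EV_CREATE = 1, EV_CLEANUP = 2 };
enum { ACC_READ = 1, ACC_WRITE = 2 };  /* stand-ins for FILE_READ_DATA / FILE_WRITE_DATA */
typedef struct {
    int kind; unsigned fileobj;   /* EV_*; fileobj models FILE_OBJECT identity */
    const char *image, *path;     /* requesting process image name, full path */
    unsigned access; int ok;      /* desired access on create; create succeeded */
} event_t;
/* Model of what a PostCreate/PreCleanup pair would report for one process image
 * and one folder: a successful create with data access is an "open" and its file
 * object is remembered; the cleanup of a remembered file object is a "close".
 * Everything else is bypassed. Returns the total number of notifications. */
int reduce_events(const event_t *ev, int n, const char *image,
                  const char *folder, int *opens, int *closes)
{
    unsigned tracked[16]; int nt = 0;
    *opens = *closes = 0;
    for (int i = 0; i < n; i++) {
        if (ev[i].kind == EV_CREATE) {
            if (!ev[i].ok || strcmp(ev[i].image, image) != 0) continue;
            if (strncmp(ev[i].path, folder, strlen(folder)) != 0) continue;
            if (!(ev[i].access & (ACC_READ | ACC_WRITE))) continue; /* attribute-only open */
            if (nt < 16) tracked[nt++] = ev[i].fileobj;
            (*opens)++;
        } else {
            for (int j = 0; j < nt; j++)
                if (tracked[j] == ev[i].fileobj) { tracked[j] = tracked[--nt]; (*closes)++; break; }
        }
    }
    return *opens + *closes;
}

/* Constructed trace modelled on the thread: Explorer probes the file without
 * data access, Notepad reads it, an indexer peeks, Notepad reopens to save. */
static const event_t sample_trace[] = {
    { EV_CREATE,  0x10, "explorer.exe",      "d:\\test\\test.txt", 0,         1 },
    { EV_CLEANUP, 0x10, "explorer.exe",      "d:\\test\\test.txt", 0,         1 },
    { EV_CREATE,  0x20, "notepad.exe",       "d:\\test\\test.txt", ACC_READ,  1 },
    { EV_CLEANUP, 0x20, "notepad.exe",       "d:\\test\\test.txt", 0,         1 },
    { EV_CREATE,  0x30, "SearchIndexer.exe", "d:\\test\\test.txt", ACC_READ,  1 },
    { EV_CLEANUP, 0x30, "SearchIndexer.exe", "d:\\test\\test.txt", 0,         1 },
    { EV_CREATE,  0x40, "notepad.exe",       "d:\\test\\test.txt", ACC_WRITE, 1 },
    { EV_CLEANUP, 0x40, "notepad.exe",       "d:\\test\\test.txt", 0,         1 },
};
#define SAMPLE_N ((int)(sizeof sample_trace / sizeof *sample_trace))
/* Notepad's view of the constructed trace: its read open and its save open. */
int run_sample(int *opens, int *closes)
{
    return reduce_events(sample_trace, SAMPLE_N, "notepad.exe", "d:\\test\\", opens, closes);
}
```

Notepad's initial read open and its later save open still come out as two separate open/close pairs, which is what the replies describe: at the filter level they are distinct handles, and collapsing them needs a policy above the filter.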
