Obtaining PreCreate messages for network shares

Hello -

I have a minifilter that I’ve written and that has been in use for some time. It basically monitors certain applications doing certain disk I/O, and it works well for my purposes. However, I would now like to receive the same Pre (and Post) file system operations for files residing on various network shares that my driver is now receiving for the local hard drive.

I thought that by simply returning STATUS_SUCCESS in my PFLT_INSTANCE_SETUP_CALLBACK function that gets called whenever a new volume is mounted, that I would then start to receive notification in my Pre-* routines when those IRP requests went to files on one of the network volumes.

However, unless I’m missing something basic, I’m not receiving those notifications for accessing those network files.

I’ve used the Microsoft driver samples on GitHub, so assuming I’m missing something, is there a sample there that is trying to do something similar to what I’m looking for?

Thank you.

IIRC, that is enough. STATUS_SUCCESS from InstanceSetup for all cases.

How do you tell whether you get PreOp calls for a network volume?

Just to emphasize what @Dejan_Maksimovic said.

If you attach at boot then MUP is usually the first volume to be announced to you. But (and you may not have realized this) you only get called once for all shares - you then need to decide on a case by case basis whether this is the share that interests you.

Thanks for the replies.

Yes, I was pretty sure based on reading and seeing what other drivers had been doing that simply returning STATUS_SUCCESS in my PFLT_INSTANCE_SETUP_CALLBACK should be enough.

I do have some filtering going on in my PreOp routines, where I filter out a good number of IRPs and just return FLT_PREOP_SUCCESS_NO_CALLBACK, indicating that I don’t need a notification in my PostOp. It may be that some of that filtering may have been set up incorrectly by me. I suppose for these purposes, I can remove all that and confirm that I then receive all events, even for network shares.

Is there a specific way in my PreOp or PostOp routine to tell explicitly what volume it’s coming from, or is the only way to do that to get the filename using FltGetFileNameInformation?

You can check if the FileObject->DeviceObject->DeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM, in which case it is network I/O.

Note that I say “network I/O” and not “MUP”, since MUP is the most common thing you would see, but far from the only redirector out there. And you need to be able to handle others.

A simple example is HGFS, from VMware, which you would see on both VMs for testing, and on VMs for production. And it is NOT behaving nicely with FltMgr in many areas. E.g. at least on my current setup, you cannot use FltMgr’s contexts :( I mean you can allocate them, but cannot associate them with a file object.

Then there is Citrix, Xi, RDP, probably there is some Netware still out there…

OK, I actually was getting network events, but there was some filtering upstream that had been in there forever that I’d forgotten about that was effectively filtering them out. So, my bad.

Thanks for the responses, though. I’m still somewhat shaky on driver things and the comments forced me to go reevaluate some things.