Object manager refusing to reparse

ntdeveloper31 Member Posts: 43

Hi Folks,

I'm writing a classic cross-volume file system mini-filter driver that redirects all I/O requests from one volume (C:) to another (say, X:). I achieve this by using the famous reparse approach, i.e.:

// Change filename in Data->Iopb->TargetFileObject using IoReplaceFileObjectName
// So e.g. replacing L"\??\Volume{dd9d0273-0000-0000-0000-602200000000}\Users\Admin" with L"\??\Volume{e53ce0d4-0000-0000-0000-100000000000}\Users\Admin"
Data->IoStatus.Information = IO_REPARSE;
Data->IoStatus.Status = STATUS_REPARSE;
Data->Iopb->TargetFileObject->RelatedFileObject = NULL;
FltSetCallbackDataDirty(Data);
return FLT_PREOP_COMPLETE;

This seems to be working fine until I launch Microsoft Edge. The browser gets launched but it fails to load home page contents, suggestions etc.
After putting in long debugging / investigation hours here's what I see in the Procmon:

MicrosoftEdgeCP.exe (FAILURE LOGS)

MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded

MicrosoftEdge.exe (SUCCESS LOGS)

MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Disallow Exclusive, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Superseded
MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Disallow Exclusive, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
MicrosoftEdge.exe CloseFile X:\Users\Admin SUCCESS
MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Superseded
MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
MicrosoftEdge.exe CloseFile X:\Users\Admin SUCCESS

In the Procmon, there's simply no entry corresponding to IRP_MJ_CREATE for X:\Users\Admin for EdgeCP.exe whereas that's not the case with Edge.exe.
It's literally like IO manager / object manager has not re-issued a new IRP_MJ_CREATE for the new filename.

So what are those mysterious circumstances during which IO manager / object manager decides to do this?

Thanks
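A way to compare the two Procmon traces above field by field, as an added example that is not part of the original post: it splits the REPARSE creates into those followed by a successful create on the redirected path and those that were not, then lists the create parameters seen only in the second group. It assumes the row layout pasted in the post (result is REPARSE or SUCCESS); the function names are hypothetical, and the output is a lead for debugging, not a diagnosis.

```python
import re

KEYS = ("Desired Access", "Disposition", "Options", "Attributes", "ShareMode", "AllocationSize", "OpenResult")
ALT = "|".join(KEYS)
# Assumed row layout (as pasted in the post): process, operation, path, result, detail.
ROW = re.compile(r"^(\S+)\s+(\w+)\s+(.+?)\s+(REPARSE|SUCCESS)\b\s*(.*)$")
# Values contain commas, so a value ends only where the next known key starts.
FIELD = re.compile(rf"({ALT}):\s*(.*?)(?=,\s*(?:{ALT}):|$)")

def parse(log):
    """Return [(process, operation, path, result, flags)]; flags are 'Key=Value' strings."""
    rows = []
    for line in log.splitlines():
        m = ROW.match(line.strip())
        if m:
            proc, op, path, result, detail = m.groups()
            flags = {f"{k}={v.strip()}" for k, vals in FIELD.findall(detail)
                     for v in vals.split(",")}
            rows.append((proc, op, path, result, flags))
    return rows

def split_reparses(log):
    """Split REPARSE creates: followed by the same process's successful create elsewhere, or not."""
    rows, followed, dropped = parse(log), [], []
    for i, (proc, op, path, result, flags) in enumerate(rows):
        if op == "CreateFile" and result == "REPARSE":
            nxt = next((r for r in rows[i + 1:] if r[0] == proc and r[1] == "CreateFile"), None)
            ok = nxt is not None and nxt[3] == "SUCCESS" and nxt[2] != path
            (followed if ok else dropped).append(flags)
    return followed, dropped

def only_in_dropped(log):
    """Flags common to every dropped reparse and absent from every followed one."""
    followed, dropped = split_reparses(log)
    if not followed or not dropped:
        return set()
    return set.intersection(*dropped) - set.union(*followed)

# Constructed sample: rows copied from the Procmon output quoted in the post.
SAMPLE = r"""MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Disallow Exclusive, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Superseded
MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Disallow Exclusive, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
MicrosoftEdge.exe CloseFile X:\Users\Admin SUCCESS
MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Superseded
MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"""

if __name__ == "__main__":
    print(sorted(only_in_dropped(SAMPLE)))
```

On the rows quoted in the post, the parameters unique to the creates that never reach X: are the desired access, the Create disposition, the Directory option and the allocation size.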

Comments

  • ntdeveloper31 Member Posts: 43
    Any idea guys why reparse might be failing? I'm not making changes anywhere apart from the filename in the target file object.

    Thanks
  • ntdeveloper31 Member Posts: 43
    edited September 2019

    Here's the simplified version of procmon logs with my fs redirection mini-filter loaded:

    MicrosoftEdgeCP.exe (FAILURE LOGS)

    MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE
    MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE
    MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE
    MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE
    MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE

    MicrosoftEdge.exe (SUCCESS LOGS)

    MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE
    MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS
    MicrosoftEdge.exe CloseFile X:\Users\Admin SUCCESS
    MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE
    MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS
    MicrosoftEdge.exe CloseFile X:\Users\Admin SUCCESS

    During the debugging session, I debugged the call stack backwards meaning I put the break-point wherein I receive the original Create request and change its IoStatus.Status to STATUS_REPARSE and then executed 1 instruction at a time. I can see that in the stack, Filter manager's PerformPreCallback is never called again for the corresponding new Create request.

    Does anyone have any insights on this?

    Thanks in advance.

  • rod_widdowson Member - All Emails Posts: 1,131

    Does anyone have any insights on this

    No, but you might want to set a break on read access breakpoint in Iosb->Status

  • ntdeveloper31 Member Posts: 43

    Thanks rod_widdowson for getting back.

    @rod_widdowson said:

    Does anyone have any insights on this

    No, but you might want to set a break on read access breakpoint in Iosb->Status

    Can you please elaborate a bit more on this?

  • rod_widdowson Member - All Emails Posts: 1,131

    When you have set STATUS_REPARSE, find the address and do a ba r 4 <Address>

    Windbg will then stop every time that (virtual) address is accessed. That might be a faster way to detect when the working flow diverges from the failing one and thus work out what's happening and why....

    Just a thought tho'
