Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Hide some Directory Change Notification

bastien_thonnatbastien_thonnat Member Posts: 26

Hi !

When my minifilter apply change on file, obviously, the File System push some directory change notification,
1) Is there a way to tell the File System that my action need to be hidden ? (I guess I already know the answer from the FastFAT sample ...)

I think I could intercept IRP_MN_NOTIFY_CHANGE_DIRECTORY and try to remove my notifications, with countless difficulties , butI don't like this idea as it is error-prone.
2) If the user buffer is too small to catch this notifications, in the post operation, will the returned buffer length be 0 like ReadDirectoryChangesW or could I remove some notifications before that ?

Thank you !

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,198

    There's one very narrow option in that GUID_ECP_ATOMIC_CREATE allows you to suppress directory change notifications (DCN) of the newly created file. AFAIK this is TH2 + NTFS only.

    We once had a filter that triggered what I lovingly referred to as "DCN Hell": the simple act of someone opening a file caused our filter to trigger a DCN. Some apps (e.g. Visual Studio) use the DCN to determine if the file has been modified, so this caused an infinite loop as the app kept opening the file, triggering the DCN, and then opening the file again.

    Trying to parse the DCN buffer to remove the offending entry turned out to be a complete and total nightmare. The request comes in as METHOD_NEITHER and by the time it completes it can still be METHOD_NEITHER or converted to either METHOD_BUFFERED or METHOD_DIRECT by the FsRtl package (which was a big surprise). In the METHOD_NEITHER and METHOD_DIRECT cases you need to worry about TOCTOU as you walk the structure on completion. I definitely lost hairs over this...

    Just looked and that was in 2011-2012. I would never resurrect or write this code again...So, my question would be: is the fact that this triggers the app's DCN really that bad? Does the file look different from the app perspective after your modifications? If yes I'd say the DCN is a good thing.

    -scott
    OSR

  • bastien_thonnatbastien_thonnat Member Posts: 26

    Thank you Scott,

    I was afraid of this reply, I will play with GUID_ECP_ATOMIC_CREATE to see if my freeze come from the DCN, and if it come from the DCN, it will be my turn to lost my hairs...

  • bastien_thonnatbastien_thonnat Member Posts: 26

    And another question GUID_ECP_ATOMIC_CREATE is used in case of create, in case of modifications (write/flush/attributes/...) is there a way to not trig DCN ?

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,198

    My understanding is that it just doesn't trigger the DCN on the create, so I don't **think ** it hides further modifications to the file. I haven't explored that particular case though so not sure.

    Aside: we have a simple utility to watch DCNs on GitHub. Doesn't do anything special but saves you from having to write it yourself.

    -scott
    OSR

  • bastien_thonnatbastien_thonnat Member Posts: 26

    Yep, I will play with it and see what I get.

    Thank you Scott !

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 21 Oct 2019 OSR Seminar Space & ONLINE
Internals & Software Drivers 18 Nov 2019 Dulles, VA
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 27 Apr 2020 OSR Seminar Space & ONLINE