
Local SMB request

Pavel_S Member Posts: 78

Hi folks.

I have a simple minifilter driver that is intercepting PreCreate.

  1. If one uses a "local" UNC path to a given share (e.g. using loopback \ inside my minifilter I see two requests: one coming from the application that is issuing NtCreateFile (which is obvious). My driver is intercepting this call.
    After that (here is my question, to confirm whether my understanding is correct) fltmgr will redirect this request to Mup (as the parsed path will look MUP-alike) and it will go through SMB. A few cycles later I can see srv2 is opening the same file, but this time the file is properly resolved to a local path. I understand that right after the "first" fltmgr call the system is reparsing this request to use SMB - correct?

  2. As I can see, a request coming from SMB is in fact always executed in SYSTEM thread context. I understand this is because there is a thread/pool of threads working on behalf of SMB that are serving incoming requests from outside - is that correct (srv2!RfspThreadPoolNodeWorkerRun)?

  3. I presume I know what the answer will be, but ;) ... is it possible to somehow find the ProcessId on behalf of which a given (in fact local) SMB request is being performed? (I'm talking about really local SMB requests.)

Some explanation.
My minifilter is working just fine with pre-create on really local requests. Once I started to use loopback to access files, some issues arose because I cannot find what the real accessed path is - in other words - I cannot map the UNC path to a local drive (I guess a post callback would have it resolved already). If, however, I could process the SMB requests which contain the local path (but I cannot find the real requestor ID), it would be enough.


