
Any benefit on attaching to FLT_FSTYPE_RAW volumes in a minifilter?

brad_H Member Posts: 168

We have a minifilter that basically needs to get notified of every file access on the machine and potentially scan them.

My question is: what type of file accesses will we miss if we don't attach to FLT_FSTYPE_RAW? Do we really need to also attach to FLT_FSTYPE_RAW?

And what type of volumes will become FLT_FSTYPE_RAW instead of something normal like FLT_FSTYPE_NTFS?

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,590

    Device Objects for disk, tape, and CD-ROM devices have a Volume Parameter Block (VPB). The first time someone tries to open one of these devices the I/O Manager checks to see if there's currently a file system mounted over the device (VPB_MOUNTED set). If not, the I/O Manager goes through the file system recognition process.

    The I/O Manager calls the file systems one by one to see if the media is formatted with their file system. If it is, they create a new device object, wire it into the VPB, and set the mounted flag. Now the I/O requests go to the top of the file system stack instead of the media device stack.

    Now, what happens when no file system claims the device? Well, the I/O Manager has a "Raw File System" that claims the device if no one else does. This file system only supports device opens and not individual files.

    There are primarily two cases where you see this happening:

    1. An unformatted volume
    2. Someone opening a disk device directly (e.g. \\.\PhysicalDrive0). This shows up as raw because the disk isn't formatted with a file system. Instead, the disk has partitions and those partitions have the file system.

    Lots of minifilters ignore raw and are OK doing so.

    -scott
    OSR
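
The mount sequence described in the answer above, as an added user-mode model (not code from the thread, OSR, or the WDK): it goes slightly beyond the post by also showing the attach decision the question asks about. The `MODEL_*` types, the `Model*` functions, the OEM-ID-only recognizers, and the sample sectors are assumptions made for illustration; only the names `FLT_FSTYPE_*` and `VPB_MOUNTED` are borrowed from Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model-local stand-ins named after the WDK symbols; values are not taken from the headers. */
typedef enum { FLT_FSTYPE_RAW, FLT_FSTYPE_NTFS, FLT_FSTYPE_EXFAT } FLT_FILESYSTEM_TYPE;
#define VPB_MOUNTED 0x0001

typedef struct { uint16_t Flags; FLT_FILESYSTEM_TYPE MountedFs; } MODEL_VPB;
typedef struct { const uint8_t *Sector0; MODEL_VPB Vpb; } MODEL_DEVICE;

/* Simplified recognizers: match only the 8-byte OEM ID at offset 3 of sector 0.
   Real file systems validate much more before they claim a volume. */
static const struct { FLT_FILESYSTEM_TYPE Type; const char *OemId; } Recognizers[] = {
    { FLT_FSTYPE_NTFS, "NTFS    " }, { FLT_FSTYPE_EXFAT, "EXFAT   " },
};

/* Device open: if the VPB is not mounted, ask each file system in turn; RAW claims the rest. */
FLT_FILESYSTEM_TYPE ModelOpenDevice(MODEL_DEVICE *Dev)
{
    if (Dev->Vpb.Flags & VPB_MOUNTED)
        return Dev->Vpb.MountedFs;          /* already mounted: no recognition pass */
    Dev->Vpb.MountedFs = FLT_FSTYPE_RAW;    /* fallback when nobody recognizes the media */
    for (size_t i = 0; i < sizeof Recognizers / sizeof Recognizers[0]; i++)
        if (memcmp(Dev->Sector0 + 3, Recognizers[i].OemId, 8) == 0)
            Dev->Vpb.MountedFs = Recognizers[i].Type;
    Dev->Vpb.Flags |= VPB_MOUNTED;
    return Dev->Vpb.MountedFs;
}

/* The choice a file-scanning minifilter can make at instance setup: RAW has no files to scan. */
int ModelShouldAttach(FLT_FILESYSTEM_TYPE Fs) { return Fs != FLT_FSTYPE_RAW; }

/* Constructed sample sectors (not captured from real media). */
static const uint8_t NtfsPartition[512]   = { 0xEB, 0x52, 0x90, 'N','T','F','S',' ',' ',' ',' ' };
static const uint8_t UnformattedVol[512]  = { 0 };
static const uint8_t PartitionedDisk[512] = { [510] = 0x55, [511] = 0xAA }; /* table, no FS */

int main(void)
{
    const uint8_t *Media[] = { NtfsPartition, UnformattedVol, PartitionedDisk };
    const char *Names[] = { "NTFS partition", "unformatted volume", "whole disk" };
    for (int i = 0; i < 3; i++) {
        MODEL_DEVICE Dev = { Media[i], { 0, FLT_FSTYPE_RAW } };
        FLT_FILESYSTEM_TYPE Fs = ModelOpenDevice(&Dev);
        printf("%-18s fs=%d attach=%d\n", Names[i], (int)Fs, ModelShouldAttach(Fs));
    }
    return 0;
}
```
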

  • brad_H Member Posts: 168

    @Scott_Noone_(OSR) said:
    Device Objects for disk, tape, and CD-ROM devices have a Volume Parameter Block (VPB). The first time someone tries to open one of these devices the I/O Manager checks to see if there's currently a file system mounted over the device (VPB_MOUNTED set). If not, the I/O Manager goes through the file system recognition process.

    The I/O Manager calls the file systems one by one to see if the media is formatted with their file system. If it is, they create a new device object, wire it into the VPB, and set the mounted flag. Now the I/O requests go to the top of the file system stack instead of the media device stack.

    Now, what happens when no file system claims the device? Well, the I/O Manager has a "Raw File System" that claims the device if no one else does. This file system only supports device opens and not individual files.

    I've read about VPB many many times, and it always confused me, and this is the best explanation I've read regarding it. So thank you, now I finally get it.

  • Scott_Noone_(OSR) Administrator Posts: 3,590
    Excellent! Glad that helped.

    -scott
    OSR
