OSR NTFSD forum
Extended attributes and reparse points

GarethGriffiths Member Posts: 2

We have a filter providing an HSM via reparse point, but we are finding increasing use of EAs by some anti-malware products. We propose to remove the EA when we 'stub' a file (remove primary data and add a reparse point) but replace the EA if the file is accessed, causing us to 'unstub' the file (restore primary data and remove the reparse point). Has anyone else tried this, or does anyone see major issues with it?

Comments

  • Dejan_Maksimovic Member Posts: 589 (via Email)
    If you need to work with different AVs, you cannot imagine even 10% of cases. Whatever can go wrong will go wrong at the worst time: no logging, but data loss.

    I am surprised AVs/AMs use EAs. Does it remove a reparse tag?
    I can see quite a few reentry issues with AVs here, if you remove their
    tags even momentarily.

    Dejan.
  • Scott_Noone_(OSR) Administrator Posts: 3,631
  • GarethGriffiths Member Posts: 2

    @Scott_Noone_(OSR) We are seeing both. Kernel ones on Azure, but regular ones set by a security product (am I allowed to name vendors here?)

  • Scott_Noone_(OSR) Administrator Posts: 3,631

    Kernel Purge EAs are generally used by A/Vs to avoid scanning files that haven't changed (e.g. across reboots). IMO it doesn't make sense to restore these given that the file may have changed "in the cloud" since the last local scan.

    For normal EAs there's no right answer...They're a pretty fragile mechanism for storing anything important given that they're lost when copying to file systems that don't support them (e.g. FAT32). I'd be inclined to just leave them on the local stub file/reparse point and not bother saving/restoring them.

    And, FWIW, having written two HSM filters we've never saved/deleted/restored EAs. This also appears to be the policy of the Cloud Filter, which doesn't necessarily mean it's "right" but just another example.

    -scott
    OSR
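
Since the thread turns on the difference between $Kernel.Purge.* and ordinary EAs, here is an added example (not code from the thread, from OSR, or from any HSM product) that walks a FILE_FULL_EA_INFORMATION list, the buffer format returned by NtQueryEaFile/FltQueryEa and consumed by NtSetEaFile/FltSetEa, classifies each entry by name prefix, and applies the policy Scott suggests: leave ordinary EAs on the stub and never carry a $Kernel.Purge.* EA across a stub/unstub cycle. It is portable user-mode C with the entry layout redeclared from ntifs.h so it builds off-Windows; the sample list is constructed inline and its EA names are invented. The walker bounds-checks every field because in a filter the same buffer arrives from user mode on IRP_MJ_SET_EA and cannot be trusted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One FILE_FULL_EA_INFORMATION entry (ntifs.h): an 8-byte header, the
 * NUL-terminated name, then EaValueLength value bytes right after the NUL.
 * Entries start on 4-byte boundaries; NextEntryOffset is 0 on the last one.
 * Offsets are spelled out so the code builds off-Windows with explicit
 * little-endian byte order. */
#define EA_HDR          8u
#define EA_OFF_NEXT     0u   /* uint32_t NextEntryOffset */
#define EA_OFF_NAMELEN  5u   /* uint8_t  EaNameLength, excluding the NUL (Flags is at 4) */
#define EA_OFF_VALUELEN 6u   /* uint16_t EaValueLength */
#define EA_OFF_NAME     8u   /* char     EaName[] */

typedef enum { EA_NORMAL = 0, EA_KERNEL = 1, EA_KERNEL_PURGE = 2 } ea_class;

static uint32_t get_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t get_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_u32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* NTFS stores EA names upper-cased, so the prefix test is case-insensitive. */
static int has_prefix_ci(const char *name, size_t len, const char *prefix) {
    size_t plen = strlen(prefix);
    if (len < plen) return 0;
    for (size_t i = 0; i < plen; i++) {
        unsigned char a = (unsigned char)name[i], b = (unsigned char)prefix[i];
        if (a >= 'a' && a <= 'z') a = (unsigned char)(a - 32);
        if (b >= 'a' && b <= 'z') b = (unsigned char)(b - 32);
        if (a != b) return 0;
    }
    return 1;
}

/* $Kernel.* names are reserved for kernel-mode callers; $Kernel.Purge.* names
 * are additionally dropped by the file system when the data stream changes,
 * which is what makes them usable as "already scanned, unchanged" markers. */
ea_class classify_ea(const char *name, size_t len) {
    if (has_prefix_ci(name, len, "$Kernel.Purge.")) return EA_KERNEL_PURGE;
    if (has_prefix_ci(name, len, "$Kernel."))       return EA_KERNEL;
    return EA_NORMAL;
}

/* Policy from the thread: everything stays on the stub untouched except a
 * $Kernel.Purge.* EA, which must not be restored because the data it vouched
 * for may have changed remotely while the file was stubbed. */
int ea_survives_stub_cycle(const char *name, size_t len) {
    return classify_ea(name, len) != EA_KERNEL_PURGE;
}

typedef void (*ea_visit)(const char *name, size_t nlen, const uint8_t *val, size_t vlen, void *ctx);

/* Walk a list; returns the entry count, or -1 if the list is malformed.
 * NextEntryOffset and both lengths are validated against buf_len before use. */
int walk_ea_list(const uint8_t *buf, size_t buf_len, ea_visit visit, void *ctx) {
    size_t off = 0;
    int n = 0;
    for (;;) {
        if (buf_len - off < EA_HDR) return -1;
        uint32_t next = get_u32le(buf + off + EA_OFF_NEXT);
        size_t nlen = buf[off + EA_OFF_NAMELEN];
        size_t vlen = get_u16le(buf + off + EA_OFF_VALUELEN);
        size_t need = EA_HDR + nlen + 1 + vlen;
        if (buf_len - off < need) return -1;
        const char *name = (const char *)(buf + off + EA_OFF_NAME);
        if (name[nlen] != '\0') return -1;             /* terminator missing */
        if (visit) visit(name, nlen, (const uint8_t *)name + nlen + 1, vlen, ctx);
        n++;
        if (next == 0) break;                           /* last entry */
        if (next < need || (next & 3u) != 0 || next >= buf_len - off) return -1;
        off += next;
    }
    return n;
}

/* Append an entry to a list being built; returns the new length, or 0 if it
 * does not fit. prev_off is the previous entry, whose NextEntryOffset is
 * patched from 0 to the padded distance. */
size_t ea_append(uint8_t *buf, size_t cap, size_t len, size_t *prev_off,
                 const char *name, const void *value, uint16_t vlen) {
    size_t nlen = strlen(name);
    size_t need = EA_HDR + nlen + 1 + vlen;
    size_t padded = (need + 3u) & ~(size_t)3u;
    if (nlen > 255 || len > cap || cap - len < padded) return 0;
    if (len > 0) put_u32le(buf + *prev_off + EA_OFF_NEXT, (uint32_t)(len - *prev_off));
    memset(buf + len, 0, padded);
    buf[len + EA_OFF_NAMELEN]      = (uint8_t)nlen;
    buf[len + EA_OFF_VALUELEN]     = (uint8_t)(vlen & 0xff);
    buf[len + EA_OFF_VALUELEN + 1] = (uint8_t)(vlen >> 8);
    memcpy(buf + len + EA_OFF_NAME, name, nlen);
    memcpy(buf + len + EA_OFF_NAME + nlen + 1, value, vlen);
    *prev_off = len;
    return len + padded;
}

/* Constructed sample list; the EA names are invented for this example. */
size_t build_sample_list(uint8_t *buf, size_t cap) {
    size_t len = 0, prev = 0;
    len = ea_append(buf, cap, len, &prev, "$KERNEL.PURGE.EXAMPLESCANCACHE", "\x01\x00\x00\x00", 4);
    if (len) len = ea_append(buf, cap, len, &prev, "$KERNEL.EXAMPLEMARK", "v1", 2);
    if (len) len = ea_append(buf, cap, len, &prev, "EXAMPLE.TAG", "classified", 10);
    return len;
}

static void tally(const char *name, size_t nlen, const uint8_t *val, size_t vlen, void *ctx) {
    (void)val; (void)vlen;
    ((int *)ctx)[classify_ea(name, nlen)]++;
}

/* Count entries per class; returns the total, or -1 for a malformed list. */
int count_by_class(const uint8_t *buf, size_t len, int counts[3]) {
    counts[0] = counts[1] = counts[2] = 0;
    return walk_ea_list(buf, len, tally, counts);
}

static void show(const char *name, size_t nlen, const uint8_t *val, size_t vlen, void *ctx) {
    static const char *label[] = { "normal", "kernel", "kernel-purge" };
    (void)val; (void)ctx;
    printf("%-32.*s %-12s %2zu-byte value  %s\n", (int)nlen, name, label[classify_ea(name, nlen)],
           vlen, ea_survives_stub_cycle(name, nlen) ? "leave on stub" : "drop, do not restore");
}

int main(void) {
    uint8_t buf[256];
    size_t len = build_sample_list(buf, sizeof buf);
    printf("%d entries, %zu bytes\n", walk_ea_list(buf, len, show, NULL), len);
    /* A truncated buffer must be rejected rather than read past its end. */
    printf("truncated list -> %d\n", walk_ea_list(buf, len - 5, NULL, NULL));
    return 0;
}
```

The walker rejects a NextEntryOffset that is smaller than the entry it belongs to, unaligned, or pointing past the buffer, and a name whose terminator is missing; a filter that forwards a user-supplied EA list to the file system after inspecting it needs exactly these checks before reading any field.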
