FltGetFileNameInformation failed with 0xc000003a

NtDev_Geek Member - All Emails Posts: 128

FltGetFileNameInformation failed with PreCreate: failed with status = 0xc000003a when trying to open notepad.exe in precreate().
The same is working fine on Windows 11. On Windows 10, it's not.
Trying to figure out why? I changed the name options flags as per MSDN and tried combinations of different flags, but the issue persists.
What else could be tried here? Can anyone please help me with some pointers?
I can see that on Win10, the path to Notepad.exe is C:\Windows\system32\notepad.exe, while on Win11, it is not.

I appreciate any help you can provide.
Thank you.

Comments

  • Dejan_Maksimovic Member - All Emails Posts: 636
    via Email
    Do you have ProcMon output perhaps?

    Are you sure it is the actual open? What is FileName in the
    Data->TargetFileObject exactly?
  • NtDev_Geek Member - All Emails Posts: 128

    ProcMon output: not showing notepad.exe.
    Can't see "IRP_MJ_CREATE" for c:\Windows\System32\notepad.exe, rather notepad.exe.local (what is it?), failed with the name not found.

    I am trying to block an exe, not particularly Notepad, based on some user-defined policy.
    What I did: in precreate(), I checked the abs path, and if that path contains that exe, access is denied. The code works fine on Win11 for any app of the defined policy, but on Win10, the code fails for every policy path. Is it something related to query IRP?

    I haven't been able to figure out what I am doing wrong. I suspect I have to handle memory-mapped I/O also to make it work. But why? Maybe this will not work here with a path match.

    Thank you for the help.
    Best Regards.

  • Dejan_Maksimovic Member - All Emails Posts: 636
    What fails with path not found then, according to ProcMon?
    We need more info to even guess. That error code is quite specific, the open is for a nonexistent path, and it will fail anyway.

    So you are looking at the wrong open, or already corrupted the memory.

    Memory mapping has nothing to do with file names during open.

    .local is some metadata file, that rarely exists. Also not related to file name query in your case.

    Dejan.
  • NtDev_Geek Member - All Emails Posts: 128

    Thank you for the help.
    I figured out that the problem was not with FltGet*** but with case sensitivity in my comparison.

    Thank you.
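
The resolution above, as an added example that is not code from the thread or from OSR: a portable user-mode C model of a policy match that ignores case, so that the `system32` and `System32` spellings seen in the thread hit the same policy entry. The `USTR` type, the policy list, the `\Device\HarddiskVolume3` prefix and the function names are constructed for illustration; in a driver the comparison would run on the `UNICODE_STRING` returned by `FltGetFileNameInformation`, using a case-insensitive routine such as `RtlEqualUnicodeString` with `CaseInSensitive` set to `TRUE`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

/* Stand-in for the kernel's counted UNICODE_STRING (constructed type;
   the real structure counts Length in bytes, this model in characters). */
typedef struct { size_t Chars; const wchar_t *Buffer; } USTR;

static USTR ustr(const wchar_t *s) {
    USTR u = { wcslen(s), s };
    return u;
}

/* ASCII-only fold to keep the model short; the kernel routines fold
   with the system upcase table instead. */
static wchar_t upcase(wchar_t c) {
    return (c >= L'a' && c <= L'z') ? (wchar_t)(c - (L'a' - L'A')) : c;
}

/* True when `name` ends with `suffix`; ignore_case selects the comparison. */
static bool ends_with(USTR name, USTR suffix, bool ignore_case) {
    if (suffix.Chars > name.Chars) return false;
    const wchar_t *tail = name.Buffer + (name.Chars - suffix.Chars);
    for (size_t i = 0; i < suffix.Chars; i++) {
        wchar_t a = tail[i], b = suffix.Buffer[i];
        if (ignore_case) { a = upcase(a); b = upcase(b); }
        if (a != b) return false;
    }
    return true;
}

/* Constructed policy: volume-relative paths, each starting with '\' so a
   suffix match always begins on a path-component boundary. */
static const wchar_t *const kPolicy[] = {
    L"\\Windows\\system32\\notepad.exe",
    L"\\Tools\\blocked.exe",
};

/* Decision a pre-create callback would make for the opened file name. */
bool policy_denies(USTR opened_name, bool ignore_case) {
    for (size_t i = 0; i < sizeof kPolicy / sizeof kPolicy[0]; i++)
        if (ends_with(opened_name, ustr(kPolicy[i]), ignore_case))
            return true;
    return false;
}
```

With `ignore_case` set to `false` the policy entry spelled `system32` does not match an open that arrives as `System32`, so the block silently never fires for that path.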
