Need a simple example for filter driver

Hello All,
Does anyone have an example of a filter driver that will block writes
or reads from
being passed on to the file system. I really need an example to go by. Any
help
would be appreciated !!!

David Mack

You will get a Filemonitor application on the site systeminternals.com
which a good example of filter driver, .
-----Original Message-----
From: David Mack
To: File Systems Developers
Date: Tuesday, April 11, 2000 10:25 PM
Subject: [ntfsd] Need a simple example for filter driver

>
>Hello All,
> Does anyone have an example of a filter driver that will block writes
>or reads from
>being passed on to the file system. I really need an example to go by.
Any
>help
>would be appreciated !!!
>
>David Mack
>
>
>—
>You are currently subscribed to ntfsd as: amitg@i3-micro.com
>To unsubscribe send a blank email to $subst(‘Email.Unsub’)
>
>

I have looked at that filemon but it doesn’t really show me how to cancel a
write IRP.
I am definitely doing it wrong cause I’m getting blue screens randomly from
my driver.
If anyone has an example of that, maybe that would help.

What I am looking for is a snippet of code that will do the following.
Say I want to block all files that have the .dat extension from going to
hard disk.
When the IRP comes down to write, I want to check the extension and cancel
the IRP.

Even if the example doesn’t do this anything close would be of help.
Once again, thanks for the replies

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Amit Gorantiwar
Sent: Wednesday, April 12, 2000 5:07 AM
To: File Systems Developers
Subject: [ntfsd] Re: Need a simple example for filter driver

You will get a Filemonitor application on the site systeminternals.com
which a good example of filter driver, .
-----Original Message-----
From: David Mack
To: File Systems Developers
Date: Tuesday, April 11, 2000 10:25 PM
Subject: [ntfsd] Need a simple example for filter driver

>
>Hello All,
> Does anyone have an example of a filter driver that will block writes
>or reads from
>being passed on to the file system. I really need an example to go by.
Any
>help
>would be appreciated !!!
>
>David Mack
>
>
>—
>You are currently subscribed to ntfsd as: amitg@i3-micro.com
>To unsubscribe send a blank email to $subst(‘Email.Unsub’)
>
>


You are currently subscribed to ntfsd as: xxxxx@infoseerinc.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)

The time the write IRP is received is too late to look at the filename.
It is not guaranteed to be in the file object. Look at the filename
during the create IRP, and remember it somehow.

To avoid confusing applications hopelessly, you may want to check the
requested access permissions during the create, and fail the create IRP
if write access is requested. Allowing a file to be opened for write
access and then failing the writes is … unconventional?

I don’t know how you’re cancelling the IRP – just complete it with an
error status.

You may also have to hook the fast-IO path also – not all writes use IRPs.


Dave Cox
Hewlett-Packard Co.
HPSO/SSMO (Santa Barbara)
https://ecardfile.com/id/Dave+Cox

-----Original Message-----
From: David Mack [mailto:xxxxx@infoseerinc.com]
Sent: Wednesday, April 12, 2000 7:42 AM
To: File Systems Developers
Subject: [ntfsd] Re: Need a simple example for filter driver

I have looked at that filemon but it doesn’t really show me how to cancel a
write IRP.
I am definitely doing it wrong cause I’m getting blue screens randomly from
my driver.
If anyone has an example of that, maybe that would help.

What I am looking for is a snippet of code that will do the following.
Say I want to block all files that have the .dat extension from going to
hard disk.
When the IRP comes down to write, I want to check the extension and cancel
the IRP.

Even if the example doesn’t do this anything close would be of help.
Once again, thanks for the replies

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Amit Gorantiwar
Sent: Wednesday, April 12, 2000 5:07 AM
To: File Systems Developers
Subject: [ntfsd] Re: Need a simple example for filter driver

You will get a Filemonitor application on the site systeminternals.com
which a good example of filter driver, .
-----Original Message-----
From: David Mack
To: File Systems Developers
Date: Tuesday, April 11, 2000 10:25 PM
Subject: [ntfsd] Need a simple example for filter driver

>
>Hello All,
> Does anyone have an example of a filter driver that will block writes
>or reads from
>being passed on to the file system. I really need an example to go by.
Any
>help
>would be appreciated !!!
>
>David Mack
>
>
>—
>You are currently subscribed to ntfsd as: amitg@i3-micro.com
>To unsubscribe send a blank email to $subst(‘Email.Unsub’)
>
>


You are currently subscribed to ntfsd as: xxxxx@infoseerinc.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)


You are currently subscribed to ntfsd as: david_cox2@hp.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)

Is it possible to determine if a file is being copied as opposed to being
created from scratch in a driver. I will try looking at the create IRP and
see if that has what I need. I do appreciate everyone’s help. I am new to
driver development so if I am being unconventional it is unintentional I
assure you.

david Mack

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of COX,DAVID
(HP-Roseville,ex1)
Sent: Wednesday, April 12, 2000 12:20 PM
To: File Systems Developers
Subject: [ntfsd] Re: Need a simple example for filter driver

The time the write IRP is received is too late to look at the filename.
It is not guaranteed to be in the file object. Look at the filename
during the create IRP, and remember it somehow.

To avoid confusing applications hopelessly, you may want to check the
requested access permissions during the create, and fail the create IRP
if write access is requested. Allowing a file to be opened for write
access and then failing the writes is … unconventional?

I don’t know how you’re cancelling the IRP – just complete it with an
error status.

You may also have to hook the fast-IO path also – not all writes use IRPs.


Dave Cox
Hewlett-Packard Co.
HPSO/SSMO (Santa Barbara)
https://ecardfile.com/id/Dave+Cox

-----Original Message-----
From: David Mack [mailto:xxxxx@infoseerinc.com]
Sent: Wednesday, April 12, 2000 7:42 AM
To: File Systems Developers
Subject: [ntfsd] Re: Need a simple example for filter driver

I have looked at that filemon but it doesn’t really show me how to cancel a
write IRP.
I am definitely doing it wrong cause I’m getting blue screens randomly from
my driver.
If anyone has an example of that, maybe that would help.

What I am looking for is a snippet of code that will do the following.
Say I want to block all files that have the .dat extension from going to
hard disk.
When the IRP comes down to write, I want to check the extension and cancel
the IRP.

Even if the example doesn’t do this anything close would be of help.
Once again, thanks for the replies

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Amit Gorantiwar
Sent: Wednesday, April 12, 2000 5:07 AM
To: File Systems Developers
Subject: [ntfsd] Re: Need a simple example for filter driver

You will get a Filemonitor application on the site systeminternals.com
which a good example of filter driver, .
-----Original Message-----
From: David Mack
To: File Systems Developers
Date: Tuesday, April 11, 2000 10:25 PM
Subject: [ntfsd] Need a simple example for filter driver

>
>Hello All,
> Does anyone have an example of a filter driver that will block writes
>or reads from
>being passed on to the file system. I really need an example to go by.
Any
>help
>would be appreciated !!!
>
>David Mack
>
>
>—
>You are currently subscribed to ntfsd as: amitg@i3-micro.com
>To unsubscribe send a blank email to $subst(‘Email.Unsub’)
>
>


You are currently subscribed to ntfsd as: xxxxx@infoseerinc.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)


You are currently subscribed to ntfsd as: david_cox2@hp.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)


You are currently subscribed to ntfsd as: xxxxx@infoseerinc.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)

Hi,

SFILTER from Rajiv Nagar’s book “NT FileSystem Internals” can do this it
taps all the requests going to the mounted volumes.
All the requests will land on “SFilterDefaultDispatch” routine in dispatch.c
file.Probably you can filter all write requests and get the
filename from the fileobject.

Regards,
Kishore Inampudi

From: “David Mack”
>Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] Re: Need a simple example for filter driver
>Date: Wed, 12 Apr 2000 09:41:33 -0500
>
>I have looked at that filemon but it doesn’t really show me how to cancel a
>write IRP.
>I am definitely doing it wrong cause I’m getting blue screens randomly from
>my driver.
>If anyone has an example of that, maybe that would help.
>
>What I am looking for is a snippet of code that will do the following.
>Say I want to block all files that have the .dat extension from going to
>hard disk.
>When the IRP comes down to write, I want to check the extension and cancel
>the IRP.
>
>Even if the example doesn’t do this anything close would be of help.
>Once again, thanks for the replies
>
>
>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com]On Behalf Of Amit Gorantiwar
>Sent: Wednesday, April 12, 2000 5:07 AM
>To: File Systems Developers
>Subject: [ntfsd] Re: Need a simple example for filter driver
>
>
>You will get a Filemonitor application on the site systeminternals.com
>which a good example of filter driver, .
>-----Original Message-----
>From: David Mack
>To: File Systems Developers
>Date: Tuesday, April 11, 2000 10:25 PM
>Subject: [ntfsd] Need a simple example for filter driver
>
>
> >
> >Hello All,
> > Does anyone have an example of a filter driver that will block
>writes
> >or reads from
> >being passed on to the file system. I really need an example to go by.
>Any
> >help
> >would be appreciated !!!
> >
> >David Mack
> >
> >
> >—
> >You are currently subscribed to ntfsd as: amitg@i3-micro.com
> >To unsubscribe send a blank email to $subst(‘Email.Unsub’)
> >
> >
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@infoseerinc.com
>To unsubscribe send a blank email to $subst(‘Email.Unsub’)
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com
>To unsubscribe send a blank email to $subst(‘Email.Unsub’)
>

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

I guess I’m talking about what you mean. If you want to cancel an IRP
you have to do this :
IRP->Status = STATUS_ACCESS_DENIED; // or some other error code
IoCompleteIrp(IRP);
return STATUS_ACCESS_DENIED;