I am a bit new to the FS world. And i started off by studying the book called Windows NT File system internals.
The task i have in hand is to develop an access control minifilter.
After doing some searching on this forum i realized that it is better to start with a basic minifilter.
So, I started off with minispy.
I observed the following and would really appreciate if someone could help me out:
There is a comment “// NOTE: By default, we use the query method
// FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP
// because MiniSpy would like to get the name as much as possible, but
// can cope if we can’t retrieve a name. For a debugging type filter,
// like Minispy, this is reasonable, but for most production filters
// who need names reliably, they should query the name at times when it
// is known to be safe and use the query method
// FLT_FILE_NAME_QUERY_DEFAULT.”
What should i do to ensure that i can always get the name? What are the various ways?
I have observed that FltGetFileNameInformation sometimes fails in Read, Write and Close callbacks.
Then i went back to the documentation and crosschecked that it was failing in case of Pagind I/O.
And there is something written that the name cannot be queried after the IRP_MJ_CLEANUP operation, so probably that is why it is failing in PreClose callback.
How can i get the name in PreRead (Paging), PreWrite (Paging) and PreClose?
I used to query it in create and than have it in some context. Not sure whether we did this because of what you mentioned or because of our architecture but it works.
Beware of the performance hit of calling FltGetFileNameInformation. It’s like attaching a 50 pound weight to your leg and then running a marathon. So, call that function as little as possible. I only call it for cases I can’t easily handle (short file names that I want normalized, etc).
You want to get the file name in pre-create b/c that’s the only place the FileName field of the FILE_OBJECT is guaranteed to be valid. IMHO, this allows you to avoid calling FltGetFileNameInformation for most cases. I find it faster to parse the FileName field myself than to call this function.
this thread http://www.osronline.com/showthread.cfm?link=158204 has a discussion about what the flag does. You should not try to get the name in every operation. When it is best to get the name depends on what your minifilter is trying to do. You mention you plan to write an access control minifilter so you probably will want to focus on the Create path. If you plan to deny file access based on name then you need get it in preCreate.
You cannot get the name in the paging path or in PreClose. The real question is why do you need the names in the paging path of in PreClose… If your minifilter is only for access control then the best strategy is to block all access to the files you don’t want access in the create path, which means you don’t have to worry about paging operations or PreClose and so on.
Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.
Thank you Alexandru for your reply.
The final objective is to develop a access control minifilter.
But right now i am trying to understand minifilter concepts in a better way
so that i do not make mistakes later.
So i am trying to understand all the concepts involved in minispy. And hence
i asked how to get the names in cases where we cannot directly get names…
More broadly, the question could be what should i do if i am making a basic
profiling minifilter that traces all I/Os. Something like FileMon?
In that case, I need the file name in case of PreClose and Paging read and
write too. How should i get it?
Thanks,
Sam
On 8/21/09, Alexandru Carp wrote: > > 1. this thread http://www.osronline.com/showthread.cfm?link=158204 has a > discussion about what the flag does. You should not try to get the name in > every operation. When it is best to get the name depends on what your > minifilter is trying to do. You mention you plan to write an access control > minifilter so you probably will want to focus on the Create path. If you > plan to deny file access based on name then you need get it in preCreate. > > 2. You cannot get the name in the paging path or in PreClose. The real > question is why do you need the names in the paging path of in PreClose… If > your minifilter is only for access control then the best strategy is to > block all access to the files you don’t want access in the create path, > which means you don’t have to worry about paging operations or PreClose and > so on. > > Regards, > Alex. > This posting is provided “AS IS” with no warranties, and confers no rights. > > — > NTFSD is sponsored by OSR > > For our schedule of debugging and file system seminars > (including our new fs mini-filter seminar) visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
“Sam G” wrote in message news:xxxxx@ntfsd… > Thank you Alexandru for your reply. > The final objective is to develop a access control minifilter. > But right now i am trying to understand minifilter concepts in a better > way > so that i do not make mistakes later. > So i am trying to understand all the concepts involved in minispy. And > hence > i asked how to get the names in cases where we cannot directly get > names… > More broadly, the question could be what should i do if i am making a > basic > profiling minifilter that traces all I/Os. Something like FileMon? > In that case, I need the file name in case of PreClose and Paging read and > write too. How should i get it? > > Thanks, > Sam > > > On 8/21/09, Alexandru Carp wrote: >> >> 1. this thread http://www.osronline.com/showthread.cfm?link=158204 has a >> discussion about what the flag does. You should not try to get the name >> in >> every operation. When it is best to get the name depends on what your >> minifilter is trying to do. You mention you plan to write an access >> control >> minifilter so you probably will want to focus on the Create path. If you >> plan to deny file access based on name then you need get it in preCreate. >> >> 2. You cannot get the name in the paging path or in PreClose. The real >> question is why do you need the names in the paging path of in PreClose… >> If >> your minifilter is only for access control then the best strategy is to >> block all access to the files you don’t want access in the create path, >> which means you don’t have to worry about paging operations or PreClose >> and >> so on. >> >> Regards, >> Alex. >> This posting is provided “AS IS” with no warranties, and confers no >> rights. >> >> — >> NTFSD is sponsored by OSR >> >> For our schedule of debugging and file system seminars >> (including our new fs mini-filter seminar) visit: >> http://www.osr.com/seminars >> >> To unsubscribe, visit the List Server section of OSR Online at >> http://www.osronline.com/page.cfm?name=ListServer >> > > > > Information from ESET NOD32 Antivirus, version of virus > signature database 4356 (20090821) > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > >
Information from ESET NOD32 Antivirus, version of virus signature database 4356 (20090821)
Thank you Don. I am currently looking at the Minispy sample and these doubts
are related to it.
On 8/21/09, Don Burn wrote: > > Look at FileSpy the sample in the WDK that does what you asked for. > > > – > Don Burn (MVP, Windows DKD) > Windows Filesystem and Driver Consulting > Website: http://www.windrvr.com > Blog: http://msmvps.com/blogs/WinDrvr > > > “Sam G” wrote in message news:xxxxx@ntfsd… > > Thank you Alexandru for your reply. > > The final objective is to develop a access control minifilter. > > But right now i am trying to understand minifilter concepts in a better > > way > > so that i do not make mistakes later. > > So i am trying to understand all the concepts involved in minispy. And > > hence > > i asked how to get the names in cases where we cannot directly get > > names… > > More broadly, the question could be what should i do if i am making a > > basic > > profiling minifilter that traces all I/Os. Something like FileMon? > > In that case, I need the file name in case of PreClose and Paging read > and > > write too. How should i get it? > > > > Thanks, > > Sam > > > > > > On 8/21/09, Alexandru Carp wrote: > >> > >> 1. this thread http://www.osronline.com/showthread.cfm?link=158204 has > a > >> discussion about what the flag does. You should not try to get the name > >> in > >> every operation. When it is best to get the name depends on what your > >> minifilter is trying to do. You mention you plan to write an access > >> control > >> minifilter so you probably will want to focus on the Create path. If you > >> plan to deny file access based on name then you need get it in > preCreate. > >> > >> 2. You cannot get the name in the paging path or in PreClose. The real > >> question is why do you need the names in the paging path of in > PreClose… > >> If > >> your minifilter is only for access control then the best strategy is to > >> block all access to the files you don’t want access in the create path, > >> which means you don’t have to worry about paging operations or PreClose > >> and > >> so on. > >> > >> Regards, > >> Alex. > >> This posting is provided “AS IS” with no warranties, and confers no > >> rights. > >> > >> — > >> NTFSD is sponsored by OSR > >> > >> For our schedule of debugging and file system seminars > >> (including our new fs mini-filter seminar) visit: > >> http://www.osr.com/seminars > >> > >> To unsubscribe, visit the List Server section of OSR Online at > >> http://www.osronline.com/page.cfm?name=ListServer > >> > > > > > > > > Information from ESET NOD32 Antivirus, version of virus > > signature database 4356 (20090821) > > > > The message was checked by ESET NOD32 Antivirus. > > > > http://www.eset.com > > > > > > > > Information from ESET NOD32 Antivirus, version of virus > signature database 4356 (20090821) > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > > > > — > NTFSD is sponsored by OSR > > For our schedule of debugging and file system seminars > (including our new fs mini-filter seminar) visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
“Sam G” wrote in message news:xxxxx@ntfsd… > Thank you Don. I am currently looking at the Minispy sample and these > doubts > are related to it. > > On 8/21/09, Don Burn wrote: >> >> Look at FileSpy the sample in the WDK that does what you asked for. >> >> >> – >> Don Burn (MVP, Windows DKD) >> Windows Filesystem and Driver Consulting >> Website: http://www.windrvr.com >> Blog: http://msmvps.com/blogs/WinDrvr >> >> >> “Sam G” wrote in message news:xxxxx@ntfsd… >> > Thank you Alexandru for your reply. >> > The final objective is to develop a access control minifilter. >> > But right now i am trying to understand minifilter concepts in a better >> > way >> > so that i do not make mistakes later. >> > So i am trying to understand all the concepts involved in minispy. And >> > hence >> > i asked how to get the names in cases where we cannot directly get >> > names… >> > More broadly, the question could be what should i do if i am making a >> > basic >> > profiling minifilter that traces all I/Os. Something like FileMon? >> > In that case, I need the file name in case of PreClose and Paging read >> and >> > write too. How should i get it? >> > >> > Thanks, >> > Sam >> > >> > >> > On 8/21/09, Alexandru Carp wrote: >> >> >> >> 1. this thread http://www.osronline.com/showthread.cfm?link=158204 has >> a >> >> discussion about what the flag does. You should not try to get the >> >> name >> >> in >> >> every operation. When it is best to get the name depends on what your >> >> minifilter is trying to do. You mention you plan to write an access >> >> control >> >> minifilter so you probably will want to focus on the Create path. If >> >> you >> >> plan to deny file access based on name then you need get it in >> preCreate. >> >> >> >> 2. You cannot get the name in the paging path or in PreClose. The real >> >> question is why do you need the names in the paging path of in >> PreClose… >> >> If >> >> your minifilter is only for access control then the best strategy is >> >> to >> >> block all access to the files you don’t want access in the create >> >> path, >> >> which means you don’t have to worry about paging operations or >> >> PreClose >> >> and >> >> so on. >> >> >> >> Regards, >> >> Alex. >> >> This posting is provided “AS IS” with no warranties, and confers no >> >> rights. >> >> >> >> — >> >> NTFSD is sponsored by OSR >> >> >> >> For our schedule of debugging and file system seminars >> >> (including our new fs mini-filter seminar) visit: >> >> http://www.osr.com/seminars >> >> >> >> To unsubscribe, visit the List Server section of OSR Online at >> >> http://www.osronline.com/page.cfm?name=ListServer >> >> >> > >> > >> > >> > Information from ESET NOD32 Antivirus, version of virus >> > signature database 4356 (20090821) >> > >> > The message was checked by ESET NOD32 Antivirus. >> > >> > http://www.eset.com >> > >> > >> >> >> >> Information from ESET NOD32 Antivirus, version of virus >> signature database 4356 (20090821) >> >> The message was checked by ESET NOD32 Antivirus. >> >> http://www.eset.com >> >> >> >> >> >> — >> NTFSD is sponsored by OSR >> >> For our schedule of debugging and file system seminars >> (including our new fs mini-filter seminar) visit: >> http://www.osr.com/seminars >> >> To unsubscribe, visit the List Server section of OSR Online at >> http://www.osronline.com/page.cfm?name=ListServer >> > > > > Information from ESET NOD32 Antivirus, version of virus > signature database 4356 (20090821) > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > >
Information from ESET NOD32 Antivirus, version of virus signature database 4356 (20090821)
Thank you Don.
I had thought of saving the file name in stream handle context.
But then i had to handle rename. I thought it was straight forward to handle
rename on that file. But what if the parent directory got renamed?
example:
i am tracking a file c:\dir\mydir\myfile.txt (i have saved its name in the
stream handle context).
But while this file is opened, the directory c:\dir\mydir got renamed to
c:\dir\newdir. How will i update this information in the stream handle
context for the file?
On 8/21/09, Don Burn wrote: > > So if you need the filename after the PreCreate, you should store it in the > StreamContext of the handle the get it from there. > > > – > Don Burn (MVP, Windows DKD) > Windows Filesystem and Driver Consulting > Website: http://www.windrvr.com > Blog: http://msmvps.com/blogs/WinDrvr > > > “Sam G” wrote in message news:xxxxx@ntfsd… > > Thank you Don. I am currently looking at the Minispy sample and these > > doubts > > are related to it. > > > > On 8/21/09, Don Burn wrote: > >> > >> Look at FileSpy the sample in the WDK that does what you asked for. > >> > >> > >> – > >> Don Burn (MVP, Windows DKD) > >> Windows Filesystem and Driver Consulting > >> Website: http://www.windrvr.com > >> Blog: http://msmvps.com/blogs/WinDrvr > >> > >> > >> “Sam G” wrote in message news:xxxxx@ntfsd. > … > >> > Thank you Alexandru for your reply. > >> > The final objective is to develop a access control minifilter. > >> > But right now i am trying to understand minifilter concepts in a > better > >> > way > >> > so that i do not make mistakes later. > >> > So i am trying to understand all the concepts involved in minispy. And > >> > hence > >> > i asked how to get the names in cases where we cannot directly get > >> > names… > >> > More broadly, the question could be what should i do if i am making a > >> > basic > >> > profiling minifilter that traces all I/Os. Something like FileMon? > >> > In that case, I need the file name in case of PreClose and Paging read > >> and > >> > write too. How should i get it? > >> > > >> > Thanks, > >> > Sam > >> > > >> > > >> > On 8/21/09, Alexandru Carp wrote: > >> >> > >> >> 1. this thread http://www.osronline.com/showthread.cfm?link=158204has > >> a > >> >> discussion about what the flag does. You should not try to get the > >> >> name > >> >> in > >> >> every operation. When it is best to get the name depends on what your > >> >> minifilter is trying to do. You mention you plan to write an access > >> >> control > >> >> minifilter so you probably will want to focus on the Create path. If > >> >> you > >> >> plan to deny file access based on name then you need get it in > >> preCreate. > >> >> > >> >> 2. You cannot get the name in the paging path or in PreClose. The > real > >> >> question is why do you need the names in the paging path of in > >> PreClose… > >> >> If > >> >> your minifilter is only for access control then the best strategy is > >> >> to > >> >> block all access to the files you don’t want access in the create > >> >> path, > >> >> which means you don’t have to worry about paging operations or > >> >> PreClose > >> >> and > >> >> so on. > >> >> > >> >> Regards, > >> >> Alex. > >> >> This posting is provided “AS IS” with no warranties, and confers no > >> >> rights. > >> >> > >> >> — > >> >> NTFSD is sponsored by OSR > >> >> > >> >> For our schedule of debugging and file system seminars > >> >> (including our new fs mini-filter seminar) visit: > >> >> http://www.osr.com/seminars > >> >> > >> >> To unsubscribe, visit the List Server section of OSR Online at > >> >> http://www.osronline.com/page.cfm?name=ListServer > >> >> > >> > > >> > > >> > > >> > Information from ESET NOD32 Antivirus, version of virus > >> > signature database 4356 (20090821) > >> > > >> > The message was checked by ESET NOD32 Antivirus. > >> > > >> > http://www.eset.com > >> > > >> > > >> > >> > >> > >> Information from ESET NOD32 Antivirus, version of virus > >> signature database 4356 (20090821) > >> > >> The message was checked by ESET NOD32 Antivirus. > >> > >> http://www.eset.com > >> > >> > >> > >> > >> > >> — > >> NTFSD is sponsored by OSR > >> > >> For our schedule of debugging and file system seminars > >> (including our new fs mini-filter seminar) visit: > >> http://www.osr.com/seminars > >> > >> To unsubscribe, visit the List Server section of OSR Online at > >> http://www.osronline.com/page.cfm?name=ListServer > >> > > > > > > > > Information from ESET NOD32 Antivirus, version of virus > > signature database 4356 (20090821) > > > > The message was checked by ESET NOD32 Antivirus. > > > > http://www.eset.com > > > > > > > > Information from ESET NOD32 Antivirus, version of virus > signature database 4356 (20090821) > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > > > > — > NTFSD is sponsored by OSR > > For our schedule of debugging and file system seminars > (including our new fs mini-filter seminar) visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
If the file is open, or anything else in that directory, I don’t think you
will get a rename.
On Fri, Aug 21, 2009 at 1:26 PM, Sam G wrote:
> Thank you Don. > I had thought of saving the file name in stream handle context. > But then i had to handle rename. I thought it was straight forward to > handle rename on that file. But what if the parent directory got renamed? > example: > i am tracking a file c:\dir\mydir\myfile.txt (i have saved its name in the > stream handle context). > But while this file is opened, the directory c:\dir\mydir got renamed to > c:\dir\newdir. How will i update this information in the stream handle > context for the file? > > > On 8/21/09, Don Burn wrote: > >> So if you need the filename after the PreCreate, you should store it in >> the >> StreamContext of the handle the get it from there. >> >> >> – >> Don Burn (MVP, Windows DKD) >> Windows Filesystem and Driver Consulting >> Website: http://www.windrvr.com >> Blog: http://msmvps.com/blogs/WinDrvr >> >> >> “Sam G” wrote in message news:xxxxx@ntfsd… >> > Thank you Don. I am currently looking at the Minispy sample and these >> > doubts >> > are related to it. >> > >> > On 8/21/09, Don Burn wrote: >> >> >> >> Look at FileSpy the sample in the WDK that does what you asked for. >> >> >> >> >> >> – >> >> Don Burn (MVP, Windows DKD) >> >> Windows Filesystem and Driver Consulting >> >> Website: http://www.windrvr.com >> >> Blog: http://msmvps.com/blogs/WinDrvr >> >> >> >> >> >> “Sam G” wrote in message >> news:xxxxx@ntfsd… >> >> > Thank you Alexandru for your reply. >> >> > The final objective is to develop a access control minifilter. >> >> > But right now i am trying to understand minifilter concepts in a >> better >> >> > way >> >> > so that i do not make mistakes later. >> >> > So i am trying to understand all the concepts involved in minispy. >> And >> >> > hence >> >> > i asked how to get the names in cases where we cannot directly get >> >> > names… >> >> > More broadly, the question could be what should i do if i am making a >> >> > basic >> >> > profiling minifilter that traces all I/Os. Something like FileMon? >> >> > In that case, I need the file name in case of PreClose and Paging >> read >> >> and >> >> > write too. How should i get it? >> >> > >> >> > Thanks, >> >> > Sam >> >> > >> >> > >> >> > On 8/21/09, Alexandru Carp wrote: >> >> >> >> >> >> 1. this thread http://www.osronline.com/showthread.cfm?link=158204has >> >> a >> >> >> discussion about what the flag does. You should not try to get the >> >> >> name >> >> >> in >> >> >> every operation. When it is best to get the name depends on what >> your >> >> >> minifilter is trying to do. You mention you plan to write an access >> >> >> control >> >> >> minifilter so you probably will want to focus on the Create path. If >> >> >> you >> >> >> plan to deny file access based on name then you need get it in >> >> preCreate. >> >> >> >> >> >> 2. You cannot get the name in the paging path or in PreClose. The >> real >> >> >> question is why do you need the names in the paging path of in >> >> PreClose… >> >> >> If >> >> >> your minifilter is only for access control then the best strategy is >> >> >> to >> >> >> block all access to the files you don’t want access in the create >> >> >> path, >> >> >> which means you don’t have to worry about paging operations or >> >> >> PreClose >> >> >> and >> >> >> so on. >> >> >> >> >> >> Regards, >> >> >> Alex. >> >> >> This posting is provided “AS IS” with no warranties, and confers no >> >> >> rights. >> >> >> >> >> >> — >> >> >> NTFSD is sponsored by OSR >> >> >> >> >> >> For our schedule of debugging and file system seminars >> >> >> (including our new fs mini-filter seminar) visit: >> >> >> http://www.osr.com/seminars >> >> >> >> >> >> To unsubscribe, visit the List Server section of OSR Online at >> >> >> http://www.osronline.com/page.cfm?name=ListServer >> >> >> >> >> > >> >> > >> >> > >> >> > Information from ESET NOD32 Antivirus, version of virus >> >> > signature database 4356 (20090821) >> >> > >> >> > The message was checked by ESET NOD32 Antivirus. >> >> > >> >> > http://www.eset.com >> >> > >> >> > >> >> >> >> >> >> >> >> Information from ESET NOD32 Antivirus, version of virus >> >> signature database 4356 (20090821) >> >> >> >> The message was checked by ESET NOD32 Antivirus. >> >> >> >> http://www.eset.com >> >> >> >> >> >> >> >> >> >> >> >> — >> >> NTFSD is sponsored by OSR >> >> >> >> For our schedule of debugging and file system seminars >> >> (including our new fs mini-filter seminar) visit: >> >> http://www.osr.com/seminars >> >> >> >> To unsubscribe, visit the List Server section of OSR Online at >> >> http://www.osronline.com/page.cfm?name=ListServer >> >> >> > >> > >> > >> > Information from ESET NOD32 Antivirus, version of virus >> > signature database 4356 (20090821) >> > >> > The message was checked by ESET NOD32 Antivirus. >> > >> > http://www.eset.com >> > >> > >> >> >> >> Information from ESET NOD32 Antivirus, version of virus >> signature database 4356 (20090821) >> >> The message was checked by ESET NOD32 Antivirus. >> >> http://www.eset.com >> >> >> >> >> >> — >> NTFSD is sponsored by OSR >> >> For our schedule of debugging and file system seminars >> (including our new fs mini-filter seminar) visit: >> http://www.osr.com/seminars >> >> To unsubscribe, visit the List Server section of OSR Online at >> http://www.osronline.com/page.cfm?name=ListServer >> > > — NTFSD is sponsored by OSR For our schedule of debugging and file system > seminars (including our new fs mini-filter seminar) visit: > http://www.osr.com/seminars To unsubscribe, visit the List Server section > of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
I guess it all depends on how you formulate the questions you are trying to answer. Sometimes people get stuck on an implementation detail rather than focusing on the actual purpose. For example “How do I get the file name during a paging write?” is different from “How do I report to the user that a paging write happened on a certain file ?”. This is why we keep pushing for details on how you plan to use something.
One approach you can take is that during a paging operation you queue a worker thread that queries the file name and then writes the log entry (the worker thread will run at passive and will be able to get the file name; you can pass in some time stamp or an operation count or something similar to the worker thread so that operations can be ordered properly). Depending on how you plan to log these operations you might need to do this anyway for all paging operations because it might not be possible to log the operation in the paging path.
There are other things you need to consider, for example the name of the file in preWrite might be different from the file in postWrite (if it races with a rename). Also, because you are not the file system and you don’t serialize operations, you can’t know for sure the order in which operations complete in the file system. For example, assuming you see 3 renames going down on the same file object and you also see 2 writes going down (and you haven’t seen any of them complete yet), it is impossible for you to determine what the name of the file is at the time any of the writes actually happen on the file. Of course, you can say “well, it doesn’t matter, I only care about the name of the file BEFORE and AFTER the 3 renames, after all the user won’t care what the name of the file was for a couple of miliseconds” but this depends on the design of your solution.
Also, storing the name of the file in a stream context does not help in this case. It only works if you don’t care if it’s accurate at all or if you only want to reflect the name of the file when it was created. However, if you want to report the name of the file as best you can at the time operations happen then you have the issues you’ve already found and IMO you are better off using filter manager’s APIs all the time, because the name cache in filter manager is nothing but a stream handle context for the name, with a lot of optimizations.
So now we’ve come full circle :). FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP means ALWAYS look in the cache first, and if the name isn’t there then try to get it from the file system, which is exactly what you would end up implementing if you tried to have your own caching scheme.
Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.
Thank you all.
I think i have to clear more basic stuff first.
Can a file be renamed by one process while it is in use by other
processes?
Can a parent directory be renamed if there is any file present within it
opened by some process?
Thanks,
Sam.
On Fri, Aug 21, 2009 at 11:19 PM, Alexandru Carp < xxxxx@microsoft.com> wrote:
I guess it all depends on how you formulate the questions you are trying
to answer. Sometimes people get stuck on an implementation detail rather
than focusing on the actual purpose. For example ?How do I get the file name
during a paging write?? is different from ?How do I report to the user that
a paging write happened on a certain file ??. This is why we keep pushing
for details on how you plan to use something.
One approach you can take is that during a paging operation you queue a
worker thread that queries the file name and then writes the log entry (the
worker thread will run at passive and will be able to get the file name; you
can pass in some time stamp or an operation count or something similar to
the worker thread so that operations can be ordered properly). Depending on
how you plan to log these operations you might need to do this anyway for
all paging operations because it might not be possible to log the operation
in the paging path.
There are other things you need to consider, for example the name of the
file in preWrite might be different from the file in postWrite (if it races
with a rename). Also, because you are not the file system and you don?t
serialize operations, you can?t know for sure the order in which operations
complete in the file system. For example, assuming you see 3 renames going
down on the same file object and you also see 2 writes going down (and you
haven?t seen any of them complete yet), it is impossible for you to
determine what the name of the file is at the time any of the writes
actually happen on the file. Of course, you can say ?well, it doesn?t
matter, I only care about the name of the file BEFORE and AFTER the 3
renames, after all the user won?t care what the name of the file was for a
couple of miliseconds? but this depends on the design of your solution.
Also, storing the name of the file in a stream context does not help in
this case. It only works if you don?t care if it?s accurate at all or if you
only want to reflect the name of the file when it was created. However, if
you want to report the name of the file as best you can at the time
operations happen then you have the issues you?ve already found and IMO you
are better off using filter manager?s APIs all the time, because the name
cache in filter manager is nothing but a stream handle context for the name,
with a lot of optimizations.
So now we?ve come full circle J.
FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP means ALWAYS look in the cache
first, and if the name isn?t there then try to get it from the file system,
which is exactly what you would end up implementing if you tried to have
your own caching scheme.
Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit: http://www.osr.com/seminars
(1) Is certainly true that a file may be renamed. As an example, run
a program (“foo.exe”). Attempt to delete it - it will fail. Attempt to
rename it - it will succeed.
(2) This actually depends upon the file system. Some file systems
will not allow this, while others will. There can be complex scenarios
here - imagine a file that has hard links, or a file that has been
opened by ID. In those cases it can be quite challenging to define
behaviors here. It would be unwise to assume either “yes” or “no” as
the answer to this question.
Can a parent directory be renamed if there is any file present within
it opened by some process?
…
(2) This actually depends upon the file system. Some file systems
will not allow this, while others will. There can be complex scenarios
here – imagine a file that has hard links, or a file that has been
opened by ID. In those cases it can be quite challenging to define
behaviors here. It would be unwise to assume either “yes” or “no” as
the answer to this question.
Note that for NTFS, it will not allow renames to parent directories
while there are open handles but will do so when the handles are
closed. In other words, between IRP_MJ_CLEANUP and IRP_MJ_CLOSE for a
child file, a rename may occur on a parent component.
Note further that querying a name from the filesystem directly will not
eliminate this condition - it will return the name used to open the
object, which may not be its current name.