I am working on windows docker container where I need to figure out, from my filter driver (scanner sample application), whether the request is served from package layer or from scratch root (means new or modified file inside container). In order to do figure this I added an ECP (ECP_WCIFS_REDIRECTION) context in my pre-create hook and in post-create I look for whether the ECP is acknowledged or not. This works fine for the file which are already present in package layer. But when I create a new file inside container this ECP is not getting acknowledged
//
// Code for adding ECP inside pre-create hook
//
do {
status = FltGetEcpListFromCallbackData(ScannerData.Filter,
Data,
&pECPList);
if (!NT_SUCCESS(status)) {
DbgPrint(“ScannerAddContainerRedirectionECP: FltGetEcpListFromCallbackData retuned (0x%08x)\n”, status);
break;
}
if (NULL == pECPList) {
// There is no valid ECP list. Create one.
status = FltAllocateExtraCreateParameterList(ScannerData.Filter,
FSRTL_ALLOCATE_ECPLIST_FLAG_CHARGE_QUOTA,
&pECPList);
if (!NT_SUCCESS(status)) {
DbgPrint(“ScannerAddContainerRedirectionECP: FltAllocateExtraCreateParameterList retuned (0x%08x)\n”, status);
break;
}
//
// Set it into CBD.
//
status = FltSetEcpListIntoCallbackData(ScannerData.Filter,
Data,
pECPList);
if (!NT_SUCCESS(status)) {
DbgPrint(“ScannerAddContainerRedirectionECP: FltSetEcpListIntoCallbackData retuned (0x%08x)\n”, status);
break;
}
}
else {
//
// See if the ECP has already been added to the ECP list
// already.
//
status = FltFindExtraCreateParameter(ScannerData.Filter,
pECPList,
&GUID_ECP_WCIFS_REDIRECTION,
NULL,
NULL);
if (status != STATUS_NOT_FOUND) {
DbgPrint(“ScannerAddContainerRedirectionECP: redirection ECP is already present\n”);
break;
}
}
status = FltAllocateExtraCreateParameter(ScannerData.Filter,
&GUID_ECP_WCIFS_REDIRECTION,
sizeof(WCIFS_REDIRECTION_ECP_CONTEXT),
FSRTL_ALLOCATE_ECPLIST_FLAG_CHARGE_QUOTA,
NULL,
SCANNER_STRING_TAG,
&pECPContext);
if (!NT_SUCCESS(status)) {
DbgPrint(“FltAllocateExtraCreateParameter retuned (0x%08x)\n”, status);
break;
}
RtlZeroMemory(pECPContext, sizeof(WCIFS_REDIRECTION_ECP_CONTEXT));
status = FltInsertExtraCreateParameter(ScannerData.Filter,
pECPList, pECPContext);
if (!NT_SUCCESS(status)) {
DbgPrint(“FltInsertExtraCreateParameter retuned (0x%08x)\n”, status);
FltFreeExtraCreateParameter(ScannerData.Filter, pECPContext);
break;
}
} while (0);
//
// Code for checking ECP is acknowledged
//
do
{
status = FltGetEcpListFromCallbackData(ScannerData.Filter, Data, &pECPList);
if (NT_SUCCESS(status)) {
if (pECPList != NULL) {
status = FltFindExtraCreateParameter(ScannerData.Filter,
pECPList,
pEcpGuid,
&ecpContext,
NULL);
if (NT_SUCCESS(status)) {
if (FltIsEcpAcknowledged(ScannerData.Filter, ecpContext)) {
*Ecp = ecpContext;
*EcpSize = ecpContextSize;
} else {
status = STATUS_UNSUCCESSFUL;
}
}
} else {
status = STATUS_UNSUCCESSFUL;
}
}
} while (0);
Can someone please help to understand why the ECP context is not getting acknowledged for files which are newly created.