The condition you mentioned “if ( NULL == FileObject->SectionObjectPointer
|| NULL == FileObject->SectionObjectPointer->DataSection )” works fine for
intercepting IRP_MJ_WRITE.
But it is not working properly for intercepting IRP_MJ_READ.
When a .jpg file is read by a photoviewer.dll, some IRP_MJ_READs are
missed by the mini filter.
Please let me know a method to identify whether an IRP_MJ_READ is going to
disk or cache, for a network volume.
Thanks,
S Ramakrishnan
On Sun, Nov 20, 2016 at 11:46 AM, wrote:
> Notepad uses a memory mapped file, this is analogous to file being cached.
> When Memory Manager flushes dirty pages the filter receives paging IO.
>
> The correct implementation requires an isolation filter like OSR Data
> Modification Kit.
> In your case you can try to intercept a cached IO for network FS and
> process it as non cached(i.e. encrypt/decrypt) if ( NULL == FileObject->SectionObjectPointer
> || NULL == FileObject->SectionObjectPointer->DataSection ).
>
> —
> NTFSD is sponsored by OSR
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> <http://www.osronline.com/page.cfm?name=ListServer>
I do not remember the exact conditions this particular advice was given and I am reading the list through the online version that jettisons the history.
You can only be sure that paging IO will not end up in the cache. All other cases are implementation dependent. With a good probability non-paging read is processed through the cache.
You can find a heuristic for a particular network FSD for some IO cases.
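Added example, not part of any post in this thread: a user-mode model of the decision discussed above, which tests the paging flags before the `DataSection` condition so that a paging read on a mapped file is not classed as cached. The IRP flag values are those in wdm.h; the structs, the enum and the names `classify_read` and `classify_sample` are constructed stand-ins, and a real minifilter would read the flags from its callback data instead.

```c
#include <stddef.h>
#include <stdio.h>

/* IRP flag values as defined in wdm.h. */
#define IRP_NOCACHE               0x00000001u
#define IRP_PAGING_IO             0x00000002u
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040u

/* Constructed stand-ins for the two kernel structures the check touches. */
struct section_pointers { void *DataSection; };
struct file_object { struct section_pointers *SectionObjectPointer; };

enum read_path {
    READ_BYPASSES_CACHE,   /* paging I/O: the only case the thread calls certain */
    READ_NO_DATA_SECTION,  /* the quoted condition holds: process as non-cached */
    READ_FSD_DEPENDENT     /* may be served from cache; depends on the network FSD */
};

/* Hypothetical helper: classify one IRP_MJ_READ from its IRP flags and file object. */
enum read_path classify_read(unsigned irp_flags, const struct file_object *fo)
{
    /* Paging reads never end up in the cache, whatever the section state is. */
    if (irp_flags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO))
        return READ_BYPASSES_CACHE;
    /* The condition quoted in the thread. */
    if (fo == NULL || fo->SectionObjectPointer == NULL ||
        fo->SectionObjectPointer->DataSection == NULL)
        return READ_NO_DATA_SECTION;
    /* Everything else, including IRP_NOCACHE alone, is implementation dependent. */
    return READ_FSD_DEPENDENT;
}

/* Build a constructed file object (with or without a data section) and classify it. */
enum read_path classify_sample(unsigned irp_flags, int has_data_section)
{
    static int section;  /* dummy object standing in for a data section */
    struct section_pointers sp = { has_data_section ? (void *)&section : NULL };
    struct file_object fo = { &sp };
    return classify_read(irp_flags, &fo);
}

int main(void)
{
    printf("paging read, mapped file:  %d\n", classify_sample(IRP_PAGING_IO | IRP_NOCACHE, 1));
    printf("plain read, no section:    %d\n", classify_sample(0, 0));
    printf("plain read, mapped file:   %d\n", classify_sample(0, 1));
    return 0;
}
```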