How to determine a file open event via mini filter?

I don’t know why I cannot seem to find a straightforward answer to the question “How to determine file open event via mini filter?”

In Microsoft’s docs (https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/irp-mj-create), it is explained that:

“The I/O Manager sends the IRP_MJ_CREATE request when a new file or directory is being created, or when an existing file, device, directory, or volume is being opened.”

In the same Microsoft doc on IRP_MJ_CREATE, it says:

"Irp->IoStatus Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the requested operation. The file system sets the Information member of this structure to one of the following values:

FILE_CREATED

FILE_DOES_NOT_EXIST

FILE_EXISTS

FILE_OPENED

FILE_OVERWRITTEN

FILE_SUPERSEDED"

How do I identify if the status of the event is FILE_OPENED? The question is, when IRP_MJ_CREATE is sent, can I determine if this is a result of an existing file being open? And if I can, can I therefore identify the name of the file that is being opened, and which AD account has opened it?

Thanks.

Traditionally, the approach is to allow the open to proceed, then on the
POST operation check the flag. You can get the filename and the SID of the
user as part of the pre/post operations.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Monday, April 16, 2018 9:51 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] How to determine a file open event via mini filter?
NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thanks Don.

I’m sorry that I am pretty new to filters. How do I check the flag on the
POST operation? While I will attempt again to understand the minifilter
documentation on Microsoft’s github page, do you have a recommended
tutorial or steps that I can use? Thanks.

CA Tan

On Mon, 16 Apr 2018, 10:01 PM Don Burn <xxxxx@lists.osr.com> wrote:


Use the filetest utility and start playing with this awesome tool. Put a breakpoint using windbg in your pre-create dispatch and see the cdb values there; you can find all of your questions.

Better to start with the pass-through filter sample of the DDK.

Hope this will help.

./nT

Thanks nT. I downloaded filetest (
http://www.zezula.net/en/fstools/filetest.html) and tried to use it. I’m
not sure if I follow what you meant for me to use it for. Would it be the
same effect if I simply opened a text file while having DbgView turned on?
As for windbg, I’m not sure if I am thinking correctly that this might be
an overkill. All I just want to know is how do I call out the flag of the
POST operation (as per Don Burn’s post). I guess the fault is really mine
when I don’t understand what you mean by “pass through filter sample of
ddk”. I did try to understand the passThrough filter sample on Microsoft’s
github, but I might have failed to understand the relation. Appreciate if
you might have more specific directions as I am still trying to understand
file systems and minifilters. Thanks.

On Tue, Apr 17, 2018 at 3:37 PM, xxxxx@gmail.com wrote:


Regards,
CA

Hello CA,

Please check the documentation for the FLT_CALLBACK_DATA structure, which is passed as a parameter to the PostOperation callback in a minifilter.

In this structure you will find an IO_STATUS_BLOCK structure member, and the Information field of that structure will tell you whether an existing file was opened, an existing file was overwritten, or a new file was created.

Hope this helps you.

Regards,
Gaurav Khuntale

Thank you Gaurav.

I tried getting IoStatus.Information out from BOTH PreOperation (I know you
said to do this on PostOperation only, but I wanted to see what happens if
I attempt also on PreOperation) and PostOperation. On DbgViewer,
PreOperation shows the IoStatus.Information to be (null). PostOperation
does not print any data from my KdPrint line. If I do not ask to print
IoStatus.Information on PostOperation, the KdPrint line prints fine.

Here is my code in my PostOperation:

FLT_POSTOP_CALLBACK_STATUS MiniPostCreate(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext,
    FLT_POST_OPERATION_FLAGS Flags)
{
    PFLT_FILE_NAME_INFORMATION FileNameInfo;
    NTSTATUS status;
    WCHAR Name[200] = { 0 };

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED |
        FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);

    if (NT_SUCCESS(status))
    {
        status = FltParseFileNameInformation(FileNameInfo);

        if (NT_SUCCESS(status))
        {
            if (FileNameInfo->Name.MaximumLength < 260)
            {
                RtlCopyMemory(Name, FileNameInfo->Name.Buffer,
                    FileNameInfo->Name.MaximumLength);
                //KdPrint(("Post Create is running. File: %ws, IoStatus.Pointer:%ws\r\n", Name, Data->IoStatus.Pointer));
                KdPrint(("Post Create is running. File: %ws, IoStatus.Information is '%ws'\r\n",
                    Name,
                    Data->IoStatus.Information));
            }
        }

        FltReleaseFileNameInformation(FileNameInfo);
    }
    return FLT_POSTOP_FINISHED_PROCESSING;
}

Did I miss something? Thanks.

On Fri, Apr 20, 2018 at 6:11 PM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:


Regards,
CA

Hello CA,

You are using the wrong format specifier to print Data->IoStatus.Information. Please check the data type of the ‘Information’ member and use the appropriate format specifier. You will get the data that you wanted.

Regards,
Gaurav

Two additional things:

  1. The Information field is meaningless in PreCreate. The value is set by
    the file system as part of completing the open, at which point you’re called
    at PostCreate

  2. A UNICODE_STRING.Buffer is not guaranteed to be NULL terminated, so the
    way you’re copying and printing the buffer is invalid. You can print a
    PUNICODE_STRING with %wZ. So to print the path you can just:
    DbgPrint("%wZ\n", &FileNameInfo->Name);

-scott
OSR
@OSRDrivers

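Putting the replies in this thread together (Don's "let the open proceed and check in POST", Gaurav's IoStatus.Information, and Scott's three corrections), the following is an added example written for this page; it is not code from the thread or from any of its posters. The helper names CreateResultName and IsExistingFileOpened are mine; MiniPreCreate/MiniPostCreate only echo the naming used in the thread. It assumes that the WDK defines _KERNEL_MODE for kernel targets (used here to gate the driver-only part), and the user-mode stand-in typedefs and FILE_* values under the #else are copied from ntifs.h purely so the decision logic can be compiled and unit-tested without the WDK. The requestor's SID is taken in PreCreate from the create's security context and handed to PostCreate through CompletionContext, which is where Don's "pre/post" remark leads.

```c
/*
 * Added example, not from the thread: decide in PostCreate whether an
 * IRP_MJ_CREATE opened an existing file, and log the path and the SID of the
 * user who opened it. The decision helpers build anywhere (so they can be
 * tested in user mode); the minifilter callbacks build only under the WDK.
 * Assumption: _KERNEL_MODE is the macro the WDK sets for kernel targets.
 */
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else
#include <stdint.h>
#include <string.h>
typedef int32_t NTSTATUS;             /* 32-bit signed, like the kernel LONG */
typedef uintptr_t ULONG_PTR;
typedef unsigned char BOOLEAN;
#define TRUE 1
#define FALSE 0
#define NT_SUCCESS(s)   ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS  ((NTSTATUS)0x00000000)
#define STATUS_REPARSE  ((NTSTATUS)0x00000104)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034)
/* IoStatus.Information values for IRP_MJ_CREATE, as defined in ntifs.h */
#define FILE_SUPERSEDED 0
#define FILE_OPENED     1
#define FILE_CREATED    2
#define FILE_OVERWRITTEN 3
#define FILE_EXISTS     4
#define FILE_DOES_NOT_EXIST 5
#endif

/* Name of an IRP_MJ_CREATE Information value, for logging. */
const char *CreateResultName(ULONG_PTR info)
{
    switch (info) {
    case FILE_SUPERSEDED:     return "FILE_SUPERSEDED";
    case FILE_OPENED:         return "FILE_OPENED";
    case FILE_CREATED:        return "FILE_CREATED";
    case FILE_OVERWRITTEN:    return "FILE_OVERWRITTEN";
    case FILE_EXISTS:         return "FILE_EXISTS";
    case FILE_DOES_NOT_EXIST: return "FILE_DOES_NOT_EXIST";
    default:                  return "UNKNOWN";
    }
}

/* TRUE only when the create succeeded and the file system reports that an
 * already-existing file was opened. Information is undefined when the create
 * failed, and STATUS_REPARSE means the open is being redirected and re-issued,
 * so neither counts as an open here. */
BOOLEAN IsExistingFileOpened(NTSTATUS status, ULONG_PTR info)
{
    if (!NT_SUCCESS(status) || status == STATUS_REPARSE)
        return FALSE;
    return (info == FILE_OPENED) ? TRUE : FALSE;
}

#ifdef _KERNEL_MODE
/* PreCreate: capture the requestor's SID from the create's security context
 * and hand it to PostCreate through CompletionContext. PASSIVE_LEVEL here. */
FLT_PREOP_CALLBACK_STATUS MiniPreCreate(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PACCESS_STATE accessState =
        Data->Iopb->Parameters.Create.SecurityContext->AccessState;
    PACCESS_TOKEN token =
        SeQuerySubjectContextToken(&accessState->SubjectSecurityContext);
    PTOKEN_USER user = NULL;

    UNREFERENCED_PARAMETER(FltObjects);
    /* Buffer is allocated by the kernel; PostCreate frees it with ExFreePool. */
    if (!NT_SUCCESS(SeQueryInformationToken(token, TokenUser, (PVOID *)&user)))
        user = NULL;
    *CompletionContext = user;
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

/* PostCreate: Information is now set by the file system, so check it here. */
FLT_POSTOP_CALLBACK_STATUS MiniPostCreate(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext,
    FLT_POST_OPERATION_FLAGS Flags)
{
    PTOKEN_USER user = (PTOKEN_USER)CompletionContext;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    UNICODE_STRING sid = { 0 };

    UNREFERENCED_PARAMETER(FltObjects);
    /* Skip the work while the instance is draining, but still free the SID. */
    if (!(Flags & FLTFL_POST_OPERATION_DRAINING) &&
        IsExistingFileOpened(Data->IoStatus.Status, Data->IoStatus.Information) &&
        NT_SUCCESS(FltGetFileNameInformation(Data,
            FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo))) {
        /* %wZ prints a UNICODE_STRING by Length; no NUL terminator is needed. */
        if (user != NULL &&
            NT_SUCCESS(RtlConvertSidToUnicodeString(&sid, user->User.Sid, TRUE))) {
            DbgPrint("%s: %wZ opened by %wZ\n",
                CreateResultName(Data->IoStatus.Information), &nameInfo->Name, &sid);
            RtlFreeUnicodeString(&sid);
        } else {
            DbgPrint("%s: %wZ (requestor SID unavailable)\n",
                CreateResultName(Data->IoStatus.Information), &nameInfo->Name);
        }
        FltReleaseFileNameInformation(nameInfo);
    }
    if (user != NULL)
        ExFreePool(user);
    return FLT_POSTOP_FINISHED_PROCESSING;
}
#endif
```

Both callbacks go in the FLT_OPERATION_REGISTRATION entry for IRP_MJ_CREATE. IoStatus.Information is a ULONG_PTR, so if you print it directly rather than through CreateResultName, use %Iu (or cast to ULONG and use %lu), never %ws; and because the value is only meaningful once the file system has completed the create, the check belongs in PostCreate, exactly as Don and Scott said. Mapping the SID to an AD account name is a user-mode job (LookupAccountSid, or the log consumer), not something to do in the filter.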