minispy filter IRP_MJ_Create called multiple times

Hi,
I’m extending the minispy filter driver that is part of the WDK samples to monitor a folder and send a notification as and when a file is opened.

The driver has registered only for IRP_MJ_CREATE, IRP_MJ_CLEANUP and IRP_MJ_WRITE.

When I open a txt file using Notepad, I immediately get a notification with Create and Cleanup. When I close Notepad, I again get Create and Cleanup.

When I write something in Notepad, close it and select Save, I get multiple Create and Cleanup notifications.

My requirement is simple. Whenever a user opens a file a notification has to be sent. Whenever the user closes a file again a notification has to be sent.

I would appreciate it if someone could help me with this.
Thanks

Take a look at the stacks when you are called. You will see that everything
from your driver up beats on create. A gazillion Win32 calls do opens.
Explorer just has to get bored to do an open. Filters do opens.

Procmon or FileSpy will help give insight…

> My requirement is simple. Whenever a user opens a file a notification has
> to be sent. Whenever the user closes a file again a notification has to be
> sent.

Sounds like you are meeting your requirements. If you are not getting what
you expect you need to revisit your requirements, particularly what you mean
by “user”:

  • a Security Principal?
  • a logged on entity?
  • an application?
  • a “session”?

and maybe what you mean by “open”: Open for read? Open for Write?

Or perhaps “file”: Do metadata channels (C:$Extend) matter? What about
directories? System files? Executables?

This is requirements 101.

R

R,

Thanks for the reply. What I meant by the user is the logged-in user who is
trying to open a file by double-clicking on it.
When double-clicking on a file, it is opened for read/write. Any changes
made to the file will be saved back.

I understand IRP_MJ_CREATE in a mini-filter is called a gazillion times. I would
like to check a file in a particular folder when it is opened and when it is
closed.
All I need is 2 events. The problem is when the file is opened I get

(When Windows Explorer launches notepad.exe with the file d:\test\test.txt)
IRP_MJ_CREATE
IRP_MJ_CLEANUP

(when notepad.exe is closed)
IRP_MJ_CREATE
IRP_MJ_CLEANUP

When I write additional content in the file and save it I get more events.

Is there any way to get fewer events? I see the same issue with FileSpy.

Thanks

On Mon, May 7, 2018 at 2:41 PM, Rod Widdowson <xxxxx@lists.osr.com> wrote:

> —
> NTFSD is sponsored by OSR
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

Not sure I understand the question, but maybe. Your point is that you are
getting a create and cleanup twice, once when notepad is opened and again
when notepad is closed. You would prefer to get a create when it is opened
and a cleanup when it is closed, is that right?

On Mon, May 7, 2018 at 8:03 PM, support <xxxxx@lists.osr.com> wrote:


Welcome to the most astonishing world of Windows device drivers. All you want is 2 events and you are getting a lot. This is normal behavior, since you are not alone in the system. Why not just try to focus on your open/r/w/close calls? The rest you can bypass, which is easy with a minifilter.
You need to learn a lot about how minifilters work, and try to get used to the Procmon and FileSpy utils.

./nT

In Windows, “a user” usually means a security access token obtained after a successful user logon, which is then assigned to all the processes/threads that are created by that user. Winlogon.exe usually creates the first “user” process after you log in. All of the processes coming from this, usually children of Wininit, will have the same access token unless something like LogonUser/CreateProcessAsUser is done. Hence “when a user opens a file” means all the processes/threads created with that access token open a file. A file open = a call to CreateFile. This happens all the time, at least on your Windows installation volume.
What you are seeing at the file system filter level is simply threads requesting access to files on different volumes or even the network.
The fact that you have a certain expectation of the number of CREATE/CLOSES that should come due to an interactive user-mode GUI action is simply wrong. You can sometimes expect double-clicking a file to produce 10 creates coming down (indexing services, background processes, other filters, etc. could decide to open the file as a result of the interactive user’s action), and sometimes none (perhaps because of some form of caching). You cannot make such assumptions when you are writing a filter or you will have a bad time.
I would advise you to redesign your filter taking this into account.
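To make the advice in the last two replies concrete (focus on the opens that actually read or write the file, bypass the rest, and never assume a fixed number of creates per double-click), here is an added example written for this thread; it is not the poster's driver nor code from the WDK minispy sample. It is a user-mode C simulation of the decision logic only: the `create_info_t` struct and the `tracker_t` table are hypothetical stand-ins for the create parameters a post-create callback sees and for the per-handle stream handle context a real filter would attach with FltSetStreamHandleContext, and the path strings are constructed. The access-mask and create-option bit values are the ones from the Windows headers, redefined here so the file builds without the WDK. The trace mirrors the scenario described in the thread: Explorer probes attributes, Notepad opens for read/write, an indexer's open fails, a kernel-mode caller and a directory enumeration also arrive, and a lookalike path outside the folder is thrown in.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit values copied from the Windows headers (ntifs.h / winnt.h) so this file
 * builds with any C compiler; a real minifilter includes <fltKernel.h> instead. */
#define FILE_READ_DATA        0x0001u
#define FILE_WRITE_DATA       0x0002u
#define FILE_APPEND_DATA      0x0004u
#define FILE_READ_ATTRIBUTES  0x0080u
#define SYNCHRONIZE           0x00100000u
#define FILE_DIRECTORY_FILE   0x00000001u   /* create option: caller wants a directory */

/* Hypothetical, trimmed view of what a post-create callback can observe. */
typedef struct {
    uint64_t    file_object;       /* FILE_OBJECT identity; the same value reappears at cleanup */
    const char *path;              /* normalized name (FltGetFileNameInformation in a real filter) */
    uint32_t    desired_access;    /* SecurityContext->DesiredAccess, specific rights */
    uint32_t    create_options;    /* low 24 bits of Parameters.Create.Options */
    bool        kernel_requestor;  /* Data->RequestorMode == KernelMode */
    bool        succeeded;         /* NT_SUCCESS(Data->IoStatus.Status) */
} create_info_t;

#define MAX_TRACKED 32

/* Stand-in for the per-handle stream handle context a real filter would set
 * with FltSetStreamHandleContext: remembers which opens were reported. */
typedef struct {
    uint64_t reported[MAX_TRACKED];
    int      count;
} tracker_t;

/* Case-insensitive "path is inside folder" check (NTFS names are case-insensitive);
 * requires a backslash after the folder name so "\test" does not match "\testing". */
static bool path_in_folder(const char *path, const char *folder) {
    size_t n = strlen(folder);
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0' ||
            tolower((unsigned char)path[i]) != tolower((unsigned char)folder[i]))
            return false;
    }
    return path[n] == '\\';
}

/* Only opens that can read or change the data count as "the user opened the file";
 * attribute-only opens (Explorer building icons and tooltips) are ignored. */
static bool wants_data_access(uint32_t desired_access) {
    return (desired_access & (FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0;
}

/* Post-create decision: report this open or let it pass silently. */
bool should_report_create(const create_info_t *c, const char *folder) {
    if (!c->succeeded) return false;                            /* a failed create gets no cleanup */
    if (c->kernel_requestor) return false;                      /* other filters, lazy writer, ... */
    if (c->create_options & FILE_DIRECTORY_FILE) return false;  /* directory enumeration opens */
    if (!path_in_folder(c->path, folder)) return false;
    return wants_data_access(c->desired_access);
}

/* Post-create hook: remember reported opens so cleanup can be matched to them. */
bool on_post_create(tracker_t *t, const create_info_t *c, const char *folder) {
    if (!should_report_create(c, folder) || t->count >= MAX_TRACKED) return false;
    t->reported[t->count++] = c->file_object;
    return true;   /* caller sends the "opened" notification */
}

/* Pre-cleanup hook: report a close only for a file object whose open we reported. */
bool on_cleanup(tracker_t *t, uint64_t file_object) {
    for (int i = 0; i < t->count; i++) {
        if (t->reported[i] == file_object) {
            t->reported[i] = t->reported[--t->count];
            return true;
        }
    }
    return false;
}

typedef struct { int opens; int closes; } counts_t;

/* Constructed trace for one double-click on d:\test\test.txt (device-relative
 * names as a filter would see them). Six creates arrive; one should be reported. */
counts_t simulate_double_click(void) {
    const char *folder = "\\Device\\HarddiskVolume2\\test";
    const char *file   = "\\Device\\HarddiskVolume2\\test\\test.txt";
    const create_info_t creates[] = {
        {1, file, FILE_READ_ATTRIBUTES | SYNCHRONIZE, 0, false, true},           /* Explorer: attributes only */
        {2, "\\Device\\HarddiskVolume2\\TEST\\test.txt",
            FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE, 0, false, true},     /* Notepad, different case */
        {3, file, FILE_READ_DATA | SYNCHRONIZE, 0, false, false},                /* indexer: create failed */
        {4, file, FILE_READ_DATA, 0, true, true},                                /* kernel-mode caller */
        {5, folder, FILE_READ_ATTRIBUTES, FILE_DIRECTORY_FILE, false, true},     /* directory open */
        {6, "\\Device\\HarddiskVolume2\\testing\\x.txt", FILE_READ_DATA, 0, false, true}, /* lookalike path */
    };
    const size_t total = sizeof creates / sizeof creates[0];
    counts_t n = {0, 0};
    tracker_t t = {{0}, 0};
    for (size_t i = 0; i < total; i++)
        if (on_post_create(&t, &creates[i], folder)) n.opens++;
    /* Every successful open is eventually cleaned up, in any order. */
    for (size_t i = total; i-- > 0;)
        if (creates[i].succeeded && on_cleanup(&t, creates[i].file_object)) n.closes++;
    return n;
}

int main(void) {
    counts_t n = simulate_double_click();
    printf("reported opens: %d, reported closes: %d\n", n.opens, n.closes);
    return 0;
}
```

In a real filter the same shape applies: uninteresting opens can be dropped already in pre-create by returning FLT_PREOP_SUCCESS_NO_CALLBACK, the "opened" notification is sent from post-create only after the status is checked, and cleanup is reported only when a context attached to that file object proves the open was one you reported. Counting creates per user gesture, as the thread points out, is not something a filter can rely on.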