How does a directory(folder) get removed by minifilter?

In the minispy filter, I can see from the log that the spypreOperation() of IRP_MJ_SET_INFORMATION is called when a single folder or file (logdir or logfile) is removed by the Window manager. But when a folder which contains a sub-folder and a file (logdir\logdir_2\logfile) is removed, only the file, logfile, is handled by the same spypreOperation() of IRP_MJ_SET_INFORMATION, but not logdir and logdir_2. Which callback function(s) handle the removal of logdir_2 and logdir? Why doesn’t the callback function of IRP_MJ_SET_INFORMATION handle directories in such a case?

Recycle Bin? :)

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

From the minispy log, it looks like the operation with Major Function IRP_MJ_DIRECTORY_CONTROL and Minor Function IRP_MN_NOTIFY_CHANGE_DIRECTORY moves the directory to the Recycle Bin. But I am not sure; could FSD experts confirm this?
And I don’t find much info about how to set up a call for handling IRP_MN_NOTIFY_CHANGE_DIRECTORY. FltQueryDirectoryFile() looks like it only handles Minor Function IRP_MN_QUERY_DIRECTORY, but not IRP_MN_NOTIFY_CHANGE_DIRECTORY, and it is not available for XP.
Can the FltQueryDirectoryFile() call handle the IRP_MN_NOTIFY_CHANGE_DIRECTORY Minor Function in Vista and Win7?
If so, how do I set up the parameters with info from the DirectoryControl.NotifyDirectory struct of FLT_PARAMETERS?

    typedef union _FLT_PARAMETERS {
        … ;
        union {
            struct {
                ULONG Length;
                PUNICODE_STRING FileName;
                FILE_INFORMATION_CLASS FileInformationClass;
                ULONG POINTER_ALIGNMENT FileIndex;
                PVOID DirectoryBuffer;
                PMDL MdlAddress;
            } QueryDirectory;
            struct {
                ULONG Length;
                ULONG POINTER_ALIGNMENT CompletionFilter;
                ULONG Spare1;
                ULONG POINTER_ALIGNMENT Spare2;
                PVOID DirectoryBuffer;
                PMDL MdlAddress;
            } NotifyDirectory;
        } DirectoryControl;
        … ;
    } FLT_PARAMETERS, *PFLT_PARAMETERS;

John W.

Twin Peaks Software
Innovation for business continuity
E-mail: xxxxx@TwinPeakSoft.com
Tel: (510) 438-0536

Nope, IRP_MJ_DIRECTORY_CONTROL with Minor Function of
IRP_MN_NOTIFY_CHANGE_DIRECTORY simply notifies the issuer of the IRP of
changes to a directory tree.

Thanks,
Alex.

Then which Major and Minor functions remove the directory tree or
move the directory tree to Recycle Bin?

John W.

Twin Peaks Software
Innovation for business continuity
E-mail: xxxxx@TwinPeakSoft.com
Tel: (510) 438-0536

You will see the IRP_MJ_SET_INFORMATION with an information class of FILE_RENAME_INFORMATION when it is moved to the recycle bin.

I would imagine it’s IRP_MJ_SET_INFORMATION with FileDispositionInformation
or FileRenameInformation. But I haven’t ever looked into how the recycle bin
works so I’m not sure.

Thanks,
Alex.

I have been looking into this for a week or so.
For a single empty directory or a file, IRP_MJ_SET_INFORMATION with
FileDispositionInformation does the removal.
But for a directory tree, I can’t find any info, neither can I find
any clues from minispy’s log. This should be very simple.
Why is it so difficult to find any info about this?

John W.

Twin Peaks Software
Innovation for business continuity
E-mail: xxxxx@TwinPeakSoft.com
Tel: (510) 438-0536

When a directory with files/directories beneath it gets deleted you should see an IRP_MJ_SET_INFORMATION for every file/directory. Each file and dir gets its own Irp to delete it. Once everything under the directory is deleted you get the final Irp that removes the topmost directory.

You are asking about the behavior of a single specific application, which really doesn’t have anything to do with the file system, it has to do with the bizarre behavior of one of the more frustrating applications on Windows (frustrating for those of us working with file systems, since we often find its behavior mysterious.)

Have you tried it on different OS versions?

Here’s a question for you: if you delete a directory from the command line do you see the same thing? I suspect you will not because the command line doesn’t try to use the recycle bin.

If you are claiming that you don’t see ANY operations on that directory, I’d suggest that you’ve missed something in your analysis. I suspect the mistake is that you consider a high level operation (“I delete this directory in Explorer”) as being directly related to the low level operation. Hmm. How about if you try to do a “shift+DEL” on the directory? That should “permanently destroy” the directory and again you’ll probably get different behavior.

Tony
OSR

This is what I have found on deleting a directory:

  1. With a “shift+DEL” on the directory in Explorer or a rmdir command from the command line,

As rick_winter2001 pointed out,

"When a directory with files/directories beneath it gets deleted you should see an IRP_MJ_SET_INFORMATION for every file/directory. Each file and dir gets its own Irp to delete it. Once everything under the directory is deleted you get the final Irp that removes the topmost directory."

  2. With the delete option on Explorer’s pull-down menu,

The file and the directory with no file or subdirectory in it (an empty directory) get deleted by the Major function IRP_MJ_SET_INFORMATION and minor function FileDispositionInformation.
The directory that has a file or subdirectory in it won’t get deleted, even after all its files and subdirectories get deleted. It stays in the directory tree.
After all files and empty directories get deleted, the topmost directory gets renamed by the Major function IRP_MJ_SET_INFORMATION and minor function FileRenameInformation to a directory in the RECYCLER bin.

  3. I have not tried different OS versions yet; I am working on XP.

John W.

Twin Peaks Software
Innovation for business continuity
E-mail: xxxxx@TwinPeakSoft.com
Tel: (510) 438-0536

I had this problem and I am providing my solution hoping to help other readers.

When an empty folder/file is deleted, the relevant IRPs are:

  1. IRP_MJ_CREATE
  2. IRP_MJ_SET_INFORMATION with FileDispositionInformation Flag
  3. IRP_MJ_CLEANUP

Check for the FileDisposition flag, or FileRenameInformation in case of the Recycle Bin, and mark it as a possible delete event (stream context) to be confirmed during cleanup.

When you delete a folder with files in it, first the folder gets an IRP_MJ_SET_INFORMATION IRP. If you check the IoStatus.Status field, the value will be -1073741567 (STATUS_DIRECTORY_NOT_EMPTY). Thus, the folder is not deleted yet.

Now each file in the directory receives its own IRP_MJ_SET_INFORMATION with FileDispositionInformation Flag IRP and the file gets deleted.

After all files are deleted another IRP_MJ_SET_INFORMATION with FileDispositionInformation Flag for the directory is generated.

If you follow the method specified in the sample delete minifilter you might see that this causes a race condition so it is better to check if the file/directory is present before notifying as a delete during PostCleanup.

In my case I have incremented the NumOps as per the sample minifilter. Now NumOps = 2 in this case. I have also ignored all Cleanup where NumOps > 1. I have decremented NumOps only at PostSetInfo and when the status == STATUS_DIRECTORY_NOT_EMPTY, no PostSetInfo is called hence NumOps remained > 1 in the Stream Context.
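
The bookkeeping described in the post above, as an added user-mode C model (not code from the thread, the WDK, or the delete sample minifilter): a set-disposition request only marks a candidate when it succeeds, a candidate is confirmed at cleanup only if the object is really gone, and a successful rename into a `\RECYCLER\` path component (the XP behaviour reported in this thread) is counted separately. The `event` and `ctx` structs, `run_trace`, the `gone` flag standing in for the existence check, and the trace itself are constructed for illustration.

```c
#include <string.h>

/* User-mode model of the bookkeeping, not WDK code. Event kinds, struct names
   and the trace are constructed for illustration. */
#define STATUS_SUCCESS             0x00000000u
#define STATUS_DIRECTORY_NOT_EMPTY 0xC0000101u /* -1073741567 as signed 32-bit */

enum op { SET_DISPOSITION, SET_RENAME, CLEANUP };
struct event { enum op op; const char *path; unsigned status; const char *target; int gone; };
struct ctx { const char *path; int pending; }; /* stands in for a stream context */

static struct ctx table[8];
static int nctx;

static struct ctx *ctx_for(const char *path) {
    for (int i = 0; i < nctx; i++)
        if (strcmp(table[i].path, path) == 0) return &table[i];
    if (nctx == 8) return NULL;
    table[nctx] = (struct ctx){ path, 0 };
    return &table[nctx++];
}

/* Returns the number of confirmed deletes; *recycled counts renames into RECYCLER. */
int run_trace(const struct event *t, int n, int *recycled) {
    int deletes = 0;
    nctx = 0; *recycled = 0;
    for (int i = 0; i < n; i++) {
        struct ctx *c = ctx_for(t[i].path);
        if (!c) continue;
        if (t[i].op == SET_DISPOSITION)   /* only a successful request is a candidate */
            c->pending = (t[i].status == STATUS_SUCCESS);
        else if (t[i].op == SET_RENAME && t[i].status == STATUS_SUCCESS &&
                 t[i].target && strstr(t[i].target, "\\RECYCLER\\"))
            (*recycled)++;
        else if (t[i].op == CLEANUP && c->pending) {
            c->pending = 0;
            deletes += t[i].gone;         /* confirm only if the object is really gone */
        }
    }
    return deletes;
}

/* Constructed trace: permanent delete of logdir\logdir_2\logfile (set-info, then cleanup). */
const struct event shift_del_trace[] = {
    { SET_DISPOSITION, "logdir", STATUS_DIRECTORY_NOT_EMPTY, NULL, 0 },
    { CLEANUP, "logdir", STATUS_SUCCESS, NULL, 0 },
    { SET_DISPOSITION, "logdir\\logdir_2\\logfile", STATUS_SUCCESS, NULL, 0 },
    { CLEANUP, "logdir\\logdir_2\\logfile", STATUS_SUCCESS, NULL, 1 },
    { SET_DISPOSITION, "logdir\\logdir_2", STATUS_SUCCESS, NULL, 0 },
    { CLEANUP, "logdir\\logdir_2", STATUS_SUCCESS, NULL, 1 },
    { SET_DISPOSITION, "logdir", STATUS_SUCCESS, NULL, 0 },
    { CLEANUP, "logdir", STATUS_SUCCESS, NULL, 1 },
};
```

The first `logdir` request fails with STATUS_DIRECTORY_NOT_EMPTY, so its cleanup is not reported; only the later successful request followed by a cleanup with the directory gone counts as a delete.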