IRP_MJ_CREATE and $Recycle.Bin path

Jorgen_Lundman Member - All Emails Posts: 47

So I can from time to time get an IRP_MJ_CREATE with the filename as
"$Recycle.Bin\S-1-5-21-1094529100-1738202490-1165505843-1002.???"
and I call RtlUnicodeToUTF8N() to convert which returns STATUS_SOME_NOT_MAPPED.

That in itself is not really an issue, I can figure out something to do there.

The IRP_MJ_CREATE comes with SL_OPEN_TARGET_DIRECTORY so it wants the parent that contains the file.

But, what is it expecting? The path does not start with "\", it starts with "$Recycle". I have no such dir, but it is asking for the parent of it, should I return "\" or some form of error? I have not found any special-case code regarding "$Recycle.Bin" in the Windows-driver-samples.

In this case, it is passing in FileObject->RelatedFileObject, a directory, should I return that? Or am I overthinking it, it is passing a dir, and a file/dir to lookup inside it, that does not exist, so it should just fail.

Comments

  • Jorgen_Lundman Member - All Emails Posts: 47

    Yeah I think I'm just overthinking it - the object doesn't exist, return error.

  • rod_widdowson Member - All Emails Posts: 1,136

    No, you are not overthinking this. You are just missing the import of the related file object and, critically, of SL_OPEN_TARGET_DIR.

    If in doubt, read FAT, but the general idea is that this is the name that a file is going to have after a rename operation. The name, of course, is affected by the specification of a related FO, just like any other create.

    Most filesystems that I’ve spelunked return the parent dir, and FAT squirrels the new name away in the CCB so when the file object turns up in the SetFileRename it knows what to do. Of course the new name may be specified there as well. Renames is grotesque.

    If you fail the create the rename will fail and in this case explorer will do something else.

  • Jorgen_Lundman Member - All Emails Posts: 47

    Yep, I couldn't even "git clone" as a test, it needs it to succeed for non-existent things.
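
The behaviour described in rod_widdowson's reply, as an added example that is not part of the original thread and is not FAT's code: a user-mode C model of a create carrying SL_OPEN_TARGET_DIRECTORY that resolves the name against the related directory, returns the parent, keeps the final component for the later rename, and reports whether the target already exists. The path table, struct and function names are constructed for illustration, and the -1 return stands in for an NTSTATUS failure.

```c
#include <stdio.h>
#include <string.h>

/* IoStatus.Information values reported for a target-directory open (wdm.h). */
#define FILE_EXISTS         0x00000004
#define FILE_DOES_NOT_EXIST 0x00000005

struct target_open {
    char parent[260];          /* directory the returned file object refers to */
    char final_name[260];      /* rename target, kept for the later set-information */
    unsigned long information;
};

/* Constructed stand-in for the volume's on-disk lookup. */
static const char *existing[] = { "\\", "\\src", "\\src\\a.txt" };

static int path_exists(const char *p)
{
    for (size_t i = 0; i < sizeof existing / sizeof existing[0]; i++)
        if (strcmp(existing[i], p) == 0) return 1;
    return 0;
}

/* related: path of RelatedFileObject's directory, or NULL for an absolute name.
 * Returns 0 on success, -1 when the parent itself is missing (a real file
 * system would typically fail with STATUS_OBJECT_PATH_NOT_FOUND there). */
int open_target_directory(const char *related, const char *name,
                          struct target_open *out)
{
    char full[520];
    if (related != NULL && name[0] != '\\')
        snprintf(full, sizeof full, "%s%s%s", related,
                 strcmp(related, "\\") == 0 ? "" : "\\", name);
    else
        snprintf(full, sizeof full, "%s", name);

    char *sep = strrchr(full, '\\');
    if (sep == NULL || sep[1] == '\0') return -1;   /* no final component */

    out->information = path_exists(full) ? FILE_EXISTS : FILE_DOES_NOT_EXIST;
    snprintf(out->final_name, sizeof out->final_name, "%s", sep + 1);
    if (sep == full) sep[1] = '\0'; else *sep = '\0'; /* cut back to the parent */
    if (!path_exists(full)) return -1;
    snprintf(out->parent, sizeof out->parent, "%s", full);
    return 0;
}
```

A missing final component is not an error here: the create succeeds on the parent and only the information value changes.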
