How to block file creation in FILE_DEVICE_NETWORK_FILE_SYSTEM

I have created a file system minifilter to block file creation on a network file system,
but creating a file on the network file system causes a BSOD.

The following block of code in MiniPrecreate is used to block the file operation:

    status = FltGetDiskDeviceObject(FltObjects->Volume, &Pdo);
    if (Pdo->DeviceType != FILE_DEVICE_NETWORK_FILE_SYSTEM)
    {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        FltReleaseFileNameInformation(FileNameInfos);
        return FLT_PREOP_COMPLETE;
    }

How can I block network file system file operations?

Shouldn’t you check the status variable before using Pdo?
As far as I can recall, a network file system doesn’t have a disk.
The bug check code would also be helpful.

In addition to the below comments:

  • Set an InstanceSetup callback for mounted volumes.
  • In this callback if the file system type is one you are interested in then allocate a volume context and set it accordingly.
  • In your precreate callback, if you successfully retrieve a volume context then you know it’s one you are interested in so fail the request.

I am guessing you don’t want to fail ALL requests to the network, just creates? So check for the appropriate values in the create parameters, etc.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

You need to check that the Pdo variable is not somehow NULL and that Status is NT_SUCCESS.
Better, try FltGetVolumeFromFileObject followed by FltGetVolumeProperties.
From the _FLT_VOLUME_PROPERTIES structure you can deduce where you are.

But the BEST way to achieve this is to simply register for an InstanceSetup callback and only attach to network file systems.
The InstanceSetup callback conveniently has the parameters “_In_ FLT_FILESYSTEM_TYPE VolumeFilesystemType” and “_In_ DEVICE_TYPE VolumeDeviceType”, which you can use to decide whether you want to attach or not.
If you only attach to FILE_DEVICE_NETWORK_FILE_SYSTEM or FILE_DEVICE_NETWORK_REDIRECTOR VolumeDeviceTypes, for example, you have attached only to network file systems. Therefore you know that in your Create callbacks you always have a create which goes to the network, and then you just decide what to do with it.

Thank you all.
I registered an InstanceSetup callback and added a condition to attach to network volumes only.

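    NTSTATUS PfltInstanceSetupCallback(PCFLT_RELATED_OBJECTS FltObjects,
                                       FLT_INSTANCE_SETUP_FLAGS Flags,
                                       DEVICE_TYPE VolumeDeviceType,
                                       FLT_FILESYSTEM_TYPE VolumeFilesystemType)
    {
        /* Default to not attaching so Status is never returned uninitialized
           for device types other than the two tested below. */
        NTSTATUS Status = STATUS_FLT_DO_NOT_ATTACH;

        UNREFERENCED_PARAMETER(FltObjects);
        UNREFERENCED_PARAMETER(Flags);
        UNREFERENCED_PARAMETER(VolumeFilesystemType);

        /* Attach only to network file system volumes. */
        if (VolumeDeviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM)
        {
            Status = STATUS_SUCCESS;
        }
        /* Never attach to local disk file systems. */
        if (VolumeDeviceType == FILE_DEVICE_DISK_FILE_SYSTEM)
        {
            Status = STATUS_FLT_DO_NOT_ATTACH;
        }

        return Status;
    }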

thank you all :smile:

I have one more question.
I need to block file creation, file deletion and file modification on the network file system.
I can block file creation and deletion by filtering IRP_MJ_SET_INFORMATION and IRP_MJ_CREATE, but I also need to block file modification.
I tried blocking all IRP_MJ_WRITE requests, but that also blocks access to the drive.
How do I find the IRP_MJ_WRITE requests that modify a file?
Please help.

Blocking Write should not do anything other than stop files from being written, which is what you want. If you are specifically concerned about files, check the file object to make sure it is a file, not a directory. If everything is being blocked, it is undoubtedly your IRP_MJ_CREATE blocking doing that. IRP_MJ_CREATE is difficult to filter, because lazy or generalized code opens files with permissions it doesn’t need.

I would only check for specific actions such as create options FILE_DELETE_ON_CLOSE, or create disposition FILE_OVERWRITE or FILE_OVERWRITE_IF. Alternatively, you could change the desired access and create disposition to not include items you don’t want, such as write access, and then let the create fail on them. I chose not to do that because as I said, filtering IRP_MJ_CREATE, when you don’t really know what you have, is difficult.

There are many ways to modify a file besides writing to it or truncating it on open. For example: IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION with PageProtection of one of the PAGE_WRITE values, IRP_MJ_SET_INFORMATION setting File Disposition Info to delete, renaming, or changing the end of file, etc. (but not all IRP_MJ_SET_INFORMATION!).
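The create-option and create-disposition checks suggested in the replies above, as an added example that is not code from the thread. The decision logic is lifted into plain C so it compiles outside the kernel; the constants carry the values the WDK headers define, the verdict enum and function names are hypothetical, and in a pre-create callback the packed value would come from `Data->Iopb->Parameters.Create.Options`. It goes slightly beyond the replies by also classifying FILE_SUPERSEDE, FILE_CREATE and FILE_OPEN_IF.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the WDK headers. */
#define FILE_SUPERSEDE       0x00000000u
#define FILE_OPEN            0x00000001u
#define FILE_CREATE          0x00000002u
#define FILE_OPEN_IF         0x00000003u
#define FILE_OVERWRITE       0x00000004u
#define FILE_OVERWRITE_IF    0x00000005u
#define FILE_DELETE_ON_CLOSE 0x00001000u

/* Hypothetical verdicts for this example. */
enum create_verdict { ALLOW, DENY_REPLACES_DATA, DENY_MAY_CREATE, DENY_DELETE_ON_CLOSE };

/* Build the packed value a filter sees in Parameters.Create.Options:
 * disposition in the high 8 bits, create options in the low 24. */
static uint32_t pack_options(uint32_t disposition, uint32_t create_options)
{
    return (disposition << 24) | (create_options & 0x00FFFFFFu);
}

/* Decide from the packed Options value whether the open modifies anything. */
static enum create_verdict classify_create(uint32_t options)
{
    uint32_t disposition    = (options >> 24) & 0xFFu;
    uint32_t create_options = options & 0x00FFFFFFu;
    if (create_options & FILE_DELETE_ON_CLOSE)
        return DENY_DELETE_ON_CLOSE;
    switch (disposition) {
    case FILE_SUPERSEDE:
    case FILE_OVERWRITE:
    case FILE_OVERWRITE_IF:
        return DENY_REPLACES_DATA;   /* existing contents are discarded */
    case FILE_CREATE:
    case FILE_OPEN_IF:
        return DENY_MAY_CREATE;      /* a new file can come into existence */
    default:
        return ALLOW;                /* FILE_OPEN: plain open of an existing file */
    }
}

int main(void)
{
    /* Constructed samples, not captured from a real system. */
    printf("open existing      -> %d\n", (int)classify_create(pack_options(FILE_OPEN, 0)));
    printf("overwrite_if       -> %d\n", (int)classify_create(pack_options(FILE_OVERWRITE_IF, 0)));
    printf("open + delete flag -> %d\n", (int)classify_create(pack_options(FILE_OPEN, FILE_DELETE_ON_CLOSE)));
    return 0;
}
```

Because only FILE_OPEN without FILE_DELETE_ON_CLOSE is allowed, directory browsing and read-only opens pass through, which avoids the "drive access is blocked" symptom of denying every create.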