Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

SMB2 file creates bypassing filtering

Jason_T.Jason_T. Member Posts: 63

Hi All,

I'm trying to track down a bizarre (to me at least) issue here. I have a Server 2016 machine, call it \server, and a win 10 client machine, call it \client. On \client I am creating a file and writing to it using the path \server\c$\test\test.dat. I am running procmon on \server and it sees nothing other than a subsequent AV scan of test.dat by msmpeng.exe. No other create, write, or any other occurences of test.dat in any activity from any process.

Running wireshark on \server I see some SMB2 activity where there is a FSCTL_QUERY_NETWORK_INTERFACE_INFO followed by a create file request (on test.dat), followed by multiple FILE_INFO/SMB2_FILE_ALLOCATION_INFO requests.

I got here initially trying to figure out why my minifilter (running on \server) wasn't seeing any activity, whether UNC name based or drive-letter name based, for these files getting created on \server. It was as if they were appearing without ever having been created/written. Running procmon showed the same thing that my filter was seeing, perhaps not surprisingly. So my question is how are we supposed to handle filtering this method of file creation? And is this type of SMB2 file create documented somewhere as a new addition to recent Win server versions or has this been present all along and I somehow just never came across it?

-JT

Comments

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,345

    You be better asking this in the NTFSD forum, where the cool file system kids hang out...

    I'll move it for you.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Jason_T.Jason_T. Member Posts: 63

    Thanks, Peter! I knew that, of course, but my actions would suggest otherwise :)

  • Jason_T.Jason_T. Member Posts: 63

    False alarm. Feel free to delete or leave behind so others can benefit from my snafu. Procmon was filtering out any system activity which is what the srv operations were coming in as. With that filter turned off I can see the local file activity on the C:\ pathnames as expected. Sorry for the noise!

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA