What is Microsoft Office Isolated Conversion Environment?

MIGMIG Member Posts: 2

Hi,

My filter driver gets its reparse requests ignored when it is reparsing files in paths like this one
C:...\AppData\Local\Packages\oice_16_974fa576_32c1d314_xxx...

Searching around, I find references to some tech called 'Microsoft Office Isolated Conversion Environment' which appears to be some kind of sandboxing mechanism (although details are hard to find). My guess is that Win10 might be refusing to reparse access to here for security reasons.

Does anyone know if I am on the right lines here? If so, is there any way I can escalate privilege or something to allow a reparse to happen?
Thanks

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,302

    I have never heard of that. This doesn't make it sound like anything that special though:

    https://blogs.technet.microsoft.com/robert_hensing/2007/05/22/moice-microsoft-office-isolated-conversion-environment/

    What do you mean that your reparse requests are ignored?

    -scott
    OSR

  • MIGMIG Member Posts: 2

    Thanks Scott,
    Yes I saw this link, that and a couple of others are the basis for my assumptions (and my catchy thread title).
    Not sure what is described here is quite the same as what I see in Office 2016 though. I figured they might have kept the tech but somehow built it directly into Office.
    If I procmon an Excel file open from a network share, I see a copy of the Excel file created in this location (possibly for the file preview before enabling edit).
    If I ask my filter driver to encrypt all Excel files, the Excel thread creating this file will successfully trigger a reparse in my driver and create this file encrypted.
    A second Excel thread tries to open this file milliseconds later, this again triggers a reparse in my driver but the new CreateFile never appears (or perhaps gets consumed higher in the stack, but bizarrely it doesn't appear in procmon either).

    I only see this issue with Win10 (Win7 is fine with the same Office version) and only when accessing network files.

  • Scott_Noone_(OSR) Administrator Posts: 3,302

    Do you reparse to another location on the local drive or on the network share? When you reparse an open to an alternate path it should be the I/O Manager that retries the create with the new path, so it's odd that you're not seeing another open.

    I'd put a breakpoint on the second reparse and then trace the response to the application. If you do a .reload when you hit the breakpoint you should see the call stack go back to user mode, at which point you can put a breakpoint after the Office call to CreateFile. It would be interesting to know what the application is getting back in this case.

    -scott
    OSR
