status_reparse failed/lost in Windows 10, 2004

I have a legacy upper disk filter driver. The driver exposes a virtual device, and certain file folder(s) are redirected/reparsed to it. Let me call such a folder the “reparse folder”. The mechanism has been working well until Windows 10, x64, 2004 (it works for Windows 10, 19xx). When an application writes to the “reparse folder”, it now requires “administrator” privilege.

  1. If an application without administrator privilege tries to write to a file in the “reparse folder”, the application receives the error “access denied”.
  2. Using WinDbg, after the driver returns STATUS_REPARSE, I do not know who actually returns the “access denied”.
  3. Using procmon (c:\temp1 is the folder the driver reparses; ConsoleApplication2 only calls CreateFile/WriteFile/CloseFile), I get

“9:13:01.4551145 PM”,“ConsoleApplication2.exe”,“7808”,“CreateFile”,“C:\temp1\abcna.txt”,“REPARSE”,“Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: ”
“9:13:01.4575022 PM”,“MsMpEng.exe”,“2588”,“CreateFile”,“C:\Windows\System32\rpcrt4.dll”,“SUCCESS”,“Desired Access: Read Attributes, Disposition: Open, Options: Non-Directory File, Open For Backup, Open Reparse Point, Open Requiring Oplock, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
“9:13:01.4577155 PM”,“MsMpEng.exe”,“2588”,“FileSystemControl”,“C:\Windows\System32\rpcrt4.dll”,“OPLOCK HANDLE CLOSED”,“Control: FSCTL_REQUEST_OPLOCK”
“9:13:01.4577607 PM”,“MsMpEng.exe”,“2588”,“FileSystemControl”,“C:\Windows\System32\rpcrt4.dll”,“SUCCESS”,“Control: 0x902eb (Device:0x9 Function:186 Method: 3)”
“9:13:01.4577939 PM”,“MsMpEng.exe”,“2588”,“CloseFile”,“C:\Windows\System32\rpcrt4.dll”,“SUCCESS”,“”
“9:13:01.4579974 PM”,“MsMpEng.exe”,“2588”,“CreateFile”,“C:\Windows\System32\cryptbase.dll”,“SUCCESS”,“Desired Access: Read Attributes, Disposition: Open, Options: Non-Directory File, Open For Backup, Open Reparse Point, Open Requiring Oplock, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
“9:13:01.4583475 PM”,“MsMpEng.exe”,“2588”,“FileSystemControl”,“C:\Windows\System32\cryptbase.dll”,“OPLOCK HANDLE CLOSED”,“Control: FSCTL_REQUEST_OPLOCK”
“9:13:01.4583748 PM”,“MsMpEng.exe”,“2588”,“CreateFile”,“C:\Windows\System32\rpcrt4.dll”,“SUCCESS”,“Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open For Backup, Open No Recall, Disallow Exclusive, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
“9:13:01.4583855 PM”,“MsMpEng.exe”,“2588”,“FileSystemControl”,“C:\Windows\System32\cryptbase.dll”,“SUCCESS”,“Control: 0x902eb (Device:0x9 Function:186 Method: 3)”

“9:13:01.4616452 PM”,“MsMpEng.exe”,“2588”,“QueryInformationVolume”,“C:\Windows\System32\advapi32.dll”,“BUFFER OVERFLOW”,“VolumeCreationTime: 7/22/2020 8:19:37 PM, VolumeSerialNumber: 84F4-4ACC, SupportsObjects: True, VolumeLabel: New־”
“9:13:01.4616732 PM”,“MsMpEng.exe”,“2588”,“QueryAllInformationFile”,“C:\Windows\System32\advapi32.dll”,“BUFFER OVERFLOW”,“CreationTime: 12/7/2019 5:08:13 AM, LastAccessTime: 8/31/2020 9:12:38 PM, LastWriteTime: 12/7/2019 5:08:13 AM, ChangeTime: 8/16/2020 11:52:12 AM, FileAttributes: A, AllocationSize: 688,128, EndOfFile: 685,376, NumberOfLinks: 2, DeletePending: False, Directory: False, IndexNumber: 0x100000004b1ba, EaSize: 264, Access: Read Attributes, Synchronize, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word”
“9:13:01.4617049 PM”,“MsMpEng.exe”,“2588”,“QueryInformationVolume”,“C:\Windows\System32\advapi32.dll”,“BUFFER OVERFLOW”,“VolumeCreationTime: 7/22/2020 8:19:37 PM, VolumeSerialNumber: 84F4-4ACC, SupportsObjects: True, VolumeLabel: New־”
“9:13:01.4617276 PM”,“MsMpEng.exe”,“2588”,“QueryAllInformationFile”,“C:\Windows\System32\advapi32.dll”,“BUFFER OVERFLOW”,“CreationTime: 12/7/2019 5:08:13 AM, LastAccessTime: 8/31/2020 9:12:38 PM, LastWriteTime: 12/7/2019 5:08:13 AM, ChangeTime: 8/16/2020 11:52:12 AM, FileAttributes: A, AllocationSize: 688,128, EndOfFile: 685,376, NumberOfLinks: 2, DeletePending: False, Directory: False, IndexNumber: 0x100000004b1ba, EaSize: 264, Access: Read Attributes, Synchronize, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word”
“9:13:01.4617576 PM”,“MsMpEng.exe”,“2588”,“FileSystemControl”,“C:\Windows\System32\advapi32.dll”,“SUCCESS”,“Control: FSCTL_READ_FILE_USN_DATA”
“9:13:01.4617875 PM”,“MsMpEng.exe”,“2588”,“QueryIdInformation”,“C:\Windows\System32\advapi32.dll”,“SUCCESS”,“”
“9:13:01.4618332 PM”,“MsMpEng.exe”,“2588”,“CloseFile”,“C:\Windows\System32\advapi32.dll”,“SUCCESS”,“”

“9:13:01.4647890 PM”,“ConsoleApplication2.exe”,“7808”,“CreateFile”,“C:\Windows\System32\kernel.appcore.dll”,“SUCCESS”,“Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened”
“9:13:01.4649392 PM”,“ConsoleApplication2.exe”,“7808”,“QueryBasicInformationFile”,“C:\Windows\System32\kernel.appcore.dll”,“SUCCESS”,“CreationTime: 12/7/2019 5:08:33 AM, LastAccessTime: 8/31/2020 9:12:37 PM, LastWriteTime: 12/7/2019 5:08:33 AM, ChangeTime: 8/16/2020 11:52:13 AM, FileAttributes: A”
“9:13:01.4649660 PM”,“ConsoleApplication2.exe”,“7808”,“CloseFile”,“C:\Windows\System32\kernel.appcore.dll”,“SUCCESS”,“”
“9:13:01.4651000 PM”,“ConsoleApplication2.exe”,“7808”,“CreateFile”,“C:\Windows\System32\kernel.appcore.dll”,“SUCCESS”,“Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened”
“9:13:01.4652787 PM”,“ConsoleApplication2.exe”,“7808”,“CreateFileMapping”,“C:\Windows\System32\kernel.appcore.dll”,“FILE LOCKED WITH ONLY READERS”,“SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE”
“9:13:01.4655366 PM”,“ConsoleApplication2.exe”,“7808”,“CreateFileMapping”,“C:\Windows\System32\kernel.appcore.dll”,“SUCCESS”,“SyncType: SyncTypeOther”
“9:13:01.4656555 PM”,“MsMpEng.exe”,“2588”,“CloseFile”,“C:\Windows\System32\sechost.dll”,“SUCCESS”,“”
“9:13:01.4660026 PM”,“ConsoleApplication2.exe”,“7808”,“CloseFile”,“C:\Windows\System32\kernel.appcore.dll”,“SUCCESS”,“”
“9:13:01.4725300 PM”,“ConsoleApplication2.exe”,“7808”,“CloseFile”,“C:\temp”,“SUCCESS”,“”

Note that “…” denotes activities by “MsMpEng.exe”.

I would appreciate some pointers here. How can I find which component returns the “access denied”? For example, using WinDbg I can break at IRP_MJ_CREATE. However, after the driver returns STATUS_REPARSE, I somehow lose control of the IRP.

Thanks in advance for your help.

Xinren

I’m confused as I do not see an access denied in your ProcMon output…

You can try the NTFS status debugging trick to see if the failure is coming from NTFS.

Thanks for the information, and I will try the “NTFS status debugging trick to see if the failure is coming from NTFS”.

The application, ConsoleApplication2.exe, receives “access denied”. In the driver,

pIrp->IoStatus.Status = Status = STATUS_REPARSE;           // ask the I/O manager to retry the create with a new name
pIrp->IoStatus.Information = IO_REPARSE_TAG_MOUNT_POINT;   // AuxiliaryBuffer holds a mount-point REPARSE_DATA_BUFFER
pIrp->Tail.Overlay.AuxiliaryBuffer = (PCHAR)pRepBuf;       // substitute name the create is reissued against
return Status;

I am confused too about the “access denied” received by the application. In Windows 10, x64, 1903, where it works, using procmon, I get

“8:49:35.6756203 PM”,“ConsoleApplication2.exe”,“5012”,“CreateFile”,“C:\temp1\abcn.txt”,“REPARSE”,“Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: ”
“8:49:35.6757812 PM”,“ConsoleApplication2.exe”,“5012”,“ReadFile”,“\Device\ctsvC$Directory”,“SUCCESS”,“Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal”
“8:49:35.6761360 PM”,“ConsoleApplication2.exe”,“5012”,“CreateFile”,“\Device\ctsvC\temp1\abcn.txt”,“SUCCESS”,“Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created”
“8:49:35.6763313 PM”,“ConsoleApplication2.exe”,“5012”,“ReadFile”,“\Device\ctsvC$Secure:$SDH:$INDEX_ALLOCATION”,“SUCCESS”,“Offset: 49,152, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal”
“8:49:35.6765533 PM”,“ConsoleApplication2.exe”,“5012”,“ReadFile”,“\Device\ctsvC$Secure:$SDH:$INDEX_ALLOCATION”,“SUCCESS”,“Offset: 53,248, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal”
“8:49:35.6775142 PM”,“ConsoleApplication2.exe”,“5012”,“WriteFile”,“\Device\ctsvC\temp1\abcn.txt”,“SUCCESS”,“Offset: 0, Length: 44, Priority: Normal”
“8:49:35.6796552 PM”,“ConsoleApplication2.exe”,“5012”,“CloseFile”,“\Device\ctsvC\temp1\abcn.txt”,“SUCCESS”,“”
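As an added example (not code from the thread or from the driver being discussed): a user-mode C sketch of the REPARSE_DATA_BUFFER layout that pRepBuf has to carry when IoStatus.Information is IO_REPARSE_TAG_MOUNT_POINT, together with a validator for its length and offset fields. The struct is a local mirror using fixed-width types so it compiles without the WDK; the substitute name reuses the \Device\ctsvC\temp1\abcn.txt target visible in the 1903 trace, and the validator is a sanity check of my own, not a description of what the I/O manager does with the buffer.

```c
#include <stdint.h>
#include <string.h>

#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003u
#define REPARSE_HDR_LEN       8u   /* ReparseTag + ReparseDataLength + Reserved */
#define MOUNT_POINT_FIXED_LEN 8u   /* the four USHORT offset/length fields */

typedef struct {                 /* local mirror of REPARSE_DATA_BUFFER.MountPointReparseBuffer */
    uint32_t ReparseTag;
    uint16_t ReparseDataLength, Reserved;                /* length counts bytes after this 8-byte header */
    uint16_t SubstituteNameOffset, SubstituteNameLength; /* byte offset/count in PathBuffer, NUL excluded */
    uint16_t PrintNameOffset, PrintNameLength;
    uint16_t PathBuffer[1];                              /* UTF-16LE: substitute, NUL, print name, NUL */
} MountPointReparse;
static size_t put_utf16(uint16_t *d, const char *s) {   /* widen ASCII to UTF-16LE, return chars written */
    size_t n = 0;
    for (; s[n]; n++) d[n] = (uint16_t)(unsigned char)s[n];
    d[n] = 0; return n;
}
/* Fill out (4-byte aligned, cap bytes) with a mount-point reparse buffer; returns total bytes or 0. */
size_t build_mount_point(uint8_t *out, size_t cap, const char *sub, const char *print) {
    size_t sub_len = strlen(sub) * 2, print_len = strlen(print) * 2;
    size_t data_len = MOUNT_POINT_FIXED_LEN + sub_len + 2 + print_len + 2;
    size_t total = REPARSE_HDR_LEN + data_len;
    if (total > cap || data_len > 0xFFFF) return 0;
    MountPointReparse *r = (MountPointReparse *)out;
    memset(out, 0, total);
    r->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
    r->ReparseDataLength = (uint16_t)data_len;
    r->SubstituteNameOffset = 0;                  r->SubstituteNameLength = (uint16_t)sub_len;
    r->PrintNameOffset = (uint16_t)(sub_len + 2); r->PrintNameLength = (uint16_t)print_len;
    size_t n = put_utf16(r->PathBuffer, sub);
    put_utf16(r->PathBuffer + n + 1, print); /* print name starts right after the substitute name's NUL */
    return total;
}

/* Sanity-check len bytes: tag, ReparseDataLength, even sizes, names in bounds, both NULs present. */
int validate_mount_point(const uint8_t *buf, size_t len) {
    uint32_t tag; uint16_t dlen, so, sl, po, pl;
    if (len < REPARSE_HDR_LEN + MOUNT_POINT_FIXED_LEN) return 0;
    memcpy(&tag, buf, 4); memcpy(&dlen, buf + 4, 2); memcpy(&so, buf + 8, 2);
    memcpy(&sl, buf + 10, 2); memcpy(&po, buf + 12, 2); memcpy(&pl, buf + 14, 2);
    if (tag != IO_REPARSE_TAG_MOUNT_POINT || (size_t)dlen + REPARSE_HDR_LEN != len) return 0;
    size_t path_bytes = dlen - MOUNT_POINT_FIXED_LEN;        /* bytes available in PathBuffer */
    if ((so | sl | po | pl) & 1) return 0;
    if ((size_t)so + sl + 2 > path_bytes || (size_t)po + pl + 2 > path_bytes) return 0;
    const uint8_t *pb = buf + REPARSE_HDR_LEN + MOUNT_POINT_FIXED_LEN;
    return !(pb[so + sl] | pb[so + sl + 1] | pb[po + pl] | pb[po + pl + 1]);
}
```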