
status_reparse failed/lost in Windows 10, 2004

xinren Member Posts: 26

I have a legacy upper disk filter driver. In the driver, it has a virtual device, and certain file folder(s) will be redirected/reparsed. Let me call the folder the "reparse folder". The mechanism had been working well until Windows 10, x64, 2004 (it works for Windows 10, 19xx). When an application is writing to the "reparse folder", it now requires "administrator" privilege.

  1. If an application without administrator privilege tries to write to a file in the "reparse folder", the application receives the error "access denied".
  2. Using WinDbg, after the driver returns STATUS_REPARSE, I do not know who actually returns the "access denied".
  3. Using procmon (c:\temp1 is the folder to reparse in the driver; ConsoleApplication2 only calls CreateFile/WriteFile/CloseFile), I get

"9:13:01.4551145 PM","ConsoleApplication2.exe","7808","CreateFile","C:\temp1\abcna.txt","REPARSE","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: "
"9:13:01.4575022 PM","MsMpEng.exe","2588","CreateFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Non-Directory File, Open For Backup, Open Reparse Point, Open Requiring Oplock, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"9:13:01.4577155 PM","MsMpEng.exe","2588","FileSystemControl","C:\Windows\System32\rpcrt4.dll","OPLOCK HANDLE CLOSED","Control: FSCTL_REQUEST_OPLOCK"
"9:13:01.4577607 PM","MsMpEng.exe","2588","FileSystemControl","C:\Windows\System32\rpcrt4.dll","SUCCESS","Control: 0x902eb (Device:0x9 Function:186 Method: 3)"
"9:13:01.4577939 PM","MsMpEng.exe","2588","CloseFile","C:\Windows\System32\rpcrt4.dll","SUCCESS",""
"9:13:01.4579974 PM","MsMpEng.exe","2588","CreateFile","C:\Windows\System32\cryptbase.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Non-Directory File, Open For Backup, Open Reparse Point, Open Requiring Oplock, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"9:13:01.4583475 PM","MsMpEng.exe","2588","FileSystemControl","C:\Windows\System32\cryptbase.dll","OPLOCK HANDLE CLOSED","Control: FSCTL_REQUEST_OPLOCK"
"9:13:01.4583748 PM","MsMpEng.exe","2588","CreateFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open For Backup, Open No Recall, Disallow Exclusive, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"9:13:01.4583855 PM","MsMpEng.exe","2588","FileSystemControl","C:\Windows\System32\cryptbase.dll","SUCCESS","Control: 0x902eb (Device:0x9 Function:186 Method: 3)"
...............
"9:13:01.4616452 PM","MsMpEng.exe","2588","QueryInformationVolume","C:\Windows\System32\advapi32.dll","BUFFER OVERFLOW","VolumeCreationTime: 7/22/2020 8:19:37 PM, VolumeSerialNumber: 84F4-4ACC, SupportsObjects: True, VolumeLabel: New־"
"9:13:01.4616732 PM","MsMpEng.exe","2588","QueryAllInformationFile","C:\Windows\System32\advapi32.dll","BUFFER OVERFLOW","CreationTime: 12/7/2019 5:08:13 AM, LastAccessTime: 8/31/2020 9:12:38 PM, LastWriteTime: 12/7/2019 5:08:13 AM, ChangeTime: 8/16/2020 11:52:12 AM, FileAttributes: A, AllocationSize: 688,128, EndOfFile: 685,376, NumberOfLinks: 2, DeletePending: False, Directory: False, IndexNumber: 0x100000004b1ba, EaSize: 264, Access: Read Attributes, Synchronize, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word"
"9:13:01.4617049 PM","MsMpEng.exe","2588","QueryInformationVolume","C:\Windows\System32\advapi32.dll","BUFFER OVERFLOW","VolumeCreationTime: 7/22/2020 8:19:37 PM, VolumeSerialNumber: 84F4-4ACC, SupportsObjects: True, VolumeLabel: New־"
"9:13:01.4617276 PM","MsMpEng.exe","2588","QueryAllInformationFile","C:\Windows\System32\advapi32.dll","BUFFER OVERFLOW","CreationTime: 12/7/2019 5:08:13 AM, LastAccessTime: 8/31/2020 9:12:38 PM, LastWriteTime: 12/7/2019 5:08:13 AM, ChangeTime: 8/16/2020 11:52:12 AM, FileAttributes: A, AllocationSize: 688,128, EndOfFile: 685,376, NumberOfLinks: 2, DeletePending: False, Directory: False, IndexNumber: 0x100000004b1ba, EaSize: 264, Access: Read Attributes, Synchronize, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word"
"9:13:01.4617576 PM","MsMpEng.exe","2588","FileSystemControl","C:\Windows\System32\advapi32.dll","SUCCESS","Control: FSCTL_READ_FILE_USN_DATA"
"9:13:01.4617875 PM","MsMpEng.exe","2588","QueryIdInformation","C:\Windows\System32\advapi32.dll","SUCCESS",""
"9:13:01.4618332 PM","MsMpEng.exe","2588","CloseFile","C:\Windows\System32\advapi32.dll","SUCCESS",""
..............
"9:13:01.4647890 PM","ConsoleApplication2.exe","7808","CreateFile","C:\Windows\System32\kernel.appcore.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"9:13:01.4649392 PM","ConsoleApplication2.exe","7808","QueryBasicInformationFile","C:\Windows\System32\kernel.appcore.dll","SUCCESS","CreationTime: 12/7/2019 5:08:33 AM, LastAccessTime: 8/31/2020 9:12:37 PM, LastWriteTime: 12/7/2019 5:08:33 AM, ChangeTime: 8/16/2020 11:52:13 AM, FileAttributes: A"
"9:13:01.4649660 PM","ConsoleApplication2.exe","7808","CloseFile","C:\Windows\System32\kernel.appcore.dll","SUCCESS",""
"9:13:01.4651000 PM","ConsoleApplication2.exe","7808","CreateFile","C:\Windows\System32\kernel.appcore.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"9:13:01.4652787 PM","ConsoleApplication2.exe","7808","CreateFileMapping","C:\Windows\System32\kernel.appcore.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE_WRITECOPY|PAGE_NOCACHE"
"9:13:01.4655366 PM","ConsoleApplication2.exe","7808","CreateFileMapping","C:\Windows\System32\kernel.appcore.dll","SUCCESS","SyncType: SyncTypeOther"
"9:13:01.4656555 PM","MsMpEng.exe","2588","CloseFile","C:\Windows\System32\sechost.dll","SUCCESS",""
"9:13:01.4660026 PM","ConsoleApplication2.exe","7808","CloseFile","C:\Windows\System32\kernel.appcore.dll","SUCCESS",""
"9:13:01.4725300 PM","ConsoleApplication2.exe","7808","CloseFile","C:\temp","SUCCESS",""

Note that "......." stands for activities by "MsMpEng.exe".

I would appreciate some pointers here. How can I find which component returns the "access denied"? For example, using WinDbg, I can break at IRP_MJ_CREATE. However, after the driver returns STATUS_REPARSE, I somehow lose control of the IRP.

Thanks in advance for your help.

Xinren

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,356

    I'm confused as I do not see an access denied in your ProcMon output...

    You can try the NTFS status debugging trick to see if the failure is coming from NTFS.

    -scott
    OSR

  • xinren Member Posts: 26

    Thanks for the information; I will try the "NTFS status debugging trick to see if the failure is coming from NTFS".

    The application, ConsoleApplication2.exe, receives "access denied". In the driver,

    // Complete the create with STATUS_REPARSE; the I/O manager then re-issues
    // the open against the substitute name carried in the reparse buffer.
    pIrp->IoStatus.Status = Status = STATUS_REPARSE;
    pIrp->IoStatus.Information = IO_REPARSE_TAG_MOUNT_POINT;  // tag tells the I/O manager how to read AuxiliaryBuffer
    pIrp->Tail.Overlay.AuxiliaryBuffer = (PCHAR)pRepBuf;      // REPARSE_DATA_BUFFER with the target path
    return Status;

    I am confused too about the "access denied" received by the application. In Windows 10, x64, 1903, where it works, using procmon, I get

    "8:49:35.6756203 PM","ConsoleApplication2.exe","5012","CreateFile","C:\temp1\abcn.txt","REPARSE","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: "
    "8:49:35.6757812 PM","ConsoleApplication2.exe","5012","ReadFile","\Device\ctsvC\$Directory","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
    "8:49:35.6761360 PM","ConsoleApplication2.exe","5012","CreateFile","\Device\ctsvC\temp1\abcn.txt","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
    "8:49:35.6763313 PM","ConsoleApplication2.exe","5012","ReadFile","\Device\ctsvC\$Secure:$SDH:$INDEX_ALLOCATION","SUCCESS","Offset: 49,152, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
    "8:49:35.6765533 PM","ConsoleApplication2.exe","5012","ReadFile","\Device\ctsvC\$Secure:$SDH:$INDEX_ALLOCATION","SUCCESS","Offset: 53,248, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
    "8:49:35.6775142 PM","ConsoleApplication2.exe","5012","WriteFile","\Device\ctsvC\temp1\abcn.txt","SUCCESS","Offset: 0, Length: 44, Priority: Normal"
    "8:49:35.6796552 PM","ConsoleApplication2.exe","5012","CloseFile","\Device\ctsvC\temp1\abcn.txt","SUCCESS",""
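Added example, not from the thread or the poster's driver: a small Python pass over a ProcMon CSV export that pairs each CreateFile returning REPARSE with the same PID's next CreateFile, so the 2004 and 1903 traces above can be compared mechanically. The log excerpts are constructed from the posted output (shortened to a few columns), and the redirect device name \Device\ctsvC is taken from the 1903 trace.

```python
"""Pair each ProcMon CreateFile that returned REPARSE with the follow-up
CreateFile the same PID issues, to see where the redirect chain breaks."""
import csv
import io

# Constructed excerpts in ProcMon CSV export order:
# Time, Process, PID, Operation, Path, Result, Detail.
LOG_2004 = r'''"9:13:01.4551145 PM","ConsoleApplication2.exe","7808","CreateFile","C:\temp1\abcna.txt","REPARSE","Desired Access: Generic Write"
"9:13:01.4575022 PM","MsMpEng.exe","2588","CreateFile","C:\Windows\System32\rpcrt4.dll","SUCCESS","Desired Access: Read Attributes"
"9:13:01.4647890 PM","ConsoleApplication2.exe","7808","CreateFile","C:\Windows\System32\kernel.appcore.dll","SUCCESS","Desired Access: Read Attributes"
"9:13:01.4725300 PM","ConsoleApplication2.exe","7808","CloseFile","C:\temp","SUCCESS",""
'''
LOG_1903 = r'''"8:49:35.6756203 PM","ConsoleApplication2.exe","5012","CreateFile","C:\temp1\abcn.txt","REPARSE","Desired Access: Generic Write"
"8:49:35.6757812 PM","ConsoleApplication2.exe","5012","ReadFile","\Device\ctsvC\$Directory","SUCCESS","Offset: 0"
"8:49:35.6761360 PM","ConsoleApplication2.exe","5012","CreateFile","\Device\ctsvC\temp1\abcn.txt","SUCCESS","Desired Access: Generic Write"
"8:49:35.6775142 PM","ConsoleApplication2.exe","5012","WriteFile","\Device\ctsvC\temp1\abcn.txt","SUCCESS","Offset: 0"
'''

def parse_procmon(text):
    """Turn CSV export rows into dicts; rows with too few columns are skipped."""
    rows = []
    for r in csv.reader(io.StringIO(text)):
        if len(r) >= 6:
            rows.append({"time": r[0], "proc": r[1], "pid": r[2],
                         "op": r[3], "path": r[4], "result": r[5]})
    return rows

def trace_reparse(rows, redirect_device):
    """For each CreateFile that returned REPARSE, find the same PID's next CreateFile
    and classify it: reopen on redirect_device (with result), open elsewhere, or none."""
    findings = []
    for i, r in enumerate(rows):
        if r["op"] != "CreateFile" or r["result"] != "REPARSE":
            continue
        follow = next((s for s in rows[i + 1:]
                       if s["pid"] == r["pid"] and s["op"] == "CreateFile"), None)
        if follow is None:
            status = "no follow-up open"
        elif follow["path"].lower().startswith(redirect_device.lower()):
            status = "redirected: " + follow["result"]
        else:
            status = "no reopen on " + redirect_device + "; next open was " + follow["path"]
        findings.append((r["time"], r["path"], status))
    return findings

if __name__ == "__main__":
    for name, log in (("2004", LOG_2004), ("1903", LOG_1903)):
        for t, path, status in trace_reparse(parse_procmon(log), r"\Device\ctsvC"):
            print(name, t, path, "->", status)
```

On the 2004 excerpt the REPARSE open is never followed by an open on \Device\ctsvC, while on the 1903 excerpt it is followed by a successful one, which narrows the question to what happens between the filter's STATUS_REPARSE and the re-issued create.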
