Any benefit on attaching to FLT_FSTYPE_RAW volumes in a minifilter?

We have a minifilter that basically needs to be notified of every file access on the machine, so that it can potentially scan the files.

My question is, what type of file accesses will we miss if we don’t attach to FLT_FSTYPE_RAW? Do we really need to also attach to FLT_FSTYPE_RAW?

And what type of volumes will become FLT_FSTYPE_RAW instead of something normal like FLT_FSTYPE_NTFS?

Device Objects for disk, tape, and CD-ROM devices have a Volume Parameter Block (VPB). The first time someone tries to open one of these devices the I/O Manager checks to see if there’s currently a file system mounted over the device (VPB_MOUNTED set). If not, the I/O Manager goes through the file system recognition process.

The I/O Manager calls the file systems one by one to see if the media is formatted with their file system. If it is, they create a new device object, wire it into the VPB, and set the mounted flag. Now the I/O requests go to the top of the file system stack instead of the media device stack.

Now, what happens when no file system claims the device? Well, the I/O Manager has a “Raw File System” that claims the device if no one else does. This file system only supports device opens and not individual files.

There are primarily two cases where you see this happening:

  1. An unformatted volume
  2. Someone opening a disk device directly (e.g. \\.\PhysicalDrive0). This shows up as raw because the disk isn’t formatted with a file system. Instead, the disk has partitions, and those partitions have the file system.

Lots of minifilters ignore raw and are OK doing so.

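As an added illustration of the "lots of minifilters ignore raw" point (example code, not from this thread or from OSR), here is an InstanceSetup callback that declines FLT_FSTYPE_RAW volumes with STATUS_FLT_DO_NOT_ATTACH. Built with the WDK it uses fltKernel.h; outside the WDK a few stand-in typedefs (an assumption, mirroring the WDK names, with a placeholder status value) let the decision logic compile and be tested on a host.

```c
/* Added example: minifilter InstanceSetup that skips raw volumes.
 * Under the WDK (/kernel defines _KERNEL_MODE) the real headers are used;
 * otherwise minimal stand-ins (assumed, not the WDK definitions) are declared
 * so the attach decision can be compiled and unit-tested on a host build. */
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else
#include <stddef.h>
typedef long NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0)
#define STATUS_FLT_DO_NOT_ATTACH ((NTSTATUS)-1)   /* placeholder; the WDK defines the real value */
typedef unsigned long DEVICE_TYPE;
typedef unsigned long FLT_INSTANCE_SETUP_FLAGS;
typedef const void *PCFLT_RELATED_OBJECTS;
typedef enum _FLT_FILESYSTEM_TYPE {             /* only the first entries of the WDK enum */
    FLT_FSTYPE_UNKNOWN, FLT_FSTYPE_RAW, FLT_FSTYPE_NTFS, FLT_FSTYPE_FAT
} FLT_FILESYSTEM_TYPE;
#endif

/* Pure decision, kept apart from the callback so it can be tested directly.
 * FLT_FSTYPE_RAW means no file system claimed the media: an unformatted
 * volume, or a disk device such as \\.\PhysicalDrive0 opened directly. The
 * raw file system only services device opens, never per-file I/O, so a
 * file scanner has nothing to see on such an instance. */
int MiniScanShouldAttach(FLT_FILESYSTEM_TYPE FsType)
{
    return FsType != FLT_FSTYPE_RAW;
}

/* Registered as the InstanceSetup callback in FLT_REGISTRATION. */
NTSTATUS MiniScanInstanceSetup(
    PCFLT_RELATED_OBJECTS    FltObjects,
    FLT_INSTANCE_SETUP_FLAGS Flags,
    DEVICE_TYPE              VolumeDeviceType,
    FLT_FILESYSTEM_TYPE      VolumeFilesystemType)
{
    (void)FltObjects; (void)Flags; (void)VolumeDeviceType;

    if (!MiniScanShouldAttach(VolumeFilesystemType)) {
        /* Declining is safe for coverage: if the media is later formatted,
         * a real file system mounts over it and Filter Manager presents that
         * new volume to the filter through InstanceSetup again. */
        return STATUS_FLT_DO_NOT_ATTACH;
    }
    return STATUS_SUCCESS;
}
```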

@“Scott_Noone_(OSR)” said:
Device Objects for disk, tape, and CD-ROM devices have a Volume Parameter Block (VPB). The first time someone tries to open one of these devices the I/O Manager checks to see if there’s currently a file system mounted over the device (VPB_MOUNTED set). If not, the I/O Manager goes through the file system recognition process.

The I/O Manager calls the file systems one by one to see if the media is formatted with their file system. If it is, they create a new device object, wire it into the VPB, and set the mounted flag. Now the I/O requests go to the top of the file system stack instead of the media device stack.

Now, what happens when no file system claims the device? Well, the I/O Manager has a “Raw File System” that claims the device if no one else does. This file system only supports device opens and not individual files.

I’ve read about VPB many, many times, and it always confused me, and this is the best explanation I’ve read regarding it. So thank you, now I finally get it.


Excellent! Glad that helped.