0xc0000005 in creating an IRP

OSR_Community_User · June 22, 2003, 3:50am

Hi All,
For checking whether a file for which an IRP_MJ_CREATE Packet has come
already exists or not, I am making an IRP in the IRP_MJ_CREATE routine and
then checking the status to know whether the file already exists.
The code for IRP creation is as follows.

irp->UserEvent = &event;
irp->UserIosb = &IoStatusBlock;
irp->Tail.Overlay.Thread = PsGetCurrentThread();
irp->Tail.Overlay.OriginalFileObject = FileObject;
irp->RequestorMode = KernelMode;

KeInitializeEvent(&event, SynchronizationEvent, FALSE);
DbgPrint(“Initialized Event”);

ioStackLocation = IoGetNextIrpStackLocation(irp);
ioOriginalStackLocation = IoGetNextIrpStackLocation(Irp);
ioStackLocation->MajorFunction = IRP_MJ_CREATE;
ioStackLocation->DeviceObject = fsdDevice;
ioStackLocation->FileObject = FileObject;
DbgPrint(“Done with the first part of stack allocation”);

//Change the Parameters to check the just existence of the file
ioStackLocation->Parameters.Create.Options=FILE_NON_DIRECTORY_FILE
|(FILE_OPEN <<24) ;
DbgPrint(“Set option”);
ioStackLocation->Parameters.Create.FileAttributes=FILE_ATTRIBUTE_NORMAL;

DbgPrint(“Set Attrib”);
ioStackLocation->Parameters.Create.ShareAccess= 0x0;
DbgPrint(“ShareAccess”);

ioStackLocation->Parameters.Create.SecurityContext->DesiredAccess=FILE_READ_ATTRIBUTES;

DbgPrint(“Desired Access”);
ioStackLocation->Parameters.Create.SecurityContext->FullCreateOptions=
ioOriginalStackLocation->Parameters.Create.Options;
DbgPrint(“Done with the second part”);

IoSetCompletionRoutine(irp, MyCreateCompletion, 0, TRUE, TRUE, TRUE);
DbgPrint(“Completion routine set”);

//IoCallDriver(
((PFILESPY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedToDeviceObject,
irp );
(void)IoCallDriver(fsdDevice, irp);

DbgPrint(“Got the clue”);

KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0);
DbgPrint(“Came Back”);

if( IoStatusBlock.Information == FILE_CREATED )
DbgPrint(“Created”);
if( IoStatusBlock.Information == FILE_OPENED )
DbgPrint(“Opened”);
if( IoStatusBlock.Information == FILE_OVERWRITTEN )
DbgPrint(“Overwritten”);
if( IoStatusBlock.Information == FILE_SUPERSEDED )
DbgPrint(“Superseded”);
if( IoStatusBlock.Information == FILE_EXISTS )
DbgPrint(“Exists”);
if( IoStatusBlock.Information == FILE_DOES_NOT_EXIST )
DbgPrint(“DNE”);

Now I am getting exception 0xc0000005 in the lines.

ioStackLocation->Parameters.Create.SecurityContext->DesiredAccess=FILE_READ_ATTRIBUTES;

DbgPrint(“Desired Access”);
ioStackLocation->Parameters.Create.SecurityContext->FullCreateOptions=
ioOriginalStackLocation->Parameters.Create.Options;
DbgPrint(“Done with the second part”);

If i remove these lines, then on IoCallDriver I am getting the same
exception.
What might be the reason.

As per documentation it stands for.
//
// MessageId: STATUS_ACCESS_VIOLATION
//
// MessageText:
//
// The instruction at “0x%08lx” referenced memory at “0x%08lx”. The
memory could not be “%s”.
//
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L) //
winnt

But I am not geting clues.
Please Help

Regards
Lalit

Dan_Partelly · June 22, 2003, 7:40am

Check Iosb.Information once the original request completed, rather then
trying to roll your own create IRP, to see whatever a the file existed prior
or not. You can later cancel the create if you choose not to open the file.
Rolling a IRP_MJ_CREATE is a little challenge in itself, and its way more
complex than any other operation.

----- Original Message -----
From: “Lalit S. Rana”
To: “File Systems Developers”
Sent: Sunday, June 22, 2003 10:49 AM
Subject: [ntfsd] 0xc0000005 in creating an IRP

> Hi All,
> For checking whether a file for which an IRP_MJ_CREATE Packet has come
> already exists or not, I am making an IRP in the IRP_MJ_CREATE routine and
> then checking the status to know whether the file already exists.
> The code for IRP creation is as follows.
>
> irp->UserEvent = &event;
> irp->UserIosb = &IoStatusBlock;
> irp->Tail.Overlay.Thread = PsGetCurrentThread();
> irp->Tail.Overlay.OriginalFileObject = FileObject;
> irp->RequestorMode = KernelMode;
>
> KeInitializeEvent(&event, SynchronizationEvent, FALSE);
> DbgPrint(“Initialized Event”);
>
> ioStackLocation = IoGetNextIrpStackLocation(irp);
> ioOriginalStackLocation = IoGetNextIrpStackLocation(Irp);
> ioStackLocation->MajorFunction = IRP_MJ_CREATE;
> ioStackLocation->DeviceObject = fsdDevice;
> ioStackLocation->FileObject = FileObject;
> DbgPrint(“Done with the first part of stack allocation”);
>
> //Change the Parameters to check the just existence of the file
> ioStackLocation->Parameters.Create.Options=FILE_NON_DIRECTORY_FILE
> |(FILE_OPEN <<24) ;
> DbgPrint(“Set option”);
> ioStackLocation->Parameters.Create.FileAttributes=FILE_ATTRIBUTE_NORMAL;
>
> DbgPrint(“Set Attrib”);
> ioStackLocation->Parameters.Create.ShareAccess= 0x0;
> DbgPrint(“ShareAccess”);
>
>
ioStackLocation->Parameters.Create.SecurityContext->DesiredAccess=FILE_READ_
ATTRIBUTES;
>
> DbgPrint(“Desired Access”);
> ioStackLocation->Parameters.Create.SecurityContext->FullCreateOptions=
> ioOriginalStackLocation->Parameters.Create.Options;
> DbgPrint(“Done with the second part”);
>
> IoSetCompletionRoutine(irp, MyCreateCompletion, 0, TRUE, TRUE, TRUE);
> DbgPrint(“Completion routine set”);
>
> //IoCallDriver(
>
((PFILESPY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedToDevice
Object,
> irp );
> (void)IoCallDriver(fsdDevice, irp);
>
> DbgPrint(“Got the clue”);
>
> KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0);
> DbgPrint(“Came Back”);
>
>
> if( IoStatusBlock.Information == FILE_CREATED )
> DbgPrint(“Created”);
> if( IoStatusBlock.Information == FILE_OPENED )
> DbgPrint(“Opened”);
> if( IoStatusBlock.Information == FILE_OVERWRITTEN )
> DbgPrint(“Overwritten”);
> if( IoStatusBlock.Information == FILE_SUPERSEDED )
> DbgPrint(“Superseded”);
> if( IoStatusBlock.Information == FILE_EXISTS )
> DbgPrint(“Exists”);
> if( IoStatusBlock.Information == FILE_DOES_NOT_EXIST )
> DbgPrint(“DNE”);
>
>
>
>
> Now I am getting exception 0xc0000005 in the lines.
>
>
ioStackLocation->Parameters.Create.SecurityContext->DesiredAccess=FILE_READ_
ATTRIBUTES;
>
> DbgPrint(“Desired Access”);
> ioStackLocation->Parameters.Create.SecurityContext->FullCreateOptions=
> ioOriginalStackLocation->Parameters.Create.Options;
> DbgPrint(“Done with the second part”);
>
> If i remove these lines, then on IoCallDriver I am getting the same
> exception.
> What might be the reason.
>
>
> As per documentation it stands for.
> //
> // MessageId: STATUS_ACCESS_VIOLATION
> //
> // MessageText:
> //
> // The instruction at “0x%08lx” referenced memory at “0x%08lx”. The
> memory could not be “%s”.
> //
> #define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L) //
> winnt
>
> But I am not geting clues.
> Please Help
>
> Regards
> Lalit
>
> —
> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

OSR_Community_User · June 22, 2003, 8:48am

Hi Dan,
If there is a request for creation of file and after checking the
Information field I cancel the IRP in the completion routine by using
STATUS_MORE_PROCESSING_REQUIRED. Would the created file automatically get
deleted OR the file would be taken as never created.
I am not able to understand what will happen in that scenario.
Please Help.
Lalit

OSR_Community_User · June 22, 2003, 10:34am

If the file was created, you need to delete it yourself. If it was
replaced or superseded (virtually the same thing as replace), then there is
no going back.
You could change the options to try to open the file first, and check the
result then - and call for a create/replace, if it’s an error and the user
requested something other than open. You can re-use the original IRP this
way.

“Lalit S. Rana” wrote:

Hi Dan,
If there is a request for creation of file and after checking the
Information field I cancel the IRP in the completion routine by using
STATUS_MORE_PROCESSING_REQUIRED. Would the created file automatically get
deleted OR the file would be taken as never created.
I am not able to understand what will happen in that scenario.
Please Help.
Lalit

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

OSR_Community_User · June 22, 2003, 11:03am

Hi Dejan,
I wish to check in my routine whether the IRP_MJ_CREATE is for creation of
file or for opening of the file.
Could you tell me why the routine I am using is not working. My logic is
that I am creating a new IRP (trying to open the file) in the first place
(at the dispatch routine for IRP_MJ_CREATE), now i check from the
information field whether the file already exists and if it doesn’t the
request is for creation.
My self created IRP is giving 0xc0000005 at the setting of
ioStackLocation->Parameters.Create.SecurityContext->DesiredAccess=FILE_READ_ATTRIBUTES;

ioStackLocation->Parameters.Create.SecurityContext->FullCreateOptions=
ioOriginalStackLocation->Parameters.Create.Options;

If I delete these two statements then the same error is coming at
IoCallDriver. I tried to implement ZwCreateFile thinking that its result
will tell me whether the file already exists or not.
But was getting exception.
Can’t I call ZwCreateFile in the dispatch routine for Create.
Please help.
I am not getting a proper algorithm to work with this issue.
Regards,
Lalit

If the file was created, you need to delete it yourself. If it was
replaced or superseded (virtually the same thing as replace), then there
is
no going back.
You could change the options to try to open the file first, and check the
result then - and call for a create/replace, if it’s an error and the user
requested something other than open. You can re-use the original IRP this
way.

“Lalit S. Rana” wrote:

Hi Dan,
If there is a request for creation of file and after checking the
Information field I cancel the IRP in the completion routine by using
STATUS_MORE_PROCESSING_REQUIRED. Would the created file automatically get
deleted OR the file would be taken as never created.
I am not able to understand what will happen in that scenario.
Please Help.
Lalit

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

OSR_Community_User · June 22, 2003, 12:35pm

You’re not reading my reply at all.
A create can be for:

Open only
Create only
Replace only
Open if exist, create otherwise
Overwrite if exist, create otherwise

The option for this is in IrpSp->Parameters.Create.Options >> 24.
It can be FILE_OPEN, FILE_CREATE, FILE_OVERWRITE, FILE_OPEN_IF, FILE_OVERWRITE_IF (or
FILE_SUPERSEDE, which is similar to overwrite).
Now, to check whether a file exists already, re-use the original IRP: change
nextIrpSp->Options >> 24 to FILE_OPEN, and do IoCallDriver. In your completion return
STATUS_MORE_PROCESSING_REQUIRED.
After waiting on the event, check Irp->IoStatus.Status. If it was successful, the file
existed. If not, the file does not exist.
Now handle the original call.
In case of FILE_OVERWRITE and FILE_OVERWRITE_IF you need to close the file before
re-issuing the IRP.
In all cases, re-use the original IRP, and don’t create your own.

Regards, Dejan.

–
Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

OSR_Community_User · June 22, 2003, 1:06pm

Thanks Dejan,
You made things look so easy.
But still I am fearing, in case the request sent is for FILE_OVERWRITE or
FILE_OVERWRITE_IF.
Reason being I am not able to issue an IRP(by IoAllocateIRP) in
IRP_MJ_CREATE, its throwing 0xc0000005.

In case of FILE_OVERWRITE and FILE_OVERWRITE_IF you need to close the
file before
re-issuing the IRP.
I will try doing it again and refer back in case of errors.
Regards,
Lalit.

“Dejan Maksimovic” wrote in message news:xxxxx@ntfsd…
>
>
> You’re not reading my reply at all.
> A create can be for:
> - Open only
> - Create only
> - Replace only
> - Open if exist, create otherwise
> - Overwrite if exist, create otherwise
>
> The option for this is in IrpSp->Parameters.Create.Options >> 24.
> It can be FILE_OPEN, FILE_CREATE, FILE_OVERWRITE, FILE_OPEN_IF,
FILE_OVERWRITE_IF (or
> FILE_SUPERSEDE, which is similar to overwrite).
> Now, to check whether a file exists already, re-use the original IRP:
change
> nextIrpSp->Options >> 24 to FILE_OPEN, and do IoCallDriver. In your
completion return
> STATUS_MORE_PROCESSING_REQUIRED.
> After waiting on the event, check Irp->IoStatus.Status. If it was
successful, the file
> existed. If not, the file does not exist.
> Now handle the original call.
> In all cases, re-use the original IRP, and don’t create your own.
>
> Regards, Dejan.
>
> –
> Kind regards, Dejan M. MVP for DDK
> http://www.alfasp.com E-mail: xxxxx@alfasp.com
> Alfa Transparent File Encryptor - Transparent file encryption services.
> Alfa File Protector - File protection and hiding library for Win32
developers.
> Alfa File Monitor - File monitoring library for Win32 developers.
>
>
>
>
>

OSR_Community_User · June 22, 2003, 1:36pm

IRP for IRP_MJ_CREATE is very complex to create. That’s why everyone
suggested not to do it.

Reason being I am not able to issue an IRP(by IoAllocateIRP) in
IRP_MJ_CREATE, its throwing 0xc0000005.

–
Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Srin_Kumar · June 23, 2003, 12:44am

Lalit,
Did you allocate SecurityContext in the below line? I believe
you are using invalid/uninitalized pointer.