Access conflicts on section views

As you may have seen in another thread, I am opening section views on files
to read the files from my mini-filter. The goal is to read open files like
the registry for backup.

I seem to be able to read open files just fine, but when another
application, like explorer, or a text editor, tries to open the file while I
am reading it, that application gets the error “The requested operation
cannot be performed on a file with a user-mapped section open”. I specify
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE in my FltCreateFile
call so I thought others should be able to read while I am reading.

I am doing these reads during a port call from user mode. Does that make
any section I open a “user-mapped” section? Why does it matter? Is there a
way to make my code look like kernel-mode instead of user-mode? Should I
take the trouble to read the file in a system process thread and pass the
data through a queue to the user-mode code?

Here is my current code:

InitializeObjectAttributes( &attr, &uPath, OBJ_CASE_INSENSITIVE |
OBJ_KERNEL_HANDLE, NULL, NULL );

status = FltCreateFile( gFilter, gInstance, &gReadHandle, GENERIC_READ,
&attr, &ioStatus, 0,
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
FILE_SHARE_DELETE, FILE_OPEN,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
FILE_SEQUENTIAL_ONLY, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK );

ExFreePool( uPathBuf );

status = ObReferenceObjectByHandle( gReadHandle, 0, NULL, KernelMode,
&gReadFileObj, NULL);

status = FltQueryInformationFile( gInstance, gReadFileObj, &fileInfo,
sizeof( fileInfo ), FileStandardInformation, NULL );

sectionSize.QuadPart = fileInfo.EndOfFile.QuadPart;

status = ZwCreateSection( &gSectionHandle, SECTION_MAP_READ, NULL,
&sectionSize, PAGE_READWRITE, SEC_COMMIT, gReadHandle );

status = ZwMapViewOfSection( gSectionHandle, NtCurrentProcess(), &baseAddr,
0, 0, &sectionOfs, &sectionLen, (SECTION_INHERIT)1, 0, PAGE_READWRITE );

RtlCopyMemory( data, baseAddr + (size_t) (gFileOfs - sectionOfs.QuadPart),
dLen );

status = ZwUnmapViewOfSection( NtCurrentProcess(), baseAddr );

// Much later, after multiple mappings of views, I call ZwClose(
gSectionHandle ).

Mark

So far as I know so long as you have done ZwCreateSection …
ZwMapViewOfSection … in whatever process context then the same conditions
arise. You did not say what operations are failing in the application! I
could guess these are things like: delete, rename, truncate … things that
are incompatible with the existence of the view.

If I were you I should have a good hard think about reading open files such
as registry hives for backup and have a good read of the volume shadown copy
service documentation.

Regards
Lyndon

“Mark Hahn” wrote in message news:xxxxx@ntfsd…
> As you may have seen in another thread, I am opening section views on
> files to read the files from my mini-filter. The goal is to read open
> files like the registry for backup.
>
> I seem to be able to read open files just fine, but when another
> application, like explorer, or a text editor, tries to open the file while
> I am reading it, that application gets the error “The requested operation
> cannot be performed on a file with a user-mapped section open”. I specify
> FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE in my FltCreateFile
> call so I thought others should be able to read while I am reading.
>
> I am doing these reads during a port call from user mode. Does that make
> any section I open a “user-mapped” section? Why does it matter? Is there
> a way to make my code look like kernel-mode instead of user-mode? Should
> I take the trouble to read the file in a system process thread and pass
> the data through a queue to the user-mode code?
>
> Here is my current code:
>
> InitializeObjectAttributes( &attr, &uPath, OBJ_CASE_INSENSITIVE |
> OBJ_KERNEL_HANDLE, NULL, NULL );
>
> status = FltCreateFile( gFilter, gInstance, &gReadHandle, GENERIC_READ,
> &attr, &ioStatus, 0,
> FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
> FILE_SHARE_DELETE, FILE_OPEN,
> FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
> FILE_SEQUENTIAL_ONLY, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK );
>
> ExFreePool( uPathBuf );
>
> status = ObReferenceObjectByHandle( gReadHandle, 0, NULL, KernelMode,
> &gReadFileObj, NULL);
>
> status = FltQueryInformationFile( gInstance, gReadFileObj, &fileInfo,
> sizeof( fileInfo ), FileStandardInformation, NULL );
>
> sectionSize.QuadPart = fileInfo.EndOfFile.QuadPart;
>
> status = ZwCreateSection( &gSectionHandle, SECTION_MAP_READ, NULL,
> &sectionSize, PAGE_READWRITE, SEC_COMMIT, gReadHandle );
>
> status = ZwMapViewOfSection( gSectionHandle, NtCurrentProcess(),
> &baseAddr, 0, 0, &sectionOfs, &sectionLen, (SECTION_INHERIT)1, 0,
> PAGE_READWRITE );
>
> RtlCopyMemory( data, baseAddr + (size_t) (gFileOfs - sectionOfs.QuadPart),
> dLen );
>
> status = ZwUnmapViewOfSection( NtCurrentProcess(), baseAddr );
>
> // Much later, after multiple mappings of views, I call ZwClose(
> gSectionHandle ).
>
>

I looked at vss but it isn’t supported on win2k. If it is true that the
section/view reading always interferes with normal operation of the PC, then
I may have to drop support of win2k and go to vss.

Thanks…

“Lyndon J Clarke” wrote in message
news:xxxxx@ntfsd…
> Mark
>
> So far as I know so long as you have done ZwCreateSection …
> ZwMapViewOfSection … in whatever process context then the same
> conditions arise. You did not say what operations are failing in the
> application! I could guess these are things like: delete, rename, truncate
> … things that are incompatible with the existence of the view.
>
> If I were you I should have a good hard think about reading open files
> such as registry hives for backup and have a good read of the volume
> shadown copy service documentation.
>
> Regards
> Lyndon
>
> “Mark Hahn” wrote in message news:xxxxx@ntfsd…
>> As you may have seen in another thread, I am opening section views on
>> files to read the files from my mini-filter. The goal is to read open
>> files like the registry for backup.
>>
>> I seem to be able to read open files just fine, but when another
>> application, like explorer, or a text editor, tries to open the file
>> while I am reading it, that application gets the error “The requested
>> operation cannot be performed on a file with a user-mapped section open”.
>> I specify FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE in my
>> FltCreateFile call so I thought others should be able to read while I am
>> reading.
>>
>> I am doing these reads during a port call from user mode. Does that make
>> any section I open a “user-mapped” section? Why does it matter? Is
>> there a way to make my code look like kernel-mode instead of user-mode?
>> Should I take the trouble to read the file in a system process thread and
>> pass the data through a queue to the user-mode code?
>>
>> Here is my current code:
>>
>> InitializeObjectAttributes( &attr, &uPath, OBJ_CASE_INSENSITIVE |
>> OBJ_KERNEL_HANDLE, NULL, NULL );
>>
>> status = FltCreateFile( gFilter, gInstance, &gReadHandle, GENERIC_READ,
>> &attr, &ioStatus, 0,
>> FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
>> FILE_SHARE_DELETE, FILE_OPEN,
>> FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
>> FILE_SEQUENTIAL_ONLY, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK );
>>
>> ExFreePool( uPathBuf );
>>
>> status = ObReferenceObjectByHandle( gReadHandle, 0, NULL, KernelMode,
>> &gReadFileObj, NULL);
>>
>> status = FltQueryInformationFile( gInstance, gReadFileObj, &fileInfo,
>> sizeof( fileInfo ), FileStandardInformation, NULL );
>>
>> sectionSize.QuadPart = fileInfo.EndOfFile.QuadPart;
>>
>> status = ZwCreateSection( &gSectionHandle, SECTION_MAP_READ, NULL,
>> &sectionSize, PAGE_READWRITE, SEC_COMMIT, gReadHandle );
>>
>> status = ZwMapViewOfSection( gSectionHandle, NtCurrentProcess(),
>> &baseAddr, 0, 0, &sectionOfs, &sectionLen, (SECTION_INHERIT)1, 0,
>> PAGE_READWRITE );
>>
>> RtlCopyMemory( data, baseAddr + (size_t) (gFileOfs -
>> sectionOfs.QuadPart), dLen );
>>
>> status = ZwUnmapViewOfSection( NtCurrentProcess(), baseAddr );
>>
>> // Much later, after multiple mappings of views, I call ZwClose(
>> gSectionHandle ).
>>
>>
>
>
>

Mark

Question - why do you create and map section of these files, why not ‘just’
read them? If the answer is, because you want to bypass byte range locks,
then did you know its quite possible and not at all difficult to roll your
own paging IRP_MJ_READ, which will bypass byte range locks. If you do this,
then you tend toward seeing the data ‘on disk’, as opposed to the data ‘in
cache’, I dont know if the distinction matters for your purposes.

Cheers
Lyndon

“Mark Hahn” wrote in message news:xxxxx@ntfsd…
> As you may have seen in another thread, I am opening section views on
> files to read the files from my mini-filter. The goal is to read open
> files like the registry for backup.
>
> I seem to be able to read open files just fine, but when another
> application, like explorer, or a text editor, tries to open the file while
> I am reading it, that application gets the error “The requested operation
> cannot be performed on a file with a user-mapped section open”. I specify
> FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE in my FltCreateFile
> call so I thought others should be able to read while I am reading.
>
> I am doing these reads during a port call from user mode. Does that make
> any section I open a “user-mapped” section? Why does it matter? Is there
> a way to make my code look like kernel-mode instead of user-mode? Should
> I take the trouble to read the file in a system process thread and pass
> the data through a queue to the user-mode code?
>
> Here is my current code:
>
> InitializeObjectAttributes( &attr, &uPath, OBJ_CASE_INSENSITIVE |
> OBJ_KERNEL_HANDLE, NULL, NULL );
>
> status = FltCreateFile( gFilter, gInstance, &gReadHandle, GENERIC_READ,
> &attr, &ioStatus, 0,
> FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
> FILE_SHARE_DELETE, FILE_OPEN,
> FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
> FILE_SEQUENTIAL_ONLY, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK );
>
> ExFreePool( uPathBuf );
>
> status = ObReferenceObjectByHandle( gReadHandle, 0, NULL, KernelMode,
> &gReadFileObj, NULL);
>
> status = FltQueryInformationFile( gInstance, gReadFileObj, &fileInfo,
> sizeof( fileInfo ), FileStandardInformation, NULL );
>
> sectionSize.QuadPart = fileInfo.EndOfFile.QuadPart;
>
> status = ZwCreateSection( &gSectionHandle, SECTION_MAP_READ, NULL,
> &sectionSize, PAGE_READWRITE, SEC_COMMIT, gReadHandle );
>
> status = ZwMapViewOfSection( gSectionHandle, NtCurrentProcess(),
> &baseAddr, 0, 0, &sectionOfs, &sectionLen, (SECTION_INHERIT)1, 0,
> PAGE_READWRITE );
>
> RtlCopyMemory( data, baseAddr + (size_t) (gFileOfs - sectionOfs.QuadPart),
> dLen );
>
> status = ZwUnmapViewOfSection( NtCurrentProcess(), baseAddr );
>
> // Much later, after multiple mappings of views, I call ZwClose(
> gSectionHandle ).
>
>

> did you know its quite possible and not at all difficult to roll your own

paging IRP_MJ_READ

I was doing that and ran into trouble. I started a thead here and the
consensus was that it wouldn’t work. Have you done it?

My business partner just reluctantly agreed to drop win2k support. I’d love
to get it back.

“Lyndon J Clarke” wrote in message
news:xxxxx@ntfsd…
> Mark
>
> Question - why do you create and map section of these files, why not
> ‘just’ read them? If the answer is, because you want to bypass byte range
> locks, then did you know its quite possible and not at all difficult to
> roll your own paging IRP_MJ_READ, which will bypass byte range locks. If
> you do this, then you tend toward seeing the data ‘on disk’, as opposed to
> the data ‘in cache’, I dont know if the distinction matters for your
> purposes.
>
> Cheers
> Lyndon
>
> “Mark Hahn” wrote in message news:xxxxx@ntfsd…
>> As you may have seen in another thread, I am opening section views on
>> files to read the files from my mini-filter. The goal is to read open
>> files like the registry for backup.
>>
>> I seem to be able to read open files just fine, but when another
>> application, like explorer, or a text editor, tries to open the file
>> while I am reading it, that application gets the error “The requested
>> operation cannot be performed on a file with a user-mapped section open”.
>> I specify FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE in my
>> FltCreateFile call so I thought others should be able to read while I am
>> reading.
>>
>> I am doing these reads during a port call from user mode. Does that make
>> any section I open a “user-mapped” section? Why does it matter? Is
>> there a way to make my code look like kernel-mode instead of user-mode?
>> Should I take the trouble to read the file in a system process thread and
>> pass the data through a queue to the user-mode code?
>>
>> Here is my current code:
>>
>> InitializeObjectAttributes( &attr, &uPath, OBJ_CASE_INSENSITIVE |
>> OBJ_KERNEL_HANDLE, NULL, NULL );
>>
>> status = FltCreateFile( gFilter, gInstance, &gReadHandle, GENERIC_READ,
>> &attr, &ioStatus, 0,
>> FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
>> FILE_SHARE_DELETE, FILE_OPEN,
>> FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
>> FILE_SEQUENTIAL_ONLY, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK );
>>
>> ExFreePool( uPathBuf );
>>
>> status = ObReferenceObjectByHandle( gReadHandle, 0, NULL, KernelMode,
>> &gReadFileObj, NULL);
>>
>> status = FltQueryInformationFile( gInstance, gReadFileObj, &fileInfo,
>> sizeof( fileInfo ), FileStandardInformation, NULL );
>>
>> sectionSize.QuadPart = fileInfo.EndOfFile.QuadPart;
>>
>> status = ZwCreateSection( &gSectionHandle, SECTION_MAP_READ, NULL,
>> &sectionSize, PAGE_READWRITE, SEC_COMMIT, gReadHandle );
>>
>> status = ZwMapViewOfSection( gSectionHandle, NtCurrentProcess(),
>> &baseAddr, 0, 0, &sectionOfs, &sectionLen, (SECTION_INHERIT)1, 0,
>> PAGE_READWRITE );
>>
>> RtlCopyMemory( data, baseAddr + (size_t) (gFileOfs -
>> sectionOfs.QuadPart), dLen );
>>
>> status = ZwUnmapViewOfSection( NtCurrentProcess(), baseAddr );
>>
>> // Much later, after multiple mappings of views, I call ZwClose(
>> gSectionHandle ).
>>
>>
>
>
>

I’ve done that read indeed, can you post a url to your thread?

Cheers
Lyndon

“Mark Hahn” wrote in message news:xxxxx@ntfsd…
>> did you know its quite possible and not at all difficult to roll your own
>> paging IRP_MJ_READ
>
> I was doing that and ran into trouble. I started a thead here and the
> consensus was that it wouldn’t work. Have you done it?
>
> My business partner just reluctantly agreed to drop win2k support. I’d
> love to get it back.
>
>
> “Lyndon J Clarke” wrote in message
> news:xxxxx@ntfsd…
>> Mark
>>
>> Question - why do you create and map section of these files, why not
>> ‘just’ read them? If the answer is, because you want to bypass byte range
>> locks, then did you know its quite possible and not at all difficult to
>> roll your own paging IRP_MJ_READ, which will bypass byte range locks. If
>> you do this, then you tend toward seeing the data ‘on disk’, as opposed
>> to the data ‘in cache’, I dont know if the distinction matters for your
>> purposes.
>>
>> Cheers
>> Lyndon
>>
>> “Mark Hahn” wrote in message news:xxxxx@ntfsd…
>>> As you may have seen in another thread, I am opening section views on
>>> files to read the files from my mini-filter. The goal is to read open
>>> files like the registry for backup.
>>>
>>> I seem to be able to read open files just fine, but when another
>>> application, like explorer, or a text editor, tries to open the file
>>> while I am reading it, that application gets the error “The requested
>>> operation cannot be performed on a file with a user-mapped section
>>> open”. I specify FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
>>> in my FltCreateFile call so I thought others should be able to read
>>> while I am reading.
>>>
>>> I am doing these reads during a port call from user mode. Does that
>>> make any section I open a “user-mapped” section? Why does it matter?
>>> Is there a way to make my code look like kernel-mode instead of
>>> user-mode? Should I take the trouble to read the file in a system
>>> process thread and pass the data through a queue to the user-mode code?
>>>
>>> Here is my current code:
>>>
>>> InitializeObjectAttributes( &attr, &uPath, OBJ_CASE_INSENSITIVE |
>>> OBJ_KERNEL_HANDLE, NULL, NULL );
>>>
>>> status = FltCreateFile( gFilter, gInstance, &gReadHandle, GENERIC_READ,
>>> &attr, &ioStatus, 0,
>>> FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
>>> FILE_SHARE_DELETE, FILE_OPEN,
>>> FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
>>> FILE_SEQUENTIAL_ONLY, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK );
>>>
>>> ExFreePool( uPathBuf );
>>>
>>> status = ObReferenceObjectByHandle( gReadHandle, 0, NULL, KernelMode,
>>> &gReadFileObj, NULL);
>>>
>>> status = FltQueryInformationFile( gInstance, gReadFileObj, &fileInfo,
>>> sizeof( fileInfo ), FileStandardInformation, NULL );
>>>
>>> sectionSize.QuadPart = fileInfo.EndOfFile.QuadPart;
>>>
>>> status = ZwCreateSection( &gSectionHandle, SECTION_MAP_READ, NULL,
>>> &sectionSize, PAGE_READWRITE, SEC_COMMIT, gReadHandle );
>>>
>>> status = ZwMapViewOfSection( gSectionHandle, NtCurrentProcess(),
>>> &baseAddr, 0, 0, &sectionOfs, &sectionLen, (SECTION_INHERIT)1, 0,
>>> PAGE_READWRITE );
>>>
>>> RtlCopyMemory( data, baseAddr + (size_t) (gFileOfs -
>>> sectionOfs.QuadPart), dLen );
>>>
>>> status = ZwUnmapViewOfSection( NtCurrentProcess(), baseAddr );
>>>
>>> // Much later, after multiple mappings of views, I call ZwClose(
>>> gSectionHandle ).
>>>
>>>
>>
>>
>>
>
>
>

I was wrong about the thread. The thread I was thinking of was not about
range-locks. The range lock solution I am using came from the many threads
that said to map a section view. Neal said this and many others. None
mentioned that it would interfere with other operations.

How do I roll my own paging IRPs in a mini-filter?

“Lyndon J Clarke” wrote in message
news:xxxxx@ntfsd…
> I’ve done that read indeed, can you post a url to your thread?
>
> Cheers
> Lyndon
>
> “Mark Hahn” wrote in message news:xxxxx@ntfsd…
>>> did you know its quite possible and not at all difficult to roll your
>>> own paging IRP_MJ_READ
>>
>> I was doing that and ran into trouble. I started a thead here and the
>> consensus was that it wouldn’t work. Have you done it?
>>
>> My business partner just reluctantly agreed to drop win2k support. I’d
>> love to get it back.
>>
>>
>> “Lyndon J Clarke” wrote in message
>> news:xxxxx@ntfsd…
>>> Mark
>>>
>>> Question - why do you create and map section of these files, why not
>>> ‘just’ read them? If the answer is, because you want to bypass byte
>>> range locks, then did you know its quite possible and not at all
>>> difficult to roll your own paging IRP_MJ_READ, which will bypass byte
>>> range locks. If you do this, then you tend toward seeing the data ‘on
>>> disk’, as opposed to the data ‘in cache’, I dont know if the distinction
>>> matters for your purposes.
>>>
>>> Cheers
>>> Lyndon
>>>
>>> “Mark Hahn” wrote in message news:xxxxx@ntfsd…
>>>> As you may have seen in another thread, I am opening section views on
>>>> files to read the files from my mini-filter. The goal is to read open
>>>> files like the registry for backup.
>>>>
>>>> I seem to be able to read open files just fine, but when another
>>>> application, like explorer, or a text editor, tries to open the file
>>>> while I am reading it, that application gets the error “The requested
>>>> operation cannot be performed on a file with a user-mapped section
>>>> open”. I specify FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
>>>> in my FltCreateFile call so I thought others should be able to read
>>>> while I am reading.
>>>>
>>>> I am doing these reads during a port call from user mode. Does that
>>>> make any section I open a “user-mapped” section? Why does it matter?
>>>> Is there a way to make my code look like kernel-mode instead of
>>>> user-mode? Should I take the trouble to read the file in a system
>>>> process thread and pass the data through a queue to the user-mode code?
>>>>
>>>> Here is my current code:
>>>>
>>>> InitializeObjectAttributes( &attr, &uPath, OBJ_CASE_INSENSITIVE |
>>>> OBJ_KERNEL_HANDLE, NULL, NULL );
>>>>
>>>> status = FltCreateFile( gFilter, gInstance, &gReadHandle, GENERIC_READ,
>>>> &attr, &ioStatus, 0,
>>>> FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
>>>> FILE_SHARE_DELETE, FILE_OPEN,
>>>> FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
>>>> FILE_SEQUENTIAL_ONLY, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK );
>>>>
>>>> ExFreePool( uPathBuf );
>>>>
>>>> status = ObReferenceObjectByHandle( gReadHandle, 0, NULL, KernelMode,
>>>> &gReadFileObj, NULL);
>>>>
>>>> status = FltQueryInformationFile( gInstance, gReadFileObj, &fileInfo,
>>>> sizeof( fileInfo ), FileStandardInformation, NULL );
>>>>
>>>> sectionSize.QuadPart = fileInfo.EndOfFile.QuadPart;
>>>>
>>>> status = ZwCreateSection( &gSectionHandle, SECTION_MAP_READ, NULL,
>>>> &sectionSize, PAGE_READWRITE, SEC_COMMIT, gReadHandle );
>>>>
>>>> status = ZwMapViewOfSection( gSectionHandle, NtCurrentProcess(),
>>>> &baseAddr, 0, 0, &sectionOfs, &sectionLen, (SECTION_INHERIT)1, 0,
>>>> PAGE_READWRITE );
>>>>
>>>> RtlCopyMemory( data, baseAddr + (size_t) (gFileOfs -
>>>> sectionOfs.QuadPart), dLen );
>>>>
>>>> status = ZwUnmapViewOfSection( NtCurrentProcess(), baseAddr );
>>>>
>>>> // Much later, after multiple mappings of views, I call ZwClose(
>>>> gSectionHandle ).
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>

Well … if you were a legacy filter (you can be filespy for a moment for
the purpose) you could put a breakpoint in IRP_MJ_READ handler where its
paging i/o and then you see what the irp looks like. There is an osr nt
insider article on “rolling your own”. I cant comment on how you do this in
a mini-filter as opposed to a legacy filter at the moment; I am not far
enough down that road.

“Mark Hahn” wrote in message news:xxxxx@ntfsd…
>I was wrong about the thread. The thread I was thinking of was not about
>range-locks. The range lock solution I am using came from the many threads
>that said to map a section view. Neal said this and many others. None
>mentioned that it would interfere with other operations.
>
> How do I roll my own paging IRPs in a mini-filter?
>
>
> “Lyndon J Clarke” wrote in message
> news:xxxxx@ntfsd…
>> I’ve done that read indeed, can you post a url to your thread?
>>
>> Cheers
>> Lyndon
>>
>> “Mark Hahn” wrote in message news:xxxxx@ntfsd…
>>>> did you know its quite possible and not at all difficult to roll your
>>>> own paging IRP_MJ_READ
>>>
>>> I was doing that and ran into trouble. I started a thead here and the
>>> consensus was that it wouldn’t work. Have you done it?
>>>
>>> My business partner just reluctantly agreed to drop win2k support. I’d
>>> love to get it back.
>>>
>>>
>>> “Lyndon J Clarke” wrote in message
>>> news:xxxxx@ntfsd…
>>>> Mark
>>>>
>>>> Question - why do you create and map section of these files, why not
>>>> ‘just’ read them? If the answer is, because you want to bypass byte
>>>> range locks, then did you know its quite possible and not at all
>>>> difficult to roll your own paging IRP_MJ_READ, which will bypass byte
>>>> range locks. If you do this, then you tend toward seeing the data ‘on
>>>> disk’, as opposed to the data ‘in cache’, I dont know if the
>>>> distinction matters for your purposes.
>>>>
>>>> Cheers
>>>> Lyndon
>>>>
>>>> “Mark Hahn” wrote in message news:xxxxx@ntfsd…
>>>>> As you may have seen in another thread, I am opening section views on
>>>>> files to read the files from my mini-filter. The goal is to read open
>>>>> files like the registry for backup.
>>>>>
>>>>> I seem to be able to read open files just fine, but when another
>>>>> application, like explorer, or a text editor, tries to open the file
>>>>> while I am reading it, that application gets the error “The requested
>>>>> operation cannot be performed on a file with a user-mapped section
>>>>> open”. I specify FILE_SHARE_READ | FILE_SHARE_WRITE |
>>>>> FILE_SHARE_DELETE in my FltCreateFile call so I thought others should
>>>>> be able to read while I am reading.
>>>>>
>>>>> I am doing these reads during a port call from user mode. Does that
>>>>> make any section I open a “user-mapped” section? Why does it matter?
>>>>> Is there a way to make my code look like kernel-mode instead of
>>>>> user-mode? Should I take the trouble to read the file in a system
>>>>> process thread and pass the data through a queue to the user-mode
>>>>> code?
>>>>>
>>>>> Here is my current code:
>>>>>
>>>>> InitializeObjectAttributes( &attr, &uPath, OBJ_CASE_INSENSITIVE |
>>>>> OBJ_KERNEL_HANDLE, NULL, NULL );
>>>>>
>>>>> status = FltCreateFile( gFilter, gInstance, &gReadHandle,
>>>>> GENERIC_READ, &attr, &ioStatus, 0,
>>>>> FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE |
>>>>> FILE_SHARE_DELETE, FILE_OPEN,
>>>>> FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT |
>>>>> FILE_SEQUENTIAL_ONLY, NULL, 0, IO_IGNORE_SHARE_ACCESS_CHECK );
>>>>>
>>>>> ExFreePool( uPathBuf );
>>>>>
>>>>> status = ObReferenceObjectByHandle( gReadHandle, 0, NULL, KernelMode,
>>>>> &gReadFileObj, NULL);
>>>>>
>>>>> status = FltQueryInformationFile( gInstance, gReadFileObj, &fileInfo,
>>>>> sizeof( fileInfo ), FileStandardInformation, NULL );
>>>>>
>>>>> sectionSize.QuadPart = fileInfo.EndOfFile.QuadPart;
>>>>>
>>>>> status = ZwCreateSection( &gSectionHandle, SECTION_MAP_READ, NULL,
>>>>> &sectionSize, PAGE_READWRITE, SEC_COMMIT, gReadHandle );
>>>>>
>>>>> status = ZwMapViewOfSection( gSectionHandle, NtCurrentProcess(),
>>>>> &baseAddr, 0, 0, &sectionOfs, &sectionLen, (SECTION_INHERIT)1, 0,
>>>>> PAGE_READWRITE );
>>>>>
>>>>> RtlCopyMemory( data, baseAddr + (size_t) (gFileOfs -
>>>>> sectionOfs.QuadPart), dLen );
>>>>>
>>>>> status = ZwUnmapViewOfSection( NtCurrentProcess(), baseAddr );
>>>>>
>>>>> // Much later, after multiple mappings of views, I call ZwClose(
>>>>> gSectionHandle ).
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>