Access Denied check and the IRP_MJ_CREATE Post Completion routine.

Hello Everyone,

I’m trying to catch when Windows denies a file request. I’ve written pre
and post routines for IRP_MJ_CREATE in my mini-filter.

According to the Filter Development Guide, “if a minifilter returns
FLT_PREOP_SUCCESS_WITH_CALLBACK from its pre-operation callback, it is
GUARANTEED to receive exactly one completion callback per pre-operation
callback.” This seems to contradict the idea that by the time an
IRP_MJ_CREATE post completion routine is called, the file is already open.

So, I wrote a test and sure enough, the pre-operation came thru but the post
didn’t…if access was denied. This makes sense to me since the file
didn’t get opened and hence the post shouldn’t be called.

So my question is this…does a post create REALLY happen when an access
check fails and there is something wrong in my test, or
IF my test IS accurate, how do you detect an access denied?

BTW…Filemon is able to report an ACCESS_DENIED on IRP_MJ_CREATE, but I’m
pretty sure that they aren’t using a minifilter.

I guess I could do an access check in my pre-operation, but that just feels
wrong.

thanks

Gene

Gene:

Yes, you have something wrong.

If you return FLT_PREOP_SUCCESS_WITH_CALLBACK from your pre-Create callback,
your post-Create will be called regardless of status. This is obviously
necessary in case resources were allocated in the pre-call and must be
released in the post-call.

There is a mini-filter version of filespy in
C:\WINDDK\5840\src\filesys\miniFilter\minispy – give it a try.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Wednesday, November 01, 2006 10:14 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Access Denied check and the IRP_MJ_CREATE Post Completion
routine.


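The behaviour described in the reply above, as an added example that is not code from either poster or from the WDK: a post-create routine that reads the final status to count denied opens and releases the pre-create allocation on every status. It is a user-mode model; the types are cut-down stand-ins for the fltKernel.h definitions, the callback signatures are simplified, and `model_create` is a hypothetical stand-in for Filter Manager and the file system.

```c
/* User-mode model (added example). The types below are cut-down stand-ins
 * for the WDK definitions in fltKernel.h so the logic builds anywhere. */
#include <stdint.h>
#include <stdlib.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)

typedef struct { NTSTATUS Status; } IO_STATUS_BLOCK;
typedef struct { IO_STATUS_BLOCK IoStatus; } FLT_CALLBACK_DATA;
typedef enum { FLT_PREOP_SUCCESS_WITH_CALLBACK,
               FLT_PREOP_SUCCESS_NO_CALLBACK } FLT_PREOP_CALLBACK_STATUS;

int denied_creates = 0;  /* creates that completed with STATUS_ACCESS_DENIED */
int live_contexts  = 0;  /* pre-create allocations not yet released */

/* Pre-create: allocate per-operation state and ask for a post callback. */
FLT_PREOP_CALLBACK_STATUS PreCreate(FLT_CALLBACK_DATA *Data, void **CompletionContext)
{
    (void)Data;
    int *ctx = malloc(sizeof *ctx);
    if (ctx == NULL)
        return FLT_PREOP_SUCCESS_NO_CALLBACK;  /* nothing to release later */
    live_contexts++;
    *CompletionContext = ctx;
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

/* Post-create: runs for failed creates too, so the final status is read here. */
void PostCreate(FLT_CALLBACK_DATA *Data, void *CompletionContext)
{
    if (Data->IoStatus.Status == STATUS_ACCESS_DENIED)
        denied_creates++;                       /* the file was never opened */
    free(CompletionContext);                    /* release on every status */
    live_contexts--;
}

/* Hypothetical stand-in for Filter Manager plus the file system:
 * fs_result is the status the lower layers complete the create with. */
NTSTATUS model_create(NTSTATUS fs_result)
{
    FLT_CALLBACK_DATA data = { { STATUS_SUCCESS } };
    void *ctx = NULL;
    FLT_PREOP_CALLBACK_STATUS pre = PreCreate(&data, &ctx);
    data.IoStatus.Status = fs_result;
    if (pre == FLT_PREOP_SUCCESS_WITH_CALLBACK)
        PostCreate(&data, ctx);
    return data.IoStatus.Status;
}
```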