As noted in a previous question, I’m doing a minifilter activity monitor.
I’m working on getting approval to attend the Boston FS seminar, but I need
some basics answered before that.
Is there a relationship between the FO I see in a minifilter callback and
the HANDLE the UM application gets? Since my filter is currently capturing
(almost) everything, I’ve had a hard time discerning what might be different
(if anything) if an app opens the same file 5 times without closing it, for
example. I’ve done a bit of spelunking with FileTest, but I’m absolutely
sure I’ve not fully comprehended what I’m seeing.
So for my benefit, and for the benefit of the archives, which I’ve not had
complete success searching, here’s what I think is going on; please offer
corrections to the defects in my understanding:
An app opens a file; the system presents an FO to the minifilter. The app
opens another handle to the same file; the system presents another FO to the
minifilter.
If an app shares a handle with another app, the FO will be the same, but the
Process ID will not.
I found a post by Aditya Shrivastava that explained the following:
FLT_STREAMHANDLE_CONTEXT corresponds to creating a context per FO.
FLT_STREAM_CONTEXT corresponds to creating a context per file stream, so
only one context, no matter how many apps open that specific file:stream.
Since I’m targeting pre-Vista OSes, I don’t care about FLT_FILE_CONTEXT,
but that would be one context per file, no matter how many streams the file
has.
Thanks,
Phil
Philip D. Barila (303) 776-1264
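The following is an added illustration, not code from the post or from any minifilter: a small host-side C model of the object graph the post describes (handle -> file object -> stream), with the context scoping rules from Aditya Shrivastava's explanation applied at each level. It is not WDK code; the names `open_file`, `duplicate_handle`, `close_handle` and the counters are assumptions made for the model, and the stream name "a.txt::$DATA" is a constructed sample. It shows that five opens of one file by one process yield five FOs and five stream handle contexts but one stream context, that a duplicated handle shares the FO (and therefore the stream handle context) while carrying a different PID, and that an alternate data stream gets its own stream context.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counters the scenario code can inspect (model bookkeeping, not WDK state). */
static int g_fo_created, g_streamhandle_ctx_created, g_stream_ctx_created;

typedef struct Stream {            /* one per file:stream, the scope of FLT_STREAM_CONTEXT */
    char name[64];                 /* e.g. "a.txt::$DATA" (constructed sample name) */
    int fo_refs;                   /* file objects currently open on this stream */
    int has_stream_context;        /* at most one stream context per stream */
} Stream;

typedef struct FileObject {        /* one per successful create, the scope of FLT_STREAMHANDLE_CONTEXT */
    Stream *stream;
    int handle_refs;               /* handles that reference this FO (grows on duplication) */
    int has_streamhandle_context;  /* one stream handle context per FO */
    unsigned creating_pid;         /* PID observed in the post-create callback */
} FileObject;

typedef struct Handle {            /* a user-mode HANDLE in one process's handle table */
    unsigned pid;
    FileObject *fo;
} Handle;

#define MAX_STREAMS 8
static Stream g_streams[MAX_STREAMS];
static int g_stream_count;

void reset_model(void) {
    memset(g_streams, 0, sizeof g_streams);
    g_stream_count = 0;
    g_fo_created = g_streamhandle_ctx_created = g_stream_ctx_created = 0;
}

static Stream *lookup_stream(const char *name) {
    for (int i = 0; i < g_stream_count; i++)
        if (strcmp(g_streams[i].name, name) == 0) return &g_streams[i];
    if (g_stream_count == MAX_STREAMS) return NULL;
    Stream *s = &g_streams[g_stream_count++];
    snprintf(s->name, sizeof s->name, "%s", name);
    return s;
}

/* Models a create seen by the filter: every successful open yields a brand-new FO. */
Handle open_file(unsigned pid, const char *name) {
    Handle h = { pid, NULL };
    Stream *s = lookup_stream(name);
    if (!s) return h;
    FileObject *fo = calloc(1, sizeof *fo);
    if (!fo) return h;
    fo->stream = s;
    fo->handle_refs = 1;
    fo->creating_pid = pid;
    s->fo_refs++;
    g_fo_created++;
    /* Stream handle context: always allocated, because the FO is always new. */
    fo->has_streamhandle_context = 1;
    g_streamhandle_ctx_created++;
    /* Stream context: "get, else allocate and set", so only the first open creates one. */
    if (!s->has_stream_context) { s->has_stream_context = 1; g_stream_ctx_created++; }
    h.fo = fo;
    return h;
}

/* Handle duplication into another process: new handle, same FO, no create callback. */
Handle duplicate_handle(unsigned target_pid, Handle src) {
    Handle h = { target_pid, src.fo };
    if (src.fo) src.fo->handle_refs++;
    return h;
}

/* Closing the last handle on an FO tears the FO (and its stream handle context) down.
   Simplification: the model drops the stream context with the last FO on the stream. */
void close_handle(Handle *h) {
    FileObject *fo = h->fo;
    if (!fo) return;
    h->fo = NULL;
    if (--fo->handle_refs > 0) return;        /* another handle still references this FO */
    if (--fo->stream->fo_refs == 0) fo->stream->has_stream_context = 0;
    free(fo);
}

/* The scenario from the post: one process opens the same file five times without closing.
   Returns 1 if all five FOs are distinct. Leaves the counters for inspection. */
int five_opens_distinct_fos(void) {
    reset_model();
    Handle h[5];
    int distinct = 1;
    for (int i = 0; i < 5; i++) h[i] = open_file(100, "a.txt::$DATA");
    for (int i = 0; i < 5; i++)
        for (int j = i + 1; j < 5; j++)
            if (h[i].fo == h[j].fo) distinct = 0;
    for (int i = 0; i < 5; i++) close_handle(&h[i]);
    return distinct;
}
```

The point of the model is the ownership chain: a context attached to a stream handle lives and dies with one FO, so it is the natural place for per-open state, while state that must be shared across every open of the same data belongs on the stream context. Note that the real system may keep a stream (and its context) alive after the last handle closes, so the teardown in `close_handle` is a deliberate simplification.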