Best way to ignore remote mailslot/named pipe activity in file system filter driver

Hello,

We have a Filter Manager based file system filter driver. Since the Filter Manager does not attach to the mailslot/named pipe device object, our filter driver does not see mailslot/named pipe activity and we indeed want to ignore this activity.

However, when this mailslot/named pipe is accessed remotely through the LANMAN redirector we do see this activity and our filter driver needs to detect and ignore this. What’s the best way to detect this?

In PreOpCreate, we notice that FLT_RELATED_OBJECTS->FileObject->DeviceObject->DeviceType is set to FILE_DEVICE_NETWORK_FILE_SYSTEM and FLT_RELATED_OBJECTS->FileObject->FileName is of the form \servername\pipe\pipename for named pipes and \servername*MAILSLOT\mailslotname for mailslots.

We can go with pattern parsing on FileName; however, we would like to avoid it if there is a much better way to do this.

Any thoughts/suggestions?

Thanks.
-Prasad

Hello,

No takers for this one? This seems like a standard requirement? No?

If parsing the filename is the only option, we will go down that path.

Thanks.
-Prasad

If you need to skip remote pipes and mailslots in precreate, you could query the FLT_FILE_NAME_OPENED name and check the share for “pipe” or “mailslot”. Otherwise you could check the FO_NAMED_PIPE, FO_MAILSLOT flags on the fileobject in operations after precreate.

Scott [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights.
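
The share check suggested in the reply above, as an added example that is not part of the original thread or anyone's driver code: a user-mode C model that classifies a redirector-relative name of the form \servername\pipe\pipename by comparing the whole second path component, so that look-alike shares and deeper directories are not skipped by mistake. The names `classify_remote_name`, `component` and `component_is` are hypothetical, the sample names are constructed, and NUL-terminated `char` strings stand in for the length-counted UNICODE_STRING a driver would receive.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for a name seen on the network redirector. */
typedef enum { REMOTE_FILE = 0, REMOTE_PIPE, REMOTE_MAILSLOT } remote_kind;

/* Case-insensitive match of one length-counted component against a literal. */
static int component_is(const char *p, size_t len, const char *lit)
{
    if (strlen(lit) != len) return 0;            /* whole component, not a prefix */
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)lit[i])) return 0;
    return 1;
}

/* Return the n-th (0-based) backslash-separated component, or NULL if absent. */
static const char *component(const char *name, int n, size_t *len)
{
    const char *p = name;
    for (;;) {
        while (*p == '\\') p++;                  /* skip separators */
        if (*p == '\0') return NULL;
        const char *end = p;
        while (*end != '\0' && *end != '\\') end++;
        if (n-- == 0) { *len = (size_t)(end - p); return p; }
        p = end;
    }
}

/* Component 0 is the server, component 1 is the share being opened. */
remote_kind classify_remote_name(const char *name)
{
    size_t len = 0;
    const char *share = component(name, 1, &len);
    if (share == NULL) return REMOTE_FILE;
    if (component_is(share, len, "pipe")) return REMOTE_PIPE;
    if (component_is(share, len, "mailslot")) return REMOTE_MAILSLOT;
    return REMOTE_FILE;
}

int main(void)
{
    /* Constructed sample names, not taken from a real trace. */
    const char *names[] = { "\\srv\\pipe\\demo", "\\srv\\MAILSLOT\\demo",
                            "\\srv\\pipeline\\a.txt", "\\srv\\share\\pipe\\a.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s -> %d\n", names[i], (int)classify_remote_name(names[i]));
    return 0;
}
```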

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@vmware.com
Sent: Thursday, December 15, 2011 2:20 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Best way to ignore remote mailslot/named pipe activity in file system filter driver

Thanks Scott for your response.

We will probably go with checking FO_NAMED_PIPE, FO_MAILSLOT flags in PostOpCreate since it sounds better than pattern matching.

Further, I was under the impression that FltGetFileNameInformation fails on mailslot/pipe objects. But maybe I am wrong. It may be failing with the FLT_FILE_NAME_NORMALIZED option and may work with the FLT_FILE_NAME_OPENED flag as you say.

Thanks.
-Prasad