c:\myfolder\type test.txt reported as test.txt in FltObjects

NTFSD
1

I found out the kernel at PreCreate() reported that

FltObjects->FileObject->FileName is “test.txt” instead of
“\MyFolder\test.txt” when I type the following command
prompt:

C:\MyFolder\>type test.txt

and the FltGetVolumeName(vol, &uszVol, NULL); where uszVol
is returning as “…Volume2” where it is “c:” at usermode
when translated.

So, I cannot detect correctly when the command “type test.txt”
where it is “\MyFolder\test.txt” should be reported by
FltObjects->FileObject->FileName instead of “test.txt”

I came across if not mistaken, not to rely on FltObjects->FileObject->FileName somehow it is the cached version.

However, any hint or help is very much appreciated.

Please advise.

2

Take a look at FltObjects->FileObject->RelatedFileObject. If there is RelatedFileObject then the open is relative to that FILE_OBJECT and you must take that into account when trying to figure out the path.

Thanks,
Alex.

On May 22, 2013, at 4:04 PM, xxxxx@yahoo.com wrote:

I found out the kernel at PreCreate() reported that

FltObjects->FileObject->FileName is “test.txt” instead of
“\MyFolder\test.txt” when I type the following command
prompt:

C:\MyFolder\>type test.txt
>
> and the FltGetVolumeName(vol, &uszVol, NULL); where uszVol
> is returning as “…Volume2” where it is “c:” at usermode
> when translated.
>
> So, I cannot detect correctly when the command “type test.txt”
> where it is “\MyFolder\test.txt” should be reported by
> FltObjects->FileObject->FileName instead of “test.txt”
>
> I came across if not mistaken, not to rely on FltObjects->FileObject->FileName somehow it is the cached version.
>
> However, any hint or help is very much appreciated.
>
> Please advise.
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

3

Thanks a million, it is the exact directory name stored in:

FltObjects->FileObject->RelatedFileObject->FileName

Now, it is working much effectively.

4

you can’t use RelatedFileObject->FileName since this is not a create
operation for RelatedFileObject

use FltGetFileNameInformationUnsafe or store name in stream context

On Thu, May 23, 2013 at 1:14 PM, wrote:

> Thanks a million, it is the exact directory name stored in:
>
> FltObjects->FileObject->RelatedFileObject->FileName
>
> Now, it is working much effectively.
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

5

The OP mentioned he’s doing this at PreCreate(), so he should be fine. Also, no reason to call the Unsafe version of the function, FltGetFileNameInformation() should work just fine.

Thanks,
Alex.
On May 23, 2013, at 3:56 AM, Sergey Pisarev wrote:

> you can’t use RelatedFileObject->FileName since this is not a create operation for RelatedFileObject
>
> use FltGetFileNameInformationUnsafe or store name in stream context
>
>
> On Thu, May 23, 2013 at 1:14 PM, wrote:
> Thanks a million, it is the exact directory name stored in:
>
> FltObjects->FileObject->RelatedFileObject->FileName
>
> Now, it is working much effectively.
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
> — NTFSD is sponsored by OSR OSR is hiring!! Info at http://www.osr.com/careers For our schedule of debugging and file system seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

6

this is pre_create for file_object and not for file_object->
RelatedFileObject.

why RelatedFileObject->FileName must be valid during pre-create of
file_object ?

On Thu, May 23, 2013 at 6:14 PM, Alex Carp wrote:

> The OP mentioned he’s doing this at PreCreate(), so he should be fine.
> Also, no reason to call the Unsafe version of the function,
> FltGetFileNameInformation() should work just fine.
>
> Thanks,
> Alex.
>
> On May 23, 2013, at 3:56 AM, Sergey Pisarev
> wrote:
>
> you can’t use RelatedFileObject->FileName since this is not a create
> operation for RelatedFileObject
>
> use FltGetFileNameInformationUnsafe or store name in stream context
>
>
> On Thu, May 23, 2013 at 1:14 PM, wrote:
>
>> Thanks a million, it is the exact directory name stored in:
>>
>> FltObjects->FileObject->RelatedFileObject->FileName
>>
>> Now, it is working much effectively.
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of debugging and file system seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
> — NTFSD is sponsored by OSR OSR is hiring!! Info at
> http://www.osr.com/careers For our schedule of debugging and file system
> seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
> List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

7

msdn states that “The *RelatedFileObject* member is only valid during the
processing of the*IRP_MJ_CREATE*http:
requests”

does that also mean that RelatedFileObject->FileName is valid.


for example file_object is valid for mj_write, but FileName is not

On Thu, May 23, 2013 at 6:31 PM, Sergey Pisarev wrote:

> this is pre_create for file_object and not for file_object->
> RelatedFileObject.
>
> why RelatedFileObject->FileName must be valid during pre-create of
> file_object ?
>
> On Thu, May 23, 2013 at 6:14 PM, Alex Carp wrote:
>
>> The OP mentioned he’s doing this at PreCreate(), so he should be fine.
>> Also, no reason to call the Unsafe version of the function,
>> FltGetFileNameInformation() should work just fine.
>>
>> Thanks,
>> Alex.
>>
>> On May 23, 2013, at 3:56 AM, Sergey Pisarev
>> wrote:
>>
>> you can’t use RelatedFileObject->FileName since this is not a create
>> operation for RelatedFileObject
>>
>> use FltGetFileNameInformationUnsafe or store name in stream context
>>
>>
>> On Thu, May 23, 2013 at 1:14 PM, wrote:
>>
>>> Thanks a million, it is the exact directory name stored in:
>>>
>>> FltObjects->FileObject->RelatedFileObject->FileName
>>>
>>> Now, it is working much effectively.
>>>
>>> —
>>> NTFSD is sponsored by OSR
>>>
>>> OSR is hiring!! Info at http://www.osr.com/careers
>>>
>>> For our schedule of debugging and file system seminars visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>
>> — NTFSD is sponsored by OSR OSR is hiring!! Info at
>> http://www.osr.com/careers For our schedule of debugging and file system
>> seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
>> List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of debugging and file system seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
></http:>

8

It is not guaranteed to be valid and should not be relied upon.

Pete

On 5/23/2013 8:31 AM, Sergey Pisarev wrote:

this is pre_create for file_object and not for
file_object->RelatedFileObject.

why RelatedFileObject->FileName must be valid during pre-create of
file_object ?

On Thu, May 23, 2013 at 6:14 PM, Alex Carp > mailto:xxxxx> wrote:
>
> The OP mentioned he’s doing this at PreCreate(), so he should be
> fine. Also, no reason to call the Unsafe version of the function,
> FltGetFileNameInformation() should work just fine.
>
> Thanks,
> Alex.
>
> On May 23, 2013, at 3:56 AM, Sergey Pisarev
> > wrote:
>
>> you can’t use RelatedFileObject->FileName since this is not a
>> create operation for RelatedFileObject
>>
>> use FltGetFileNameInformationUnsafe or store name in stream context
>>
>>
>> On Thu, May 23, 2013 at 1:14 PM, >> mailto:xxxxx> wrote:
>>
>> Thanks a million, it is the exact directory name stored in:
>>
>> FltObjects->FileObject->RelatedFileObject->FileName
>>
>> Now, it is working much effectively.
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of debugging and file system seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>>
>> — NTFSD is sponsored by OSR OSR is hiring!! Info at
>> http://www.osr.com/careers For our schedule of debugging and file
>> system seminars visit: http://www.osr.com/seminars To unsubscribe,
>> visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> — NTFSD is sponsored by OSR OSR is hiring!! Info at
> http://www.osr.com/careers For our schedule of debugging and file system
> seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
> List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295</mailto:xxxxx></mailto:xxxxx>

9

Oh, now I see your point, sorry about the confusion.

In this case let me clarify my previous statement: the rule i’ve been using is that if during pre IRP_MJ_CREATE for FileObject the FileObject->RelatedFileObject field is not NULL then actual path of the file is made up from the name of FileObject->RelatedFileObject + FileObject->FileName, the difference being that the name of FileObject->RelatedFileObject is not guaranteed to be the same as FileObject->RelatedFileObject->FileName.

Since FileObject->RelatedFileObject is an opened FILE_OBJECT one should call FltGetFileNameInformation() to get its name. The reason it works to call FltGetFileNameInformation() is because the cases where FltGetFileNameInformation() doesn’t work don’t really apply here (we’re in preCreate so TopLevelIrp isn’t set; we’re clearly not in the paging path and the RelatedFileObject is opened because the caller has a handle to it - the RelatedFileObject is passed as a handle to IoCreateFile via OBJECT_ATTRIBUTES). So one shouldn’t blindly call RtlUnicodeStringCat() with RelatedFileObject->FilenName and FileObject->FileName.

Another thing to note is that, as far I remember, FileObject->RelatedFileObject is undefined during any other operation (except IRP_MJ_NETWORK_QUERY_OPEN which actually has an IRP_MJ_CREATE parameter so it falls under the same rules).

In general one should really leave it to FltGetFileNameInformation() to handle all these details, I certainly prefer using it.

Thanks,
Alex.

On May 23, 2013, at 7:43 AM, Peter Scott wrote:

>
> It is not guaranteed to be valid and should not be relied upon.
>
> Pete
>
> On 5/23/2013 8:31 AM, Sergey Pisarev wrote:
>> this is pre_create for file_object and not for
>> file_object->RelatedFileObject.
>>
>> why RelatedFileObject->FileName must be valid during pre-create of
>> file_object ?
>>
>> On Thu, May 23, 2013 at 6:14 PM, Alex Carp >> mailto:xxxxx> wrote:
>>
>> The OP mentioned he’s doing this at PreCreate(), so he should be
>> fine. Also, no reason to call the Unsafe version of the function,
>> FltGetFileNameInformation() should work just fine.
>>
>> Thanks,
>> Alex.
>>
>> On May 23, 2013, at 3:56 AM, Sergey Pisarev
>> > wrote:
>>
>>> you can’t use RelatedFileObject->FileName since this is not a
>>> create operation for RelatedFileObject
>>>
>>> use FltGetFileNameInformationUnsafe or store name in stream context
>>>
>>>
>>> On Thu, May 23, 2013 at 1:14 PM, >>> mailto:xxxxx> wrote:
>>>
>>> Thanks a million, it is the exact directory name stored in:
>>>
>>> FltObjects->FileObject->RelatedFileObject->FileName
>>>
>>> Now, it is working much effectively.
>>>
>>> —
>>> NTFSD is sponsored by OSR
>>>
>>> OSR is hiring!! Info at http://www.osr.com/careers
>>>
>>> For our schedule of debugging and file system seminars visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>>
>>> — NTFSD is sponsored by OSR OSR is hiring!! Info at
>>> http://www.osr.com/careers For our schedule of debugging and file
>>> system seminars visit: http://www.osr.com/seminars To unsubscribe,
>>> visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of debugging and file system seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>>
>> — NTFSD is sponsored by OSR OSR is hiring!! Info at
>> http://www.osr.com/careers For our schedule of debugging and file system
>> seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
>> List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>
> –
> Kernel Drivers
> Windows File System and Device Driver Consulting
> www.KernelDrivers.com
> 866.263.9295
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit: http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx></mailto:xxxxx>