Yes, I absolutely agree and endorse what Don says, adding only that a file system filter is definitely a choice of last resort.
To restore the state of the disk after use, the simplest approach is to ensure that the file system reads and writes use a filtered view of the disk sectors (use free space to save the user’s changes, and never change the real file allocation tables). Upon reboot the free space will still be marked as free and the authorized data on disk will still be intact.
I think you are well advised to stay low in the stack, and investigate the possibilities of doing this at the filter level between the file system and the disk. If I remember rightly, a lower filter below a file system and an upper filter above a disk are subtly different, even though they would normally end up in the same location in the device stack. Check that out.
If there are other factors that oblige you to choose a higher level, a file system filter driver is still not the best way to go, because it is so difficult for such a filter to handle the disk cache, and (a related issue) memory mapped files. Moreover, different file systems make use of the cache in different ways.
If you choose to go high in the stack, then a ‘pseudo file system’ would likely be the simplest way (but you won’t find much info if you search for this term). This is just a component that behaves like a file system, but replaces the chosen file system(s) at mount time. This results in all access to the original file system being redirected to the pseudo file system.
The swap file, and file deletion via the trash bin, are also tricky issues to handle, so you need to consider carefully whether these affect you. Moreover, file system queries, directory contents and traversals become things you need to actively manage at this level. So the workload expands a lot in comparison with faking a FAT or two.
Arranging for redirecting to the PFS when a native file system mounts is something I saw implemented in someone else’s code a few years ago. It’s really simple if you know the magic code (but unfortunately I can’t remember any of the details except that it was very clean).
The PFS must present at its upper edge the appearance of a full Windows file system (more than a filter needs to do), but it can use an existing file system for disk reads and writes. E.g. create an ordinary file on the native file system as a kind of temporary disk image.
This largely avoids the cache issues which plague filter drivers, and is merely fiendishly difficult to write, rather than being actively ferocious! But since you have the IFS kit you have access to sample code for pretty well everything you need.
And as Don says you’ll need good boot protection too.
Jack.
“Don Ward” wrote in message news:xxxxx@ntdev…
I don’t know if a file system filter driver is the best way to do what you want, or not. I do know that writing file system filter drivers is ferociously difficult.
I’d be inclined to research the possibilities of using a simpler filter at a lower level (for instance, just above the disk class driver) to reserve an area of disk that cannot be written to under normal circumstances. However, if the malicious user is able to boot the machine to run his own code, then all bets are off: you’ve lost.
Another reason for rejecting a file system filter driver, apart from the difficulty of writing one, is that I don’t think a file system filter driver would protect you from lower level accesses such as formatting the disk.
Regards
Don
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Rakesh Yadava
Sent: 21 January 2005 07:58
To: Windows System Software Devs Interest List
Subject: [ntdev] Can a filter driver redirect this?
Hi all,
I am a software engineer working with a product-based company on a file system/filter driver.
I am new to this area; I am referring to “Device Driver by Art Baker” and the IFS toolkit.
I am facing a problem with this.
Please provide valuable help.
I’m aiming to create a “Desktop security software for public access computers”. The core feature of the software, which is Reboot to Restore the Hard Disk Drive, should have the ability to discard any changes made by a user once the software is installed on a system. It should restore the hard drive to its original configuration with a simple reboot/shutdown/after x-times reboot operation. This is accomplished in competitive products by redirecting the complete user I/O to a temporary buffer space hidden in the hard drive, or a private partition with a hidden file system type created by us. Any changes made by the user are written to the buffer space / private partition and available for the user during the current session / next session. As soon as the computer is rebooted / after a specified number of reboots, the I/O reads are redirected back to the original file locations and all changes made in the previous session are discarded, which simply means all the files created/modified/deleted by the user in the last session are completely restored!
All changes made by the user after Reboot-To-Restore is installed on the system should be temporary! For example, the user may perform all the following malicious actions, but the system will be completely restored with a simple reboot / after a specified number of reboots. The user may: install new software, remove software, delete folders, files or everything, get virus infections, power off or reset (no Scandisk), change desktop and background, download files from the Internet, make registry changes, format the hard drive!, totally mess up the computer!
All the above changes to the system should be completely restored.
Can you suggest anything???
Please…
Regards,
Rakesh
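The sector redirection that Jack describes (save the session's changes in free space, never touch the real allocation tables, forget the map at reboot) and the reboot-to-restore behaviour Rakesh asks for, as an added worked example in C. This is not code from the thread or from any of the posters, and it is not a driver: it is a constructed in-memory model of a 16-sector disk with 8-byte sectors, where sectors 0..7 are allocated and 8..15 are free, and every name in it (cow_disk, cow_read, cow_write, cow_reboot, cow_scenario, write_below_filter) is invented here. It also models Don's caveat: a write that reaches the sectors below the filter is simply not seen by it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy disk (assumption, not from the thread): 16 sectors of 8 bytes.
 * Sectors 0..7 are allocated (the protected image); 8..15 are free in the table. */
#define SECTORS 16
#define SECTOR_SIZE 8
#define PROTECTED 8
#define NO_MAP (-1)

typedef struct {
    char data[SECTORS][SECTOR_SIZE]; /* the physical sectors */
    bool free_sector[SECTORS];       /* the on-disk allocation table; the filter never writes it */
    int  redirect[SECTORS];          /* session map: logical sector -> borrowed sector, or NO_MAP */
    bool borrowed[SECTORS];          /* free sectors the filter has handed out this session */
} cow_disk;

void cow_init(cow_disk *d) {
    memset(d, 0, sizeof *d);
    for (int s = 0; s < SECTORS; s++) {
        d->free_sector[s] = (s >= PROTECTED);
        d->redirect[s] = NO_MAP;
        if (s < PROTECTED)
            snprintf(d->data[s], SECTOR_SIZE, "orig%02d", s);
    }
}

/* Pick a sector the allocation table calls free and the filter has not yet borrowed. */
static int borrow_free_sector(cow_disk *d) {
    for (int s = 0; s < SECTORS; s++) {
        if (d->free_sector[s] && !d->borrowed[s]) {
            d->borrowed[s] = true;
            return s;
        }
    }
    return NO_MAP; /* scratch space exhausted: further session writes must fail */
}

/* Read as seen through the filter: a redirected sector returns the session copy. */
const char *cow_read(const cow_disk *d, int sector) {
    int phys = d->redirect[sector] == NO_MAP ? sector : d->redirect[sector];
    return d->data[phys];
}

/* Write as seen through the filter. Every write (an update of an existing sector, or
 * the file system filling one it believes it just allocated) lands in a borrowed free
 * sector; the original sector and the allocation table are never modified. Redirecting
 * writes to free sectors too is what stops the file system from reusing a sector the
 * filter already borrowed for somebody else's copy. */
bool cow_write(cow_disk *d, int sector, const char *payload) {
    if (d->redirect[sector] == NO_MAP) {
        int scratch = borrow_free_sector(d);
        if (scratch == NO_MAP)
            return false;
        d->redirect[sector] = scratch;
    }
    snprintf(d->data[d->redirect[sector]], SECTOR_SIZE, "%s", payload);
    return true;
}

/* A "reboot": forget the session map. The allocation table still marks the borrowed
 * sectors free, so the file system sees the original image again. */
void cow_reboot(cow_disk *d) {
    for (int s = 0; s < SECTORS; s++) {
        d->redirect[s] = NO_MAP;
        d->borrowed[s] = false;
    }
}

/* Number of logical sectors whose filtered view differs from the stored image. */
int cow_changed_sectors(const cow_disk *d) {
    int n = 0;
    for (int s = 0; s < SECTORS; s++)
        if (d->redirect[s] != NO_MAP) n++;
    return n;
}

/* Don's caveat in this model: an access that reaches the sectors below the filter
 * (a low-level format, or code run from another boot device) never passes through
 * cow_write, so the filter can neither redirect nor undo it. */
void write_below_filter(cow_disk *d, int sector, const char *payload) {
    snprintf(d->data[sector], SECTOR_SIZE, "%s", payload);
}

/* One session followed by a reboot; returns how many of the nine expectations held. */
int cow_scenario(void) {
    cow_disk d;
    int ok = 0, s;
    cow_init(&d);
    ok += strcmp(cow_read(&d, 3), "orig03") == 0;  /* original image readable */
    ok += cow_write(&d, 3, "session");              /* session write accepted */
    ok += strcmp(cow_read(&d, 3), "session") == 0;  /* filtered view shows the change */
    ok += strcmp(d.data[3], "orig03") == 0;         /* physical sector 3 untouched */
    ok += d.free_sector[d.redirect[3]];             /* the copy lives in free space */
    ok += cow_changed_sectors(&d) == 1;
    cow_reboot(&d);
    ok += strcmp(cow_read(&d, 3), "orig03") == 0;   /* change discarded by the reboot */
    ok += cow_changed_sectors(&d) == 0;
    for (s = 0; s < 8; s++) cow_write(&d, s, "fill"); /* consume all eight free sectors */
    ok += !cow_write(&d, 8, "more");                /* ninth distinct sector: no scratch left */
    return ok;
}

int main(void) {
    printf("scenario checks passed: %d of 9\n", cow_scenario());
    return 0;
}
```

Two things the model makes visible that the thread only hints at. First, cow_reboot only forgets the map: the session's data is still physically present in the borrowed sectors until something overwrites them, so if the public-access requirement also covers the privacy of the previous user, the filter has to wipe what it borrowed rather than merely abandon it. Second, the "available during the next session / restore after x reboots" variant in Rakesh's description means the redirect map itself must be persisted somewhere the filter controls and the file system cannot reach, which is exactly the reserved, unwritable area Don suggests; keeping the map only in memory, as here, gives the simple restore-on-every-reboot behaviour.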