I have some questions about the mini filter.
When a file is copied I get several events in PostCreate. I will scan the file in user mode only once. Can I know if the file is scanned before? Or can I pass a flag that says that this file is already scanned?
Another question is if I can pass a file handle to the user mode?
Thanks
Mattias
Absolutely,
This is precisely what Stream Context are useful for. Have a look at
FltAllocateContext, FltSetStreamContext, and FltReleaseContext. The
Scanner sample in the WDK demonstrates almost exactly what your looking
for, just add a flag to that structure and you could copy most
of that code with few changes.
Matt
xxxxx@netcleantech.com wrote:
I have some questions about the mini filter.
When a file is copied I get several events in PostCreate. I will scan the file in user mode only once. Can I know if the file is scanned before? Or can I pass a flag that says that this file is already scanned?Another question is if I can pass a file handle to the user mode?
Thanks
Mattias
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminarsYou are currently subscribed to ntfsd as: matt-martin@tx.rr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Thank you for the quick answer.
I have looked at the scanner example and I have not found these functions FltAllocateContext, FltSetStreamContext, and FltReleaseContext in the code. The scanner example did my thing but I still get several events and I don’t know how I send message between the events on the same file. Shall I use this function instead FsRtlInitPerStreamContext, FsRtlLookupPerStreamContextInternal, FsRtlGetPerStreamContextPointer and FsRtlInsertPerStreamContext? Where could I get example code to se how it is implemented?
Thanks
Mattias
Pardon me, the scanner sample uses Stream Handle Context,
(FltSetStreamHandleContext) but never the less it works the same way,
this is an easy thing
to change.
If you look at ‘scanner.c’ from the WDK 6000, lines 715 threw 730
allocate and set the context, and then it’s retrieved at line 860 where
a flag in the context
structure could be read or set.
In your post create, try to get the context, if it doesn’t exist create
and attach it and signal your UM app to start the scan and store your
flag…
You really need to stick with fltmgr functions when you can.
Good luck
xxxxx@netcleantech.com wrote:
Thank you for the quick answer.
I have looked at the scanner example and I have not found these functions FltAllocateContext, FltSetStreamContext, and FltReleaseContext in the code. The scanner example did my thing but I still get several events and I don’t know how I send message between the events on the same file. Shall I use this function instead FsRtlInitPerStreamContext, FsRtlLookupPerStreamContextInternal, FsRtlGetPerStreamContextPointer and FsRtlInsertPerStreamContext? Where could I get example code to se how it is implemented?
Thanks
Mattias
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminarsYou are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
At last it all works 
I try to use FltSetStreamHandleContext but it dos not works, FltSetStreamContext works better.
But now I have some other troubles. I only need to allocate the stream context ones. When I copies a file the second time I don’t need to allocate the context again it already exist.
There are three questions.
If I allocate context and not freeing the memory, can I run out of memory?
Do I need to delete the context?
If I need to delete the context where should I do that?
Thanks
Mattias Bergkvist
Just some hints:
The stream contexts are reference counted. You shall take great care to call FltReleaseContext each time you call FltSetStreamContext to maintain the correct reference counts. This has been discussed a lot on the NTFSD list, please do a search. Also, it is reasonably well described in the WDK help.
AFAIK you shall never delete effectively a stream context. The system will automatically do that when the file system doesn’t need anymore that context.
AFAIK, you have no control for the lifetime of a stream context object after the last handle on the corresponding file has been closed. The file system might keep that stream context alive for very long time, or, delete it immediately. The only thing that is guaranteed is that as long as there is at least an open handle to that file, an already set stream context will be there (so, you can store info like “the file was scanned” there). Once, the last handle is closed, you can’t relay on the stream context being kept alive for another, future open on that file.
Sandor LUKACS
Thanks Lukacs for the help.
First I use FltGetStreamContext if that call is unsuccessful I call FltAllocateContext after that I call FltSetStreamContext and at last I call FltReleaseContext only once.
Shall I call FltReleaseContext for every successfully call to FltGetStreamContext, FltAllocateContext and FltSetStreamContext, in my case it shall be two times because the FltGetStreamContext fails?
Have I understand it all correctly?
Thanks
Mattias Bergkvist
In my ScannerPostCreate I call FltAllocateContext and then FltSetStreamContext and at the end a call to FltReleaseContext.
I still have one reference left for FltSetStreamContext, where shall I release it?
Thanks for all help
Mattias Bergkvist
You don’t. FltSetStreamContext transfered ownership to the filter manager.
You are releasing the reference from the allocate.
This was all explained in other messages last week.
Bill Wandel
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@netcleantech.com
Sent: Wednesday, January 09, 2008 10:32 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Can I know if the file is scanned before?
In my ScannerPostCreate I call FltAllocateContext and then
FltSetStreamContext and at the end a call to FltReleaseContext.
I still have one reference left for FltSetStreamContext, where shall I
release it?
Thanks for all help
Mattias Bergkvist
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars (including our new fs
mini-filter seminar) visit:
http://www.osr.com/seminars
You are currently subscribed to ntfsd as: xxxxx@bwandel.com To
unsubscribe send a blank email to xxxxx@lists.osr.com
Sorry that I have missed the thread about “FltReleaseContext confusion” http://www.osronline.com/cf.cfm?PageURL=showlists.CFM?list=NTFSD
But the thread is missing to explain how long time it takes until the system is decrement the reference count and freeing the context? Is it minutes, hours or days?
Thanks
Mattias Bergkvist