Dependency between IRP_MJ_CREATE and IRP_MJ_WRITE

Hi

The following case happens during logging with a simple minifilter:

IRP_MJ_CREATE C:\test.log
IRP_MJ_CREATE C:\test.log
IRP_MJ_WRITE C:\test.log

I would like to know if it is possible to figure out whether the write goes to the file created the first or the second time, although it is the same file! Because I couldn’t find a way to get the file handle, I thought it would be possible to use the address of the file object as an indicator, but in the case above the address is the same for both creates. Is there another way to determine the logical dependency between those actions?

Best regards

Hans

> I would like to know if it is possible to figure out if the write goes to
> file created the first or in the second time

You are getting there. The file object is where you want to go.
Specifically you probably want to look at StreamHandleContexts.

> but in the case above the address is the same for both creates

That will only happen if the create failed or the file was closed between
the two creates. Either track Close or cleanup or (again) look at Stream
Handle Contexts.

Rod

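The two approaches Rod describes, as an added user-mode C model that is not code from the thread or from Filter Manager: a filter that keys on the FILE_OBJECT address keeps attributing the write to the first create unless it also tracks close, while a per-handle context (what FltSetStreamHandleContext attaches in post-create and FltGetStreamHandleContext returns in pre-write) carries the answer with the open itself. FILE_OBJECT_MODEL, HANDLE_CTX, the two-slot pool and the sequence numbers are stand-ins for illustration.

```c
/* User-mode model (added example, not FltMgr code) of the two ways to tie a write
 * to an open: a table keyed on the FILE_OBJECT address versus a per-handle context
 * carrying a create sequence number. A two-slot pool makes address reuse deterministic. */
typedef struct { int in_use; } FILE_OBJECT_MODEL;       /* stand-in for FILE_OBJECT */
typedef struct { unsigned create_seq; } HANDLE_CTX;     /* stand-in for a stream handle context */
typedef struct { FILE_OBJECT_MODEL *fo; HANDLE_CTX ctx; } OPEN;
typedef struct { FILE_OBJECT_MODEL *addr; unsigned seq; } ADDR_ENTRY;

static FILE_OBJECT_MODEL g_pool[2];                     /* lowest free slot is reused first */
static unsigned g_create_counter;
static ADDR_ENTRY g_by_addr[2]; static int g_by_addr_n; /* address-keyed table, no contexts */

/* Post-create: tag the open with a sequence number and record its address once. */
static OPEN post_create(void) {
    OPEN o = { 0, { ++g_create_counter } };
    for (int i = 0; i < 2 && !o.fo; i++)
        if (!g_pool[i].in_use) { g_pool[i].in_use = 1; o.fo = &g_pool[i]; }
    for (int i = 0; i < g_by_addr_n; i++)
        if (g_by_addr[i].addr == o.fo) return o;        /* stale entry from an earlier create */
    g_by_addr[g_by_addr_n++] = (ADDR_ENTRY){ o.fo, o.ctx.create_seq };
    return o;
}

/* Pre-write: the context answer travels with the open; the table answer depends on cleanup. */
static unsigned owner_by_context(const OPEN *o) { return o->ctx.create_seq; }
static unsigned owner_by_address(const OPEN *o) {
    for (int i = 0; i < g_by_addr_n; i++)
        if (g_by_addr[i].addr == o->fo) return g_by_addr[i].seq;
    return 0;
}

/* Close: free the slot; the table entry is dropped only when close is tracked. */
static void post_close(OPEN *o, int track_close) {
    o->fo->in_use = 0;
    for (int i = 0; track_close && i < g_by_addr_n; i++)
        if (g_by_addr[i].addr == o->fo) g_by_addr[i] = g_by_addr[--g_by_addr_n];
}

/* Replays create, close, create, write. method 1 = address table, 2 = handle context. */
static unsigned replay(int method, int track_close) {
    g_create_counter = 0; g_by_addr_n = 0; g_pool[0].in_use = g_pool[1].in_use = 0;
    OPEN first = post_create();
    post_close(&first, track_close);
    OPEN second = post_create();                        /* same address as first */
    unsigned owner = method == 2 ? owner_by_context(&second) : owner_by_address(&second);
    post_close(&second, track_close);
    return owner;
}
```

replay(1, 0) returns 1 (the write is misattributed to the first create), replay(1, 1) and replay(2, 0) return 2.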

Rod Widdowson wrote:

> I would like to know if it is possible to figure out if the write goes
> to file created the first or in the second time

> You are getting there. The file object is where you want to go.
> Specifically you probably want to look at StreamHandleContexts.

One added piece of information … be aware that you might see the
writes come in on a file object for which you have never seen an
IRP_MJ_CREATE. Search for stream file objects to learn more about those.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295