Hi,
I am in the process of developing a file system filter
driver. I have got it working for the most part with
help of the sample in the IFS Kit.
I have a few questions on detecting file creation and
attributes in the driver.
-
How do I know when a file is being a created so
that I can flag that particular record to be sent to
the user-mode program? At which stage should this
detection be done?
-
It will also be helpful if someone could let me
know how to differentiate between requests to read
directories and to read files.
Thanks
Krishna
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
Krishna,
- Detection of file creation (or opening of an object) is done during the processing of IRP_MJ_CREATE FSD entry point. This is one of the (and probably ‘the’) most complex entry points in the world of NT FSD/Filtering. So need to have a detailed understanding of all the possible cases that this entry point needs to handle. Based on my experience, I categorize the processing typically done during IRP_MJ_CREATE into the following 6 distinct cases.
a. Opening of the FSD volume
b. Opening of the ‘Root’ directory (different that the volume open).
c. Re-Opening of an existing directory
d. Opening of an existing object (directory or file)
e. Opening of a ‘Target’ directory (used by I/O manager during a ‘Rename’ operation).
f. Creating a new object (directory or file), truncate the file object if already exits.
Determination of which of the above case IRP_MJ_CREATE IRP is invoked for, is based on various parameters passed through this IRP.
Rajeev Nagar’s book, OSRs book or OSR articles should be able to explain the parameter parsing logic to determine an appropriate case.
Experts on the list, please correct me if I am wrong.
- ‘File’ reads are identified by a IRP_MJ_READ or FastIoRead entry point. Note that typically NT FSDs will fail a IRP_MJ_READ if it is invoked on a ‘directory’ object (though I believe old Unix interfaces use to allow reading of directory as if its a normal file).
‘Directory’ reads are
identified by a IRP_MJ_DIRECTORY_CONTROL entry point with a minor function code of IRP_MN_QUERY_DIRECTORY.
Again if you specify a ‘File’ object to IRP_MJ_DIRECTORY_CONTROL, FSD will fail the request.
www.osronline.com is an excellent source of information for details.
I hope this helps.
Regards,
Manish
Krishna Monian wrote:
Hi,
I am in the process of developing a file system filter
driver. I have got it working for the most part with
help of the sample in the IFS Kit.
I have a few questions on detecting file creation and
attributes in the driver.
1. How do I know when a file is being a created so
that I can flag that particular record to be sent to
the user-mode program? At which stage should this
detection be done?
2. It will also be helpful if someone could let me
know how to differentiate between requests to read
directories and to read files.
Thanks
Krishna
__________________________________
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
—
Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
---------------------------------
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger
Krishna
IRP_MJ_CREATE is used for creation of things which include files and
directories so you need in work with IRP_MJ_CREATE. Well IRP_MJ_CREATE is
used for create, open, overwrite, supersede and the special case of
SL_OPEN_TARGET_DIRECTORY. The
easiest way I know to determine if the thing was created is to look at
IoStstus.Information in the completion routine (post create path); if the
thing was created then this field will have value FILE_CREATED. Note that
overwrite and supersede (?) also change the attributes; there are similar
definitions of value for the IoStatus.Information field for these cases.
If you want to know if the thing is a file or directory then in the most
general terms you will need to ask the file system in the post create path.
If FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE was specified in the IRP
and the create succeeds then you can infer if the thing was not a directory
and that might suffice for your purposes.
The attributes can be changed after the file is created. See for example
IRP_MJ_SET_INFORMATION for information class FileBasicInformation among
others. So you might need to track these also.
On the question of requests to read directories as opposed to files … I
dont know if IRP_MJ_READ can succeed when the target is a directory sounds
odd to me; it might be allowed for paging reads however. Might the the best
thing for you is to remember your answer about whether the thing is a file
or directory from IRP_MJ_CREATEl if you do down this road then you are into
context tracking and you could have a look at the OSR NT Insider article on
reference counting and context tracking for some valuable pointers.
Good luck
Lyndon
“Krishna Monian” wrote in message
news:xxxxx@ntfsd…
> Hi,
> I am in the process of developing a file system filter
> driver. I have got it working for the most part with
> help of the sample in the IFS Kit.
>
> I have a few questions on detecting file creation and
> attributes in the driver.
>
> 1. How do I know when a file is being a created so
> that I can flag that particular record to be sent to
> the user-mode program? At which stage should this
> detection be done?
>
> 2. It will also be helpful if someone could let me
> know how to differentiate between requests to read
> directories and to read files.
>
> Thanks
> Krishna
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Friends. Fun. Try the all-new Yahoo! Messenger.
> http://messenger.yahoo.com/
>