Do not get non cached Read requests on Windows 7

Hi all,

I work with a legacy filter driver that is supposed to encrypt files. Some time
ago I got strange behavior.

That occurs only on NTFS under Windows 7. When I try to read files, IRP_MJ_READ
requests for some of them come only as cached requests (IRP_NOCACHE flag is
zero), and non-cached requests don’t come. In such a case the driver does not
process such requests and the data are kept encrypted.

At the same time, when I turned on debug output in my driver, I got a lot of
messages and the driver worked very slowly. But all requests were correct and
the driver successfully decrypted all files.

Can anybody explain such behavior?

Thanks

Valery

Have you used “skip paging IO” flag at minifilter registration?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

OP said he has a legacy filter.
A little code snippet of read handler could provide some clue to list
members.

Regards
Deepak

On Mon, May 10, 2010 at 1:52 AM, Maxim S. Shatskih
wrote:

> Have you used “skip paging IO” flag at minifilter registration?
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> “Valery Druba” wrote in message
> news:xxxxx@ntfsd…
> Hi all,
>
> I work with legacy filter driver that supposed to encrypt files. Some time
> ago I got strange behavior.
> That occurs only on NTFS under Windows 7. When I try read files,
> IRP_MJ_READ requests for some of them come only as cached requests
> (IRP_NOCACHE flag is zero). And non cached requests don’t come. In such case
> driver do not process such requests and data are kept encrypted.
> At the same time when I turned on debug output in my driver, I got a lot of
> messages and driver worked very slowly. But all requests were correct and
> driver successfully decrypted all files.
> Can anybody explain such behavior ?
>
> Thanks
> Valery
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

You said:

> When I try read files, IRP_MJ_READ requests for some of them come only as cached requests (IRP_NOCACHE flag is zero). And non cached requests don’t come. In such case driver do not process such requests and data are kept encrypted.

and:

> At the same time when I turned on debug output in my driver, I got a lot of messages and driver worked very slowly. But all requests were correct and driver successfully decrypted all files.

Aren’t they contradictory? The first statement said that the driver does not process such requests, and the second said that the driver successfully decrypts them at the same time.

How is it possible? You need to share more information on it. Posting some code will help too.

Thank you Maxim and Deepak,

I researched the problem, and now it looks somewhat different.

My driver gathers information about opened files and saves it in an inner cache
in the completion procedure of IRP_MJ_CREATE.

Later, on each IRP_MJ_XXX call, the driver checks whether it is a known file. If
it is an unknown file, the driver just passes the call to the lower driver.

In the current issue I discovered that only filter manager is a lower driver
(except the FS driver, of course). I guess that one of the anti-viruses is
registered at this level.

At least I noticed that the DispatchCreate call passed through my driver and the
FS executed this call, but before CompletionCreate came to my driver, the
anti-virus called IRP_MJ_READ in a separate thread with this file object and a
new file context. So my driver got IRP_MJ_READ before CompletionCreate
returned, and of course it ignored this read call because it was an
unknown file. But this call was non-cached, and the other IRP_MJ_READ requests
were only cached.

Well, now the question: is there a way to set my driver lower than filter
manager?

Or is there another way to resolve the problem?

Thanks

Valery

Read the documentation on how the filter manager handles the various types
of file system filters noting that it is also involved in ‘sandboxing’
legacy filters. Pay special attention to ‘altitudes’. Also use the filter
manager utility to see how the various mini-filters and legacy filters stack
up. You might want to do this on a live system with several different AVs
(one at a time) and other products that use file system filters and
mini-filters.

The real answer to your question is to do the above and design your
algorithms to support the way the system really works and not how you would
want it to work.

As David pointed out, you need to be at the proper altitude. Your filter
must reside in the encryption altitude range… For legacy encryption filters
this can be achieved by setting the FSFilter Encryption as the Group for
your filter, which would load them at the proper time and thus they would be
below the AV altitude range…

Filter manager in Vista and Win7 will also take legacy filters into account
when creating its frames, provided that the filters register with the system
properly (i.e. by using the Group value …).

Look at any minifilter INF file for an example of how the INF should look
(the LoadOrderGroup entry)… Though they are minifilters, they are also
regular drivers and the Group entry is used by the system to decide when to
start them…

Thanks,
Alex.
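
A way to check the load-order group described in the message above, as an added example that is not part of the original thread. The service name `MyEncFlt` is hypothetical; `FSFilter Encryption` is the group named in the thread and `FSFilter Anti-Virus` is the standard anti-virus load-order group.

```powershell
# Added example, not from the thread. 'MyEncFlt' is a hypothetical service name.
param([string]$ServiceName = 'MyEncFlt')

$svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder'

# Group is the service value that the INF LoadOrderGroup entry sets.
$group = (Get-ItemProperty -Path $svcKey -Name Group -ErrorAction Stop).Group
# List is a REG_MULTI_SZ of group names in the order the system starts them.
$order = @((Get-ItemProperty -Path $orderKey -Name List -ErrorAction Stop).List)

function Get-GroupIndex([string]$Name) {
    # Case-insensitive position in the start order; -1 when not listed.
    for ($i = 0; $i -lt $order.Count; $i++) {
        if ($order[$i] -ieq $Name) { return $i }
    }
    return -1
}

$mine = Get-GroupIndex $group
$enc  = Get-GroupIndex 'FSFilter Encryption'
$av   = Get-GroupIndex 'FSFilter Anti-Virus'

[pscustomobject]@{
    Service = $ServiceName; Group = $group; GroupIndex = $mine
    EncryptionIndex = $enc; AntiVirusIndex = $av
} | Format-List

if ($mine -lt 0) {
    Write-Warning "Group '$group' is not listed in ServiceGroupOrder."
} elseif ($group -ine 'FSFilter Encryption') {
    Write-Warning "Service is in '$group', not in 'FSFilter Encryption'."
}
if ($mine -ge 0 -and $av -ge 0 -and $mine -gt $av) {
    Write-Warning "Group '$group' starts after 'FSFilter Anti-Virus'."
}

# Filter manager's own view of loaded filters (run from an elevated prompt).
fltmc.exe filters
```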

Yes, my driver is registered in its own group, and this group is placed right
after the FSFilter Encryption group.
And the driver that sends IRP_MJ_READ is registered in the FSFilter Activity
Monitor group, which is placed much higher than the anti-viruses.
I guess they use something undocumented to catch completion procedure lower
encryption driver.

Thanks
Valery

> I guess they use something undocumented to catch completion procedure lower encryption driver.

You mean a driver above you has used something undocumented to check for completion of a create IRP, and is getting notified before you?

It shouldn’t be the case at all; the AV (or any other driver) cannot work this way. The highest probability is that you missed/skipped a create IRP.

What do you mean by “own group”? Are you not registered in the FSFilter
Encryption group? I’m pretty sure you need to do that in order for filter
manager to be able to figure out where you need to be in the altitude
range…

Could you please post a !fltkd.volumes and !devstack on a device stack where
your filter is attached?

Thanks,
Alex.

Absolutely agree with you, it’s impossible, that is why I checked this
several days and saw it implicitly.

Thanks
Valery
