Hi every one,
Does the notepad call NtCreateFile before it map the file through virtual
memory?
What I realy want to know it that does every file object is created by issue
a IRP_MJ_CREATE?? If not then we have no way to know when the file we want
to monitor is created or opened,( I want to create/open another file object
if this file object’s file name is what i need to monitor)
Thanks
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Tuesday, April 30, 2002 9:23 AM
To: File Systems Developers
Subject: [ntfsd] Re: How Notepad.exe open and read a text file
Notepad uses memory-mapped files.
----- Original Message -----
From: “AChen”
To: “File Systems Developers”
Sent: Tuesday, April 30, 2002 10:09 AM
Subject: [ntfsd] How Notepad.exe open and read a text file
> i found a problem, when i open a textfile, Filemon will not do anything
in FilemonDeiveControl IRP_MJ_READ, and also not execute
from FilemonFastIoRead, and how does notepad get the real data. but when i
open the text file with MSDEV.exe, it will cause a
breakpoint at the IRP_MJ_READ.
>
> so if i want to block the open oeration by notepad.exe, it will fail. how
to solve this problemb‹šç.®·§¶\¬¹??Þv?µûjÉš?¬¶ŠÚç+i
û\¢dèº{.n?‰·¬zwZnV§‘隊[h•æ¯z{_±Ý´Ûp%ŠËl¢Ê
—
You are currently subscribed to ntfsd as: xxxxx@yahoo.ca
To unsubscribe send a blank email to %%email.unsub%%
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
You should read the latest article in the NT Insider on reference
counting in filter drivers. It covers the case where a fileobject is
created not via the ‘standard’ IRP_MJ_CREATE. For instance, NTFS creates
a separate fileobject to initialize the cache map for a file. Therefore
the fileobject you see through the IRP_MJ_WRITE may not be the same
fileobject used to open the file.
Pete
Peter Scott
xxxxx@KernelDrivers.com
http://www.KernelDrivers.com
>-----Original Message-----
>From: xxxxx@lists.osr.com [mailto:bounce-ntfsd-
>xxxxx@lists.osr.com] On Behalf Of gaoren
>Sent: Monday, May 13, 2002 2:15 PM
>To: File Systems Developers
>Subject: [ntfsd] Does Notepad.exe need to call ntCreateFile before it
map
>the file in the virtual memory?
>
>Hi every one,
>
>Does the notepad call NtCreateFile before it map the file through
virtual
>memory?
>What I realy want to know it that does every file object is created by
>issue
>a IRP_MJ_CREATE?? If not then we have no way to know when the file we
want
>to monitor is created or opened,( I want to create/open another file
>object
>if this file object’s file name is what i need to monitor)
>
>Thanks
>
>
>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
>Sent: Tuesday, April 30, 2002 9:23 AM
>To: File Systems Developers
>Subject: [ntfsd] Re: How Notepad.exe open and read a text file
>
>
>Notepad uses memory-mapped files.
>
>----- Original Message -----
>From: “AChen”
>>To: “File Systems Developers”
>>Sent: Tuesday, April 30, 2002 10:09 AM
>>Subject: [ntfsd] How Notepad.exe open and read a text file
>>
>>
>>> i found a problem, when i open a textfile, Filemon will not do
anything
>>in FilemonDeiveControl IRP_MJ_READ, and also not execute
>>from FilemonFastIoRead, and how does notepad get the real data. but
when i
>>open the text file with MSDEV.exe, it will cause a
>>breakpoint at the IRP_MJ_READ.
>>>
>>> so if i want to block the open oeration by notepad.exe, it will
fail.
>>how
>>to solve this problemb???.???????v???jɚ???ځ?+i
>>??d??{.n???zwZnV??隊[h???z{_?ݴ?p%??l??
>>
>>
>>—
>>You are currently subscribed to ntfsd as: xxxxx@yahoo.ca
>>To unsubscribe send a blank email to %%email.unsub%%
>>
>>
>>
>> _________________________________________________________
>>
>>Do You Yahoo!?
>>
>>Get your free @yahoo.com address at http://mail.yahoo.com
>>
>>
>>
>>
>>—
>>You are currently subscribed to ntfsd as: xxxxx@KernelDrivers.com
>>To unsubscribe send a blank email to %%email.unsub%%
> What I realy want to know it that does every file object is created by issue
a IRP_MJ_CREATE??
For data access, yes, but several “query file information by name” functions use FastIoQueryOpen instead of IRP_MJ_CREATE.
Max
Actually there are cases, as I pointed out before, definitely for data
access, that the file object is created internal to NTFS. Hence you will
see the fileobject via an IRP_MJ_WRITE but there was never an
IRP_MJ_CREATE for it.
Pete
Peter Scott
xxxxx@KernelDrivers.com
http://www.KernelDrivers.com
>-----Original Message-----
>From: xxxxx@lists.osr.com [mailto:bounce-ntfsd-
>xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
>Sent: Monday, May 13, 2002 6:21 PM
>To: File Systems Developers
>Subject: [ntfsd] Re: Does Notepad.exe need to call ntCreateFile before
it
>map the file in the virtual memory?
>
>> What I realy want to know it that does every file object is created
by
>issue
>> a IRP_MJ_CREATE??
>
>For data access, yes, but several “query file information by name”
>functions use FastIoQueryOpen instead of IRP_MJ_CREATE.
>
> Max
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@KernelDrivers.com
>To unsubscribe send a blank email to %%email.unsub%%