Hi All,
While reading the FltGetFileNameInformation documentation I have found that the descriptions of FLT_FILE_NAME_QUERY_DEFAULT & FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP are very much the same except for one sentence, in the case of FLT_FILE_NAME_QUERY_DEFAULT: “If it is not currently safe to query the file system for the file name, FltGetFileNameInformation does nothing.” So I have the following doubts…
What is the real difference between FLT_FILE_NAME_QUERY_DEFAULT & FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP?
What does it mean that FltGetFileNameInformation does nothing in the case of FLT_FILE_NAME_QUERY_DEFAULT if it is not currently safe to query the file system for the file name? Does it mean it returns success without filling out the parameters?
Thanks,
Hawakeli.
The difference is that FLT_FILE_NAME_QUERY_DEFAULT will fail with STATUS_FLT_INVALID_NAME_REQUEST if it is not safe to query the name from the file system at that time even if the name is in the cache, whereas FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP would always return the name from the cache, regardless of whether it would be safe to query the FS.
Let’s assume you have 3 primitives: GetNameFromFSIsSafe(), GetNameFromFS() and GetNameFromCache(). Then the meaning of the flags is:
FLT_FILE_NAME_QUERY_CACHE_ONLY:
    return GetNameFromCache();

FLT_FILE_NAME_QUERY_FILESYSTEM_ONLY:
    if (!GetNameFromFSIsSafe()) return STATUS_FLT_INVALID_NAME_REQUEST;
    return GetNameFromFS();

FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP:
    name = GetNameFromCache();
    if (name) return name;
    if (!GetNameFromFSIsSafe()) return STATUS_FLT_INVALID_NAME_REQUEST;
    return GetNameFromFS();

FLT_FILE_NAME_QUERY_DEFAULT:
    if (!GetNameFromFSIsSafe()) return STATUS_FLT_INVALID_NAME_REQUEST;
    name = GetNameFromCache();
    if (name) return name;
    return GetNameFromFS();
In development you are supposed to use FLT_FILE_NAME_QUERY_DEFAULT, because as a developer you want to know if your filter’s design requires it to get a name when it is not safe to do so. In release builds you can leave it as FLT_FILE_NAME_QUERY_DEFAULT or you could switch it to FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP, which might return a name in cases where FLT_FILE_NAME_QUERY_DEFAULT might fail, but is much less deterministic because of the cache (so it’s harder to debug).
Does this make sense?
Thanks,
Alex.
Thanks Alex, that is really a great explanation.
But I got a BSOD with bug check PAGE_FAULT_IN_NONPAGED_AREA while accessing the structure returned by the function. After that I was not able to reproduce it, so I thought the function returns success without filling out the parameters?
Can anyone explain why PAGE_FAULT_IN_NONPAGED_AREA occurred?
>Can anyone explain why PAGE_FAULT_IN_NONPAGED_AREA occurred?
Invalid kernel memory reference, usually. Without !analyze -v output it’s impossible to say why it happened in your case specifically.
-scott
–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com