Drive letter available

Hi, all

I have a filter driver, which is installed before any file system loads.
Now I need to find the file system device object, belonging to e.g.
C:. It is clear, that I cannot get the device object in the moment when
my filter installs.

Well, I create a worker thread, which (once per 0.5 sec) will try to get
the device object. When it succeeds, it will end.

But a problem is that I wouldn’t like to use ZwCreateFile for opening
the root directory of the drive (at least until the drive is mounted).
Is it possible to achieve it any other way?
E.g. using symbolic links?
Or is it possible to find that the volume is already mounted?

And another question: Does anyone know what object type I retrieve
when I call this?

ObReferenceObjectByHandle(SymbolicLinkObjectHandle,
                          FILE_READ_DATA,
                          NULL,
                          KernelMode,
                          &Object,
                          NULL)

(It’s not a driver object, not a device object, not a file object.)

Thank you

L.

Use the techniques in the FileSpy sample included with the IFSKIT to
register for filesystem registration events, then hook the filesystem
device object to watch out for mount events. After a successful mount
use IoVolumeDeviceToDosName on the ‘real device’ that was mounted to get
the drive letter.

Nick Ryan (MVP for DDK)

Hi,

Strangely, this method works for IDE hard drives.
But when I use the IoVolumeDeviceToDosName API on removable media such as
USB hard drive, PCMCIA hard drive, or compact flashes etc., it will crash.

Why is that so?
I have used the API in MountCompletion.

Thank You!

cheers,
vincent

>From: Nick Ryan
>Reply-To: “Windows File Systems Devs Interest List”
>To: “Windows File Systems Devs Interest List”
>Subject: [ntfsd] Re: Drive letter available
>Date: Thu, 27 Nov 2003 14:26:28 -0800
>
>Use the techniques in the FileSpy sample included with the IFSKIT to
>register for filesystem registration events, then hook the filesystem
>device object to watch out for mount events. After a successful mount use
>IoVolumeDeviceToDosName on the ‘real device’ that was mounted to get the
>drive letter.

I reverse engineered this a while back, and recall that this API simply
constructed some mountdev IOCTLs and sent them to the device. Either the
device is mishandling the IOCTL or somehow you’re not using the correct
device object…? Did you check for NULL, etc.?

Nick Ryan (MVP for DDK)

Wrong approach, use IoRegisterFsRegistrationChange instead.
SFILTER is the sample.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Ladislav Zezula
To: Windows File Systems Devs Interest List
Sent: Thursday, November 27, 2003 11:28 PM
Subject: [ntfsd] Drive letter available

Hi,

I use the RealDeviceObject and I did check for null.
It is not null.
It actually did not crash, it just hung.
Like a deadlock.
Because I realised that it called the API twice before it deadlocked.

Is there any other way to get the drive letter, or where is the right place to call
this API?

Thank you!

cheers,
vincent

>From: Nick Ryan
>Reply-To: “Windows File Systems Devs Interest List”
>To: “Windows File Systems Devs Interest List”
>Subject: [ntfsd] Re: Drive letter available
>Date: Fri, 28 Nov 2003 12:10:02 -0800
>
>I reverse engineered this a while back, and recall that this API simply
>constructed some mountdev IOCTLs and sent them to the device. Either the
>device is mishandling the IOCTL or somehow you’re not using the correct
>device object…? Did you check for NULL, etc.?

Odd, I will try to reproduce this scenario with a USB drive and then see
what the deal is.

Nick Ryan (MVP for DDK)