Hi All,
While observing the IRP sequence for a file copy operation, I have noticed
one strange thing. I have a network shared folder with writable access.
When I copied a file (whether from the local machine or from a n/w share) and
pasted it into the network shared folder, I observed a new pattern of IRP
sequence (while running FILEMON on the local system).
On doing Paste, the IRPs generated on the destination file are (as
observed on the local machine):
IRP_MJ_CREATE (File Overwritten)
.
.
IRP_MJ_CREATE (File Open: Write access)
.
.
.
IRP_MJ_CLEANUP
IRP_MJ_CLOSE
IRP_MJ_SET_INFORMATION
.
.
IRP_MJ_WRITE
IRP_MJ_CLEANUP
IRP_MJ_CLOSE
When I observed the IRP pattern on the other system using FileMon (on which
the destination file was actually there), I guessed that the 2nd IRP_MJ_CREATE
(with Open Access) was done for checking the security privileges. There
were many IRP_MJ_QUERY_SECURITY in between.
Now my question is: is my observation that the Create Cleanup here was
done just to check the Security Info correct, and if so, is there any way
that I can avoid these calls in my log, because I do not want to show these
dummy calls in the final output logs?
What I think is that there must be some specific information (maybe some
flag) in the IRP_MJ_CREATE call, which should signify that it is a call for
checking security information.
Thanks a lot.
Thanks and Regards,
Shreshth