I’m writing a file level encryption mini filter driver that must also support CIFS.
I manage to encrypt/decrypt files correctly by filtering the non cache operations and I get the proper behavior when I read/write files or even create files on the network directory (scenario 1).
When I copy files to the remote directory (scenario 2) however, I get very strange behavior -
writes are somehow written with the NON_CACHE flag off.
I suspect that is because somehow some driver on top of mine writes through as well as writing to the cache.
I tried looking at the preCreate callback method for any create options differences as well as the preWrite callback parameters (iopb->OperationFlags, Data->Flags, FltObjects->FileObject->Flags) between to two scenarios but found nothing significant, do indicate something consistent.
I also looked at the FCB_HEADER structure in the fsContext but again, nothing special.
Sysinternal’s FileMon on files created/copied indicates the create function was called with different options, but by the time it reaches my driver they are indistinguishable…
The problem is the cache state of the file is being modified during an
IO operation. There is an article on osr online about this. Basically
you are required to peak into the MRX_FCB control structure, which
changes for each platform, examine the cache state of the file and make
a decision as to whether the IO is cached or not. More specifically
whether the currently cached IO request is going to become a non-cached
IO when it is processed by the LanMan redirector. But you must also
handle the edge case where it changes after you look at it, possibly due
to an OpLock break.
Then to really mess things up, the MRX_FCB structures released in the
latest versions of the WDK are not the ones which are actually used in
Vista and they are not going to release the real ones. What does this
mean? Things are completely broken until someone at MSFT decides on a
solution to expose this information.
The only complete solution is to write a component which takes over the
file objects and you control the state of caching on these.
Pete
Kernel Drivers
Windows File System and Device Driver Consulting www.KernelDrivers.com
866.263.9295
I’m writing a file level encryption mini filter driver that must also support CIFS.
I manage to encrypt/decrypt files correctly by filtering the non cache operations and I get the proper behavior when I read/write files or even create files on the network directory (scenario 1).
When I copy files to the remote directory (scenario 2) however, I get very strange behavior -
writes are somehow written with the NON_CACHE flag off.
I suspect that is because somehow some driver on top of mine writes through as well as writing to the cache.
I tried looking at the preCreate callback method for any create options differences as well as the preWrite callback parameters (iopb->OperationFlags, Data->Flags, FltObjects->FileObject->Flags) between to two scenarios but found nothing significant, do indicate something consistent.
I also looked at the FCB_HEADER structure in the fsContext but again, nothing special.
Sysinternal’s FileMon on files created/copied indicates the create function was called with different options, but by the time it reaches my driver they are indistinguishable…
Please help,
Ariel.
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit: http://www.osr.com/seminars
As I figure the MRX_FCB structure is pointed to by the file object’s fsContext member, no?
What did you mean by a “… component controlling the file objects”?
Yes, the FsContext points to the Fcb which in the Mrx implementation has
it’s own structure.
You would need to implement a file system like module that would take
over the control of the file objects ‘above’ you and create your own set
of file objects to send ‘below’ you. To get this designed and
implemented be ready for about a year of development and test.
Pete
Kernel Drivers
Windows File System and Device Driver Consulting www.KernelDrivers.com
866.263.9295
As I figure the MRX_FCB structure is pointed to by the file object’s fsContext member, no?
What did you mean by a “… component controlling the file objects”?
Thanks again,
Ariel.
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit: http://www.osr.com/seminars
Wow, based upon the work I’ve done of late, I’d think that a year is
VERY optimistic. The only thing more painful than working on top of RDR
in my experience is working on top of MUP. In either case we are forced
to worry about some rather complex interactions (CSC and DFS come
quickly to mind. Plus there’s the frustration of wanting to cache
information and being told by the RDR developers to piss off when we ask
if we can be told when oplocks break. Nothing better than writing an
entire SMB protocol engine all so we can monitor oplock breaks in order
to do proper caching over RDR.)
Being VERY optimistic isn’t my Forte, in fact, being optimistic also isn’t…
Basically I’ll try and custom make a solution for all the various OS I’ll need to support unless you can think of another way to accomplish the same result.
OK, you can do this for all platforms BUT Vista and above. It is NOT
that the MRX_FCB structures are not published for these platforms, they
are, or at least a version of them are in the WDK. But the ones in the
WDK are not the versions that are actually used and the structures in
the WDK are not even close to what is really used.
I have contacted MSFT development about this and what they have said is
that we can talk about a solution after the release of server 2008,
meaning that it will not be available for quite some time.
In the end, any driver which needs to rely on this technique, which are
any network data manipulation filter, is broken on Vista and above. MSFT
is not going to offer a work around at this point even though there are
probably hundreds of products out there that are currently broken in the
field and not many people realize this point.
Pete
Kernel Drivers
Windows File System and Device Driver Consulting www.KernelDrivers.com
866.263.9295
Being VERY optimistic isn’t my Forte, in fact, being optimistic also isn’t…
Basically I’ll try and custom make a solution for all the various OS I’ll need to support unless you can think of another way to accomplish the same result.
Ariel.
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit: http://www.osr.com/seminars
Not all data modifying filters depend on understanding the underlying
cache state. Our own kit, for example, does not depend upon cached
state of the underlying file system. But building such systems is quite
a lot more complicated, since it involves controlling the cache
yourself.
Oh, and lest I miss the opportunity, may I once again curse the RDR
folks for refusing to share their cache management logic (a/k/a oplocks)
with us.
