Extended Attributes support on Windows XP

Mahesh_Dhannawat · June 2, 2008, 10:53am

Hi all,

I am developing a nullfilter driver, in which i want to support Extended Attributes for a file.
First i want to set EA to my file and then use this EA for identifying it as my file.

For assigning EAs to the file, functions FltSetEaFile/FltQueryEaFile are usable only for Win2k3 onwards, i want to support EA for Windows XP SP2.

Also i tried registering the irps IRP_MJ_QUERY_EA & IRP_MJ_SET_EA. But i haven’t found any use of it as these irps are not called whenever the files are accessed.

About NtQueryEaFile/NtSetEaFile, not able to use it, i think it need some header files, also no related documentation found in the IFS Kit.

Kindly help me, how sholud i support EAs on WINDOWS XP SP2.

Any inputs are appreciated.

Thanks
Mahesh

Don_Burn_1 · June 2, 2008, 11:01am

The only way is to roll your own IRP’s. This has the huge problem that all
mini-filters below you in the stack will not see these calls so your driver
could cause problems. Unfortunately, this is one of the holes that a number
of us have complained about for some time.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntfsd…
> Hi all,
>
> I am developing a nullfilter driver, in which i want to support Extended
> Attributes for a file.
> First i want to set EA to my file and then use this EA for identifying it
> as my file.
>
> For assigning EAs to the file, functions FltSetEaFile/FltQueryEaFile are
> usable only for Win2k3 onwards, i want to support EA for Windows XP SP2.
>
> Also i tried registering the irps IRP_MJ_QUERY_EA & IRP_MJ_SET_EA. But i
> haven’t found any use of it as these irps are not called whenever the
> files are accessed.
>
> About NtQueryEaFile/NtSetEaFile, not able to use it, i think it need some
> header files, also no related documentation found in the IFS Kit.
>
> Kindly help me, how sholud i support EAs on WINDOWS XP SP2.
>
> Any inputs are appreciated.
>
> Thanks
> Mahesh
>

OSR_Community_User · June 2, 2008, 11:34am

> Also i tried registering the irps IRP_MJ_QUERY_EA & IRP_MJ_SET_EA. But i

haven’t found any use of it as these irps are not called whenever the files
are
accessed.

Correct, since no software in usual Windows package ever use EAs

–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Don_Burn_1 · June 2, 2008, 11:37am

Max,

I will have to go back and remember which, but that statement is wrong.
There are a number of server type products that use EA’s including stuff
from Microsoft.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntfsd…
>> Also i tried registering the irps IRP_MJ_QUERY_EA & IRP_MJ_SET_EA. But i
>>haven’t found any use of it as these irps are not called whenever the
>>files
> are
>>accessed.
>
> Correct, since no software in usual Windows package ever use EAs
>
> –
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>

OSR_Community_User · June 2, 2008, 11:50am

> There are a number of server type products that use EA’s including stuff

from Microsoft.

I mean the bare Windows OS without additional software installed.

Also note that NTFS has a better replacement of EAs - named additional
attribute streams.

I believe that some software (not only virii and AV) uses these streams, but
EAs, which are the obsolete OS/2 feature moved to NT kernel to be OS/2
compatible???

–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

OSR_Community_User · June 2, 2008, 1:32pm

As well, remember they are only supported on NTFS and FAT12/16, not
FAT32. You can see this in the source for FastFat. Also, they conflict
with reparse point information so if a directory has one it can not have
the other.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

Maxim S. Shatskih wrote:

> There are a number of server type products that use EA’s including stuff
> from Microsoft.

I mean the bare Windows OS without additional software installed.

Also note that NTFS has a better replacement of EAs - named additional
attribute streams.

I believe that some software (not only virii and AV) uses these streams, but
EAs, which are the obsolete OS/2 feature moved to NT kernel to be OS/2
compatible???

OSR_Community_User · June 3, 2008, 2:26am

Hi All,

to get EA im using ZwQueryEaFile and works fine …

Mahesh_Dhannawat · June 3, 2008, 12:24pm

Hi all ,

Mitja, you are correct, ZwQueryEaFile/ZwSetEaFile works fine. I am calling these functions in Create Operation.

But ZwQueryEaFile/ZwSetEaFile need FileHandle as input, that means open the file using FltCreateFile() to get filehandle which is very expensive operation leading towards performance degradation.

Also, Using FltCreateFile() and ZwSetEaFile(), i tried setting EA for a file, and then call ZwQueryEaFile() to check whether EAs are set properly or not.

Here is the Pseudo Code:

PreCreate()
{
PFILE_FULL_EA_INFORMATION eaBuffer = NULL;
LONG eaLength;
char header[10] = “testEA”;

PFILE_FULL_EA_INFORMATION pGetEA;
char Buffer[sizeof(FILE_FULL_EA_INFORMATION) + 20];

eaLength = FIELD_OFFSET(FILE_FULL_EA_INFORMATION, EaName[0]) + sizeof(header) + 1;
eaBuffer = (PFILE_FULL_EA_INFORMATION)
ExAllocatePoolWithTag(NonPagedPool,eaLength,‘1EBA’);

if(NULL == eaBuffer)
{
return;
}

RtlZeroMemory(eaBuffer, eaLength);

eaBuffer->NextEntryOffset = 0;
eaBuffer->Flags = 0;
eaBuffer->EaNameLength = (UCHAR)strlen(header);
eaBuffer->EaValueLength = (USHORT)strlen(header);

RtlCopyMemory(&eaBuffer->EaName[0],header,strlen(header)+1);

status = ZwSetEaFile(hFileHandle, … handle obtained using FltCreateFile()
&ioStatus,
eaBuffer,
eaLength);

if(!NT_SUCCESS(status))
{
return;
}

status = ZwQueryEaFile(hFileHandle,
&ioStatus,
(PFILE_FULL_EA_INFORMATION)Buffer,
sizeof(Buffer),
TRUE,
NULL,
0,
NULL,
TRUE);

if(!NT_SUCCESS(status))
{
return;
}

pGetEA = (PFILE_FULL_EA_INFORMATION)Buffer;

DbgPrint(“PreCreate – EA is %.*S\n”,pGetEA->EaValueLength/sizeof(CHAR),pGetEA->EaName[0]);

}

OutPut Shown is:
PreCreate – EA is ??

As the above code shows wrong output, it seems to have some problem either while setting EA or while Querying the EAs.

Kindly help me out to solve this issue, why i am not getting the expected output (i.e PreCreate – EA is testEA) ?

Also, Is there any other way to get FileHandle in Create operation except FltCreateFile() ?

Any inputs are appreciated

Thanks
Mahesh

OSR_Community_User · June 4, 2008, 3:25am

Try to do a query for EA in post create function, because IMHO EA are not set yet by FS …

Mahesh_Dhannawat · June 4, 2008, 10:30am

Hi,

Mitja, In PostCreate also, i need to get the FileHandle either by ZwOpenFile() or NTOpenFile() functions and then give this filehandle to ZwQueryEaFile() or ZwSetEaFile().

About ZwOpenFile/NtOpenFile, many times “Sharing violation” error occurs & fewer times it gets succeeded.

This is how i am calling ZwOpenFile/NtOpenFile

status = ZwOpenFile(&hFileHandle,
FILE_READ_DATA | DELETE | FILE_WRITE_DATA,
&objectAttributes,
&ioStatus,
FILE_SHARE_READ,
0);

Let me know whether i am going in a correct way or not.

Thanks
Mahesh

OSR_Community_User · June 4, 2008, 10:43am

Use FltCreateFile to get handle for ZwQueryEaFile …

OSR_Community_User · June 4, 2008, 10:44am

What kind of mini-filter are you developing? What is purpose of that filter?

Mahesh_Dhannawat · June 4, 2008, 12:18pm

Hi,

I am using nullfilter sample driver provided in IFS Kit.
In Create operation (pre or post anyone) i want to use EAs for identifying file as my file, so first time set EA for that file which is accessed, then next time use this EAs to identify it as my file & perform some operations on it.

Also, while making such identification (by querying for EAs) of files , performance should not be affected.

FltCreateFile() works fine but it degrades the performance drastically.

Thanks
Mahesh

Don_Burn_1 · June 4, 2008, 12:24pm

This is why I suggested rolling your own IRP. This is not that hard to do,
and you do not need to do the FltCreateFile.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntfsd…
> Hi,
>
> I am using nullfilter sample driver provided in IFS Kit.
> In Create operation (pre or post anyone) i want to use EAs for identifying
> file as my file, so first time set EA for that file which is accessed,
> then next time use this EAs to identify it as my file & perform some
> operations on it.
>
> Also, while making such identification (by querying for EAs) of files ,
> performance should not be affected.
>
> FltCreateFile() works fine but it degrades the performance drastically.
>
>
> Thanks
> Mahesh
>