Faulty sFilter [???]

Hi,

I have compiled the raw sFilter sample as provided by the latest IFS ( Win 2003 Sp1 ). I have set its DebugFlags to 3 so I could see the devices it is being attached to and file creation notifications. Apparently, notifications for all FS drives are being generated EXCEPT notifications for the local HD… may this be a BUG with the sFilter sample? May I be doing something wrong here?
Note that this doesn’t happen with the FileSpy sample…

Nadav.

Activating file system FEECC648 “\Device\WebDavRedirector” (NETWORK_FILE_SYSTEM)

Attaching FEC57960 to file system FEECC648 “\Device\WebDavRedirector” (NETWORK_FILE_SYSTEM)

Activating file system FEE02030 “\Device\LanmanRedirector” (NETWORK_FILE_SYSTEM)

Attaching FEC57838 to file system FEE02030 “\Device\LanmanRedirector” (NETWORK_FILE_SYSTEM)

Activating file system FEEBB680 “\FileSystem\UdfsCdRomRecognizer” (CD_ROM_FILE_SYSTEM)

Activating file system 816D0738 “\FatCdrom” (CD_ROM_FILE_SYSTEM)

Attaching FEED5C60 to file system 816D0738 “\FatCdrom” (CD_ROM_FILE_SYSTEM)

Activating file system FEECF030 “\Cdfs” (CD_ROM_FILE_SYSTEM)

Attaching FEED5B38 to file system FEECF030 “\Cdfs” (CD_ROM_FILE_SYSTEM)

Activating file system FEE0D368 “\FileSystem\NtfsRecognizer” (DISK_FILE_SYSTEM)

Activating file system FEE98748 “\FileSystem\UdfsDiskRecognizer” (DISK_FILE_SYSTEM)

Activating file system 816D0850 “\Fat” (DISK_FILE_SYSTEM)

Attaching FEED5A10 to file system 816D0850 “\Fat” (DISK_FILE_SYSTEM)

Activating file system 817052E0 “\Device\RawDisk” (DISK_FILE_SYSTEM)

Attaching FEED58E8 to file system 817052E0 “\Device\RawDisk” (DISK_FILE_SYSTEM)

Activating file system 817051C8 “\Device\RawCdRom” (CD_ROM_FILE_SYSTEM)

Attaching 81724798 to file system 817051C8 “\Device\RawCdRom” (CD_ROM_FILE_SYSTEM)



> all FS drives are being generated EXCEPT notifications for the local HD

I don’t understand your question - what local HD do you mean?
If you want to see the volume mount, you have to set a debug log into
the IRP_MN_MOUNT_VOLUME handler.
In your log list, I see all file systems except NTFS, is that the problem?

L.

Hi Ladislav

Thanks for your response. Well, yes, this is my problem: the local NTFS is not being attached to. Why does this happen? What may cause this problem? What did I miss?

Thanks ahead,
Naddav.



Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Maybe SFilter loads too late. Ntfs loads under group “Boot file system”
which is sooner than rest of the file systems. I guess that you configured
SFilter to load after boot file system, but before file systems.

L.

Hi Ladislav,

Thanks again for your immediate response. Well, I use Numega's DriverMonitor to start sFilter, hence, it is not started during the startup sequence. Still, this shouldn’t matter as the sFilter uses ‘IoRegisterFsRegistrationChange’ through its DriverEntry. On WinXP this call will trigger a callback for all of the existing FS; this callback ( SfFsNotification ) is used by sFilter to hook to the enumerated FS, and this is the way all of the other FS are being hooked to… Running through with the debugger ( SoftIce ) I can see that \Device\HarddiskVolume* or \Device\Ntfs are not included in the ‘IoRegisterFsRegistrationChange’ enumeration…
What may cause such a behavior ?

P.S.
I am running WinXP SP2

Thanks,
Naddav.


Hi Ladislav,

The specific computer I am conducting the test on doesn’t use an Ntfs FS, rather, it uses a Fat32 FS ( Sorry for misleading ). Hence, running with the debugger ( SoftIce ) I can see that sFilter hooks to the \Fat FS. Still, SfCreate is not being called for IRPs generated by the \Fat FS… What may cause this problem [???]

Naddav.


> The specific computer I am conducting the test on doesn’t use a Ntfs FS

Bleh. Asking why the filter does not attach to Ntfs
when there is no NTFS partition.

> SfCreate is not being called for IRPs generated by the \Fat FS…

Maybe the filter is not attached to a volume.
Run DeviceTree from OSR, you may find there
what devices are attached to Ntfs’s device objects.

And remember, Ntfs (and any other FS driver)
has two types of devices - control devices (you attach
to them in FS notification) and volume devices (you attach to them
manually or in mount volume handler).

L.
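The control-device versus volume-device distinction described above, as an added user-mode model in C (not part of the thread, and not WDK or sFilter code; every name in it is hypothetical). It assumes the volume was mounted before the filter was loaded, and shows that attaching only in the FS notification then sees no file opens on that volume.

```c
/* Added illustration: user-mode model, not WDK code or sFilter source. */
#include <stdio.h>

struct device {
    int filter_attached;  /* a filter device sits on top of this one */
    int filter_creates;   /* IRP_MJ_CREATE requests the filter saw here */
};

struct fs_driver {
    struct device control;     /* e.g. \Fat; receives mount requests */
    struct device volumes[4];  /* one device per mounted volume */
    int volume_count;
};

/* FS registration callback: only the control device gets attached here. */
static void on_fs_notification(struct fs_driver *fs) { fs->control.filter_attached = 1; }

/* Mount goes to the control device; a filter attached there can then
 * attach to the new volume device from its mount handler. */
static struct device *mount_volume(struct fs_driver *fs) {
    struct device *vol = &fs->volumes[fs->volume_count++];
    vol->filter_attached = fs->control.filter_attached;
    return vol;
}

/* Manual attach to volumes that were mounted before the filter loaded. */
static void attach_existing_volumes(struct fs_driver *fs) {
    for (int i = 0; i < fs->volume_count; i++)
        fs->volumes[i].filter_attached = 1;
}

/* File opens go down the volume device stack, never the control device. */
static void open_file(struct device *vol) {
    if (vol->filter_attached) vol->filter_creates++;
}

/* Hypothetical scenario: one FAT volume, one file open on it. */
static int creates_seen(int mounted_before_load, int enumerate_existing) {
    struct fs_driver fat = {0};
    struct device *vol = mounted_before_load ? mount_volume(&fat) : NULL;
    on_fs_notification(&fat);
    if (!vol) vol = mount_volume(&fat);
    if (enumerate_existing) attach_existing_volumes(&fat);
    open_file(vol);
    return vol->filter_creates;
}

int main(void) {
    printf("%d %d %d\n", creates_seen(1, 0), creates_seen(1, 1), creates_seen(0, 0));
    return 0;
}
```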

Load as Boot driver of “filter” group.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Nadav
To: Windows File Systems Devs Interest List
Sent: Monday, August 22, 2005 1:02 PM
Subject: Re: [ntfsd] Faulty sFilter [???]

Hi Ladislav,
Thanks again for your immediate response. Well, I use Numega's DriverMonitor to start sFilter, hence, it is not started during the startup sequence. Still, this shouldn’t matter as the sFilter uses ‘IoRegisterFsRegistrationChange’ through its DriverEntry. On WinXP this call will trigger a callback for all of the existing FS; this callback ( SfFsNotification ) is used by sFilter to hook to the enumerated FS, and this is the way all of the other FS are being hooked to… Running through with the debugger ( SoftIce ) I can see that \Device\HarddiskVolume* or \Device\Ntfs are not included in the ‘IoRegisterFsRegistrationChange’ enumeration…
What may cause such a behavior ?

P.S.
I am running WinXP SP2

Thanks,
Naddav.
