File Creation / Overwritten

In a minifilter driver I want to track whether a file is newly created or is replaced/overwritten. From this thread I got information to solve my issue…

https://www.osronline.com/showthread.cfm?link=139900

But I found that I am always getting the FILE_CREATED flag, both when the file exists and when it does not.

I found that if the file exists, then I get the following flags along with it.

disposition == FILE_OVERWRITE_IF
Data->IoStatus.Information == FILE_CREATED
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == 18743702
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_READ_ATTRIBUTES
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == READ_CONTROL
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_DATA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_ATTRIBUTES
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_EA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_APPEND_DATA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == WRITE_DAC
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == WRITE_OWNER
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == SYNCHRONIZE

And if the file does not exist, then I get these flags:

disposition == FILE_OVERWRITE_IF
Data->IoStatus.Information == FILE_CREATED
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == 1180054
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_READ_ATTRIBUTES
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == READ_CONTROL
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_DATA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_ATTRIBUTES
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_EA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_APPEND_DATA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == SYNCHRONIZE

Or is there any other method I should use for getting this information?
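
Added example, not part of the original posts: a user-mode C decoder for the two `DesiredAccess` values quoted above, with helpers for the create disposition and the post-create `IoStatus.Information` result. Constant values are the Windows header definitions; the function names are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constant values are those of the Windows headers; function names are made up here. */
static const struct { unsigned long bit; const char *name; } kAccess[] = {
    {0x00000002, "FILE_WRITE_DATA"},       {0x00000004, "FILE_APPEND_DATA"},
    {0x00000010, "FILE_WRITE_EA"},         {0x00000080, "FILE_READ_ATTRIBUTES"},
    {0x00000100, "FILE_WRITE_ATTRIBUTES"}, {0x00010000, "DELETE"},
    {0x00020000, "READ_CONTROL"},          {0x00040000, "WRITE_DAC"},
    {0x00080000, "WRITE_OWNER"},           {0x00100000, "SYNCHRONIZE"},
    {0x01000000, "ACCESS_SYSTEM_SECURITY"},
};
enum { FILE_SUPERSEDED, FILE_OPENED, FILE_CREATED, FILE_OVERWRITTEN }; /* results */
enum { FILE_OVERWRITE_IF = 5 };                                    /* disposition */

/* Write set bits as "A|B" into out; return bits not written (unnamed or no room). */
unsigned long decode_access(unsigned long mask, char *out, size_t cap)
{
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof kAccess / sizeof kAccess[0]; i++) {
        size_t need = strlen(kAccess[i].name) + (used ? 1 : 0);
        if (!(mask & kAccess[i].bit) || used + need >= cap) continue;
        used += (size_t)snprintf(out + used, cap - used, "%s%s",
                                 used ? "|" : "", kAccess[i].name);
        mask &= ~kAccess[i].bit;
    }
    return mask;
}

/* The create disposition is the top byte of Parameters.Create.Options. */
unsigned disposition_of(unsigned long options) { return (options >> 24) & 0xFF; }

/* Post-create IoStatus.Information: 1 = existing file replaced, 0 = new, -1 = other. */
int replaced_existing(unsigned long information)
{
    if (information == FILE_SUPERSEDED || information == FILE_OVERWRITTEN) return 1;
    return information == FILE_CREATED ? 0 : -1;
}

int main(void)
{
    const unsigned long exists = 18743702UL, missing = 1180054UL; /* from the post */
    char buf[256];
    decode_access(missing, buf, sizeof buf);
    printf("file missing: 0x%08lX %s\n", missing, buf);
    decode_access(exists ^ missing, buf, sizeof buf);
    printf("extra when file exists: %s\n", buf);
    return 0;
}
```

The two quoted masks are 0x011E0196 and 0x00120196; they differ in WRITE_DAC, WRITE_OWNER and ACCESS_SYSTEM_SECURITY (0x01000000).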

Hmm, are you sure?
I do not see such behavior. I get FILE_OVERWRITTEN if the file exists. Use
filetest and see if it does the same.
What version of Windows are you testing on?

With respect,
Gabriel Bercea

GaMiTech Software Development

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Thursday, January 29, 2009 9:17 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] File Creation / Overwritten

In a minifilter driver I want to track whether a file is newly created or is
replaced/overwritten. From this thread I got information to solve my issue…

https://www.osronline.com/showthread.cfm?link=139900

But I found that I am always getting the FILE_CREATED flag, both when the file
exists and when it does not.

I found that if the file exists, then I get the following flags along with it.

disposition == FILE_OVERWRITE_IF
Data->IoStatus.Information == FILE_CREATED
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == 18743702
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_READ_ATTRIBUTES
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == READ_CONTROL
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_DATA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_ATTRIBUTES
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_EA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_APPEND_DATA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == WRITE_DAC
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == WRITE_OWNER
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == SYNCHRONIZE

And if the file does not exist, then I get these flags:

disposition == FILE_OVERWRITE_IF
Data->IoStatus.Information == FILE_CREATED
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == 1180054
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_READ_ATTRIBUTES
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == READ_CONTROL
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_DATA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_ATTRIBUTES
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_WRITE_EA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == FILE_APPEND_DATA
Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess == SYNCHRONIZE

Or is there any other method I should use for getting this information?



Ya I am sure about it…
When I tried with test application, I got FILE_OVERWRITTEN.

I am monitoring Windows Update, i.e. which files it is updating. I have Microsoft Office installed on my machine. Windows XP Service Pack 3. So when I install a service pack for my Office, I see that my minifilter shows FILE_CREATED for most of the files, like Excel, Word, Outlook etc., not FILE_OVERWRITTEN, and all these files exist at their respective positions. Then I did a file comparison of the old and new files of Excel, and I found them different. So how will I be able to track that the file already exists in this type of situation?