Thanks a lot, Tony.
I’m simply using standard ZwSetInformationFile within a plain kernel
driver instead of a filter driver. I’ve got a couple of drivers. No
filter technique is involved with this problem.
Regarding the native application, you are right. It runs between BOOT_START
and SYSTEM_START drivers according to Sysinternals. But this executable
doesn’t register itself in the BootExecute registry value.
I thought about ADS, but I don’t have information on that. How do I
enumerate ADS from kernel driver? If it DOES have at least one ADS in
it, can’t we delete the file?
I don’t know much about USN journal. But I believe it is just a plain
.dll file that is registered to Winlogon Notify key, making it run as
part of winlogon process during boot-up.
I’ll look into SectionObjectPointers and let you know.
Cheers,
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Friday, 9 December 2005 2:36 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] File deletion problem
And you’re sure it is the FSD that is rejecting the request and not the
OS?
System start certainly doesn’t guarantee there aren’t processes running
(I think SMSS starts between boot and system start time, but I might be
mis-remembering.) Of course, this is trivial to check (with a
debugger).
Since this is your filter, set a breakpoint when you get this return
value. Then take the file object and look at the SectionObjectPointers
structure. If there’s an ImageSectionObject then I’d look at the mapped
file possibility. If that doesn’t pan out, you’ll probably have to walk
through with the debugger until you find it returning STATUS_CANT_DELETE
and work backwards from there why it fails (I’ve had to do this before,
but it really requires a system set up to analyze.) For example, if you
get that error, stop in the debugger and then call *again* so you can
walk it with the debugger.
Hard links certainly wouldn’t be a problem (although keep in mind that
you are deleting the *link* and that the file might stick around.)
Can you give us a hint as to the type of file here? Is it possible it
has alternate data streams and one of them is opened? Or this is the
USN journal, or some registry hive, or something else like that?
Obviously, there’s a reason, but we’re just guessing at this point - and
having more context may provide more suggestions on what might be going
wrong.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 24-27, 2006.
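A user-mode triage script for the causes discussed in this reply (read-only attribute, hard link count, alternate data streams, and whether a running process has the file mapped as an image). This is an added example written for this page, not code from the thread; it assumes PowerShell 3 or later on Windows, takes the file path as a parameter, and covers only user-mode mappings, so the boot-time check of SectionObjectPointers still has to be done in the debugger as described above.

```powershell
# Added example: collect the NTFS-side facts that decide STATUS_CANNOT_DELETE
# before a driver tries FILE_DISPOSITION_INFORMATION on the file.
param([Parameter(Mandatory = $true)][string]$Path)

$item = Get-Item -LiteralPath $Path -Force
"File            : $($item.FullName)"
"Attributes      : $($item.Attributes)"

# Read-only is one of the three reasons FAT (and NTFS) refuse the delete.
$readOnly = ($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0
"ReadOnly        : $readOnly"

# Hard links: deleting removes this *name*; with a count above 1 the data stays.
$links = @(& fsutil.exe hardlink list $item.FullName)
"Hard link count : $($links.Count)"
$links | ForEach-Object { "  $_" }

# Alternate data streams: anything other than ':$DATA' is an ADS that some
# other handle might be holding open.
$streams = @(Get-Item -LiteralPath $item.FullName -Force -Stream *)
"Streams         : $($streams.Count)"
foreach ($s in $streams) {
    "  {0,-24} {1,10} bytes" -f $s.Stream, $s.Length
}

# Mapped image (user mode only): any process that has this file loaded as a
# module holds an image section on it, which MmFlushImageSection cannot flush.
$mappers = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Modules.FileName -contains $item.FullName } |
    Select-Object -ExpandProperty Name -Unique
if ($mappers) {
    "Mapped by       : $($mappers -join ', ')"
} else {
    "Mapped by       : no user-mode process (kernel/boot-time mappings not visible here)"
}
```

Run it elevated so that module lists of system processes are readable; a non-empty "Mapped by" line is the mapped-image case this thread ends up pointing at.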
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sean Park
Sent: Thursday, December 08, 2005 10:11 PM
To: ntfsd redirect
Subject: RE: [ntfsd] File deletion problem
Thanks guys,
I’m sure there is no user process running at the time when my driver is
running (SYSTEM_START). The file could be mapped in system process,
however as far as I can see there is no Native process/Driver guarding
this particular file. So I doubt it is about mapped file.
Hmm…
Definitely the file isn’t marked as read-only any more since I set it to
FILE_ATTRIBUTE_NORMAL. The file isn’t root directory (or dcb).
I thought about hard-links. But hardlink count was set to 1, which means
there is no hard link.
I’m stuck. Any suggestions?
Cheers,
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Friday, 9 December 2005 1:18 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] File deletion problem
Alexi is right here (I don’t know why, but I originally started with the
mapped file solution and then got “access denied” in my head and was
searching for that, which *doesn’t* cover the mapped file case)
From FAT:

    //
    // Make sure there is no process mapping this file as an image.
    //
    if (!MmFlushImageSection( &Fcb->NonPaged->SectionObjectPointers,
                              MmFlushForDelete )) {
        DebugTrace(-1, Dbg, "Cannot delete user mapped image\n", 0);
        return STATUS_CANNOT_DELETE;
    }
In fact, there are three reasons why FAT will return
STATUS_CANNOT_DELETE:
- it is the root directory;
- it is read-only;
- it is a mapped image that cannot be flushed
I would expect similar (comparable) situations for NTFS as well.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexei Jelvis
Sent: Thursday, December 08, 2005 9:02 PM
To: ntfsd redirect
Subject: RE: [ntfsd] File deletion problem
Usually STATUS_CANNOT_DELETE returned from SetInformation means that
another process created a memory mapping for the file. Can it be your case?
Alexei.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sean Park
Sent: Thursday, December 08, 2005 3:28 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] File deletion problem
Hi Folks,
I’ve got a problem with file deletion in the driver during the boot
process (SYSTEM_START). The situation is:
Platform: Win XP
File System: NTFS
Procedure:
- Open the file in the system process context (ZwCreateFile)
- Get file attribute (ZwQueryInformationFile with
FILE_BASIC_INFORMATION)
- Set file attribute to FILE_ATTRIBUTE_NORMAL (ZwSetInformationFile
with FILE_BASIC_INFORMATION)
- Mark for Delete (ZwSetInformationFile with
FILE_DISPOSITION_INFORMATION)
- Close the file in the system process context (ZwClose)
Steps 2 and 3 are required for read-only file deletion. It works most of the
time. But there is one file I can’t delete. There was neither filter
driver nor kernel Native API hooking in place guarding this particular
file.
I haven’t checked out whether it had been open before. There’s little
chance that this happens. So, let’s assume no one opened it before my
driver is running and no one referenced it either using
ObReferenceObject(). (I’ll check it out though)
My driver actually succeeds in opening the file and setting the attribute, but
it fails when it tries to mark for delete (step 4), returning
STATUS_CANNOT_DELETE (C0000121). For sure, I have tested with several
hidden and read-only files, and they all worked fine except for this one,
because I set FILE_ATTRIBUTE_NORMAL.
Does anyone know the reason why the file cannot be deleted?
Best wishes,
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com