File streams

OSR_Community_User · February 15, 2001, 10:54am

Hi,

Does anyone know how NTFS 5 handles file streams? Basically I’m trying
to copy a file from kernel mode and want to make sure I copy all the
streams associated with the file. Any pointers would be welcomed.

Shaun

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · February 15, 2001, 11:26am

NTFS can have named attributes. $DATA is one of the attributes for the NTFS
file.Unnamed $DATA attribute,also knowns as unnamed stream, always exists
for a file. Name $DATA attributes, name streams for a file can be created
using same Win32 APIs but by constructing file name differently. For doing
any operation on named stream of file, stream name has to be stated
explicitly.e.g filename:streamName
so when ur trying to read a file usinf Zw calls, determine if file has
streams assocaited with, enumerate all the streas and read all the streams
of the file

Hi,

Does anyone know how NTFS 5 handles file streams? Basically I’m trying
to copy a file from kernel mode and want to make sure I copy all the
streams associated with the file. Any pointers would be welcomed.

Shaun

You are currently subscribed to ntfsd as: xxxxx@Legato.COM
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · February 15, 2001, 12:11pm

Okay thanks, but what do you use to enumerate the streams (in kernel
mode)?

I assume you can use the same filename:streamname construct with
ZwCreateFile once you know what the streams are?

Shaun

Pashupati Kumar wrote:
>
>NTFS can have named attributes. $DATA is one of the attributes for the NTFS
>file.Unnamed $DATA attribute,also knowns as unnamed stream, always exists
>for a file. Name $DATA attributes, name streams for a file can be created
>using same Win32 APIs but by constructing file name differently. For doing
>any operation on named stream of file, stream name has to be stated
>explicitly.e.g filename:streamName
>so when ur trying to read a file usinf Zw calls, determine if file has
>streams assocaited with, enumerate all the streas and read all the streams
>of the file
>
>> Hi,
>>
>> Does anyone know how NTFS 5 handles file streams? Basically I’m trying
>> to copy a file from kernel mode and want to make sure I copy all the
>> streams associated with the file. Any pointers would be welcomed.
>>
>> Shaun
>>
>>
>>
>> —
>> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
>> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@sdlabs.demon.co.uk
>To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · February 15, 2001, 12:21pm

IIRC use IRP_MJ_QUERY_INFORMATION/FileStreamInformation.

-----Original Message-----
From: Shaun [mailto:xxxxx@sdlabs.demon.co.uk]
Sent: Thursday, February 15, 2001 12:08 PM
To: File Systems Developers
Subject: [ntfsd] Re: File streams

Okay thanks, but what do you use to enumerate the streams (in kernel
mode)?

I assume you can use the same filename:streamname construct with
ZwCreateFile once you know what the streams are?

Shaun

Pashupati Kumar wrote:
>
>NTFS can have named attributes. $DATA is one of the attributes for the NTFS
>file.Unnamed $DATA attribute,also knowns as unnamed stream, always exists
>for a file. Name $DATA attributes, name streams for a file can be created
>using same Win32 APIs but by constructing file name differently. For doing
>any operation on named stream of file, stream name has to be stated
>explicitly.e.g filename:streamName
>so when ur trying to read a file usinf Zw calls, determine if file has
>streams assocaited with, enumerate all the streas and read all the streams
>of the file
>
>> Hi,
>>
>> Does anyone know how NTFS 5 handles file streams? Basically I’m trying
>> to copy a file from kernel mode and want to make sure I copy all the
>> streams associated with the file. Any pointers would be welcomed.
>>
>> Shaun
>>
>>
>>
>> —
>> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
>> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@sdlabs.demon.co.uk
>To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@ntpsoftware.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · February 15, 2001, 12:21pm

> Okay thanks, but what do you use to enumerate the streams (in kernel

mode)?

use ZwQueryInformationFile with FileInformationClass as
FileStreamInformation

I assume you can use the same filename:streamname construct with
ZwCreateFile once you know what the streams are?

yes

Shaun

Pashupati Kumar wrote:
> >
> >NTFS can have named attributes. $DATA is one of the attributes for the
NTFS
> >file.Unnamed $DATA attribute,also knowns as unnamed stream, always exists
> >for a file. Name $DATA attributes, name streams for a file can be created
> >using same Win32 APIs but by constructing file name differently. For
doing
> >any operation on named stream of file, stream name has to be stated
> >explicitly.e.g filename:streamName
> >so when ur trying to read a file usinf Zw calls, determine if file has
> >streams assocaited with, enumerate all the streas and read all the
streams
> >of the file
> >
> >> Hi,
> >>
> >> Does anyone know how NTFS 5 handles file streams? Basically I’m trying
> >> to copy a file from kernel mode and want to make sure I copy all the
> >> streams associated with the file. Any pointers would be welcomed.
> >>
> >> Shaun
> >>
> >>
> >>
> >> —
> >> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
> >> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> >
> >
> >
> >—
> >You are currently subscribed to ntfsd as: xxxxx@sdlabs.demon.co.uk
> >To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · February 15, 2001, 12:32pm

Shaun,

Streams are enumerated by querying the file system. There are two APIs in
the IFS kit for this: ZwQueryInformationFile and IoQueryFileInformation.

Specify the FileStreamInformation for the FILE_INFORMATION_CLASS value. The
returned buffer will contain the stream information (in the
FILE_STREAM_INFORMATION format.)

ZwQueryInformationFile (albeit not this specific sub-option of it) is
documented in the DDK.

Regards,

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Shaun [mailto:xxxxx@sdlabs.demon.co.uk]
Sent: Thursday, February 15, 2001 12:08 PM
To: File Systems Developers
Subject: [ntfsd] Re: File streams

Okay thanks, but what do you use to enumerate the streams (in kernel
mode)?

I assume you can use the same filename:streamname construct with
ZwCreateFile once you know what the streams are?

Shaun

Pashupati Kumar wrote:
>
>NTFS can have named attributes. $DATA is one of the attributes for the NTFS
>file.Unnamed $DATA attribute,also knowns as unnamed stream, always exists
>for a file. Name $DATA attributes, name streams for a file can be created
>using same Win32 APIs but by constructing file name differently. For doing
>any operation on named stream of file, stream name has to be stated
>explicitly.e.g filename:streamName
>so when ur trying to read a file usinf Zw calls, determine if file has
>streams assocaited with, enumerate all the streas and read all the streams
>of the file
>
>> Hi,
>>
>> Does anyone know how NTFS 5 handles file streams? Basically I’m trying
>> to copy a file from kernel mode and want to make sure I copy all the
>> streams associated with the file. Any pointers would be welcomed.
>>
>> Shaun
>>
>>
>>
>> —
>> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
>> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@sdlabs.demon.co.uk
>To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · February 15, 2001, 12:32pm

Shaun,
You can call IoQueryFileInformation with FileStreamInformation for the
FileInformationClass or Build an IRP using IRP_MJ_QUERY_INFORMATION and
FileStreamInformation for the FileInformationClass.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Shaun
Sent: Thursday, February 15, 2001 12:08 PM
To: File Systems Developers
Subject: [ntfsd] Re: File streams

Okay thanks, but what do you use to enumerate the streams (in kernel
mode)?

I assume you can use the same filename:streamname construct with
ZwCreateFile once you know what the streams are?

Shaun

Pashupati Kumar wrote:
>
>NTFS can have named attributes. $DATA is one of the attributes for the NTFS
>file.Unnamed $DATA attribute,also knowns as unnamed stream, always exists
>for a file. Name $DATA attributes, name streams for a file can be created
>using same Win32 APIs but by constructing file name differently. For doing
>any operation on named stream of file, stream name has to be stated
>explicitly.e.g filename:streamName
>so when ur trying to read a file usinf Zw calls, determine if file has
>streams assocaited with, enumerate all the streas and read all the streams
>of the file
>
>> Hi,
>>
>> Does anyone know how NTFS 5 handles file streams? Basically I’m trying
>> to copy a file from kernel mode and want to make sure I copy all the
>> streams associated with the file. Any pointers would be welcomed.
>>
>> Shaun
>>
>>
>>
>> —
>> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
>> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@sdlabs.demon.co.uk
>To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@legato.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Don_Burn_1 · February 15, 2001, 12:36pm

ZwQueryInformationFile is available from kernel mode and
can give a list of all streams.

Don Burn
Windows 2000 Device Driver and Filesystem consulting

----- Original Message -----
From: “Shaun”
To: “File Systems Developers”
Sent: Thursday, February 15, 2001 12:07 PM
Subject: [ntfsd] Re: File streams

> Okay thanks, but what do you use to enumerate the streams (in kernel
> mode)?
>
> I assume you can use the same filename:streamname construct with
> ZwCreateFile once you know what the streams are?
>
> Shaun
>
>
> Pashupati Kumar wrote:
> >
> >NTFS can have named attributes. $DATA is one of the attributes for the
NTFS
> >file.Unnamed $DATA attribute,also knowns as unnamed stream, always exists
> >for a file. Name $DATA attributes, name streams for a file can be created
> >using same Win32 APIs but by constructing file name differently. For
doing
> >any operation on named stream of file, stream name has to be stated
> >explicitly.e.g filename:streamName
> >so when ur trying to read a file usinf Zw calls, determine if file has
> >streams assocaited with, enumerate all the streas and read all the
streams
> >of the file
> >
> >> Hi,
> >>
> >> Does anyone know how NTFS 5 handles file streams? Basically I’m trying
> >> to copy a file from kernel mode and want to make sure I copy all the
> >> streams associated with the file. Any pointers would be welcomed.
> >>
> >> Shaun
> >>
> >>
> >>
> >> —
> >> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
> >> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> >
> >
> >
> >—
> >You are currently subscribed to ntfsd as: xxxxx@sdlabs.demon.co.uk
> >To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@acm.org
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · February 15, 2001, 1:33pm

Thanks all who replied with this. I should remember not to bother
using the docs for information and head straight for the header file
instead 8*)

Shaun

Pashupati Kumar wrote:
>> Okay thanks, but what do you use to enumerate the streams (in kernel
>> mode)?
>
>use ZwQueryInformationFile with FileInformationClass as
>FileStreamInformation
>
>> I assume you can use the same filename:streamname construct with
>> ZwCreateFile once you know what the streams are?
>
>yes
>
>> Shaun
>>
>>
>> Pashupati Kumar wrote:
>> >
>> >NTFS can have named attributes. $DATA is one of the attributes for the
>NTFS
>> >file.Unnamed $DATA attribute,also knowns as unnamed stream, always exists
>> >for a file. Name $DATA attributes, name streams for a file can be created
>> >using same Win32 APIs but by constructing file name differently. For
>doing
>> >any operation on named stream of file, stream name has to be stated
>> >explicitly.e.g filename:streamName
>> >so when ur trying to read a file usinf Zw calls, determine if file has
>> >streams assocaited with, enumerate all the streas and read all the
>streams
>> >of the file
>> >
>> >> Hi,
>> >>
>> >> Does anyone know how NTFS 5 handles file streams? Basically I’m trying
>> >> to copy a file from kernel mode and want to make sure I copy all the
>> >> streams associated with the file. Any pointers would be welcomed.
>> >>
>> >> Shaun
>> >>
>> >>
>> >>
>> >> —
>> >> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
>> >> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>> >
>> >
>> >
>> >—
>> >You are currently subscribed to ntfsd as: xxxxx@sdlabs.demon.co.uk
>> >To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>>
>>
>>
>>
>> —
>> You are currently subscribed to ntfsd as: xxxxx@Legato.COM
>> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@sdlabs.demon.co.uk
>To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com