Is there a reason the contents of (FILE_OBJECT)->FileName; can’t be changed?
Unless you are in the file system stack, no one in the stack usually pays attention to the name. outside of that, you don’t really own the name string, the io manager does. Why do you want to change the name? what problems are you seeing?
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Thursday, October 22, 2009 12:01 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] FileObject->FileName (BSOD)
Is there a reason the contents of (FILE_OBJECT)->FileName; can’t be changed?
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
A display dialog whenever I attempt to close a file operation process telling me of a denied file access. I’m hoping to remove this by specifying another process for it to load.
Is there another way of altering the file which is loaded? I don’t really want to be using system hook to try and suppress access denied error messages.
Is there a reason the contents of (FILE_OBJECT)->FileName; can’t be changed?
xxxxx@hotmail.com wrote:
Is there another way of altering the file which is loaded? I don’t really want to be using system hook to try and suppress access denied error messages.
What on earth are you actually trying to do? You’ve asked a very
specific question that seems almost entirely unrelated to your other
questions. I suspect you are going about your task in the wrong way.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Not quite. Along the same lines.
Taking a look at filesys/minifilter/scanner, it is possible to terminate file processes on Windows 7.0. Using this creates a dialog box, access denied, etc. I assumed I would need to use hooking to make this a quiet terminate, so I opted for attempting to run another application everytime certain files are accessed. Whereas the new process did nothing and simply exited.
Then I ran into problems attempting to change FileObject->FileName and asked about it here.
What I am trying to do is suppress the read/open/write error messages which appear, (General Windows messages, not application specific.) when I can a file open operation.
I hope that explains me.
So… you want to do this in a File System filter??? You can certainly do that… Your post would be best over in NTFSD.
Oh, and PLEASE CHANGE YOUR USERNAME. “Actual name NoAliases” isn’t cute, it’s not an identifier, and it’s not helpful. Especially given that you’re posting from Hotmail.
Peter
OSR
Ok thanks.
It looked like I did change my name too but didn’t notice the confirmation e-mail. Will do. thanks.
Hello.
I was recently refered to NT FileSystems for this answer and I was told there I should try using “IoSetThreadHardErrorMode” to avoid the “Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.” error I was recieving while trying to suppress certain files from loading. Unfortunately regardless of how I implented it, it didn’t seem to work. (Maybe I was using it wrong.) However there are two other options I have which is why I came back to this thread.
Continue looking for it, in which case if somebody here was looking for a method to suppress the permissions error dialog box I am experiencing what would they look for in google. I ask this because when I look for it, I am finding all the wrong webpages.
The second option is to go back to my original thought, replacing the file operation for another file. Say if the process is part of the main Windows, and not lets say the file is being simply opened by notepad, then the file is replaced so an exe is loaded instead. The reason for this is so when the file is loaded, a file is executed but it does nothing an quits and gives no error dialog box.
If someone can help me it would be much appricated.
nahc
After stumbling across FltCreateFileEx to be something that might work in my situation. (I have read it is expensive so it’s use will be limited.) I have found that build won’t build it because FltCreateFileEx is undefined. I’ve listed my code below.
#include <fltkernel.h>
…
RtlInitUnicodeString(&Extension, L"\Device\HardDiskVolume1\WINDEV\System32\calc.exe");
//issue my fltcreate
InitializeObjectAttributes( &objectAttributes,
&Extension,
OBJ_KERNEL_HANDLE,
NULL,
NULL );
status=FltCreateFileEx(FltObjects->Filter,
FltObjects->Instance,
&hFile,
&FltObjects->FileObject,
GENERIC_READ,
&objectAttributes,
&ioStatus,
(PLARGE_INTEGER) NULL,
FILE_ATTRIBUTE_NORMAL,
0,//execlusively
FILE_OPEN,
0L,
NULL,
0L,
0 );</fltkernel.h>
I will never ask such a stupid question again.
fltKernel.h
…
IF SP2!
I sorted the FileObject problem with the following code.
DbgPrint(“\r\nTest Create File:%wZ”,&nameInfo->Name);
RtlInitUnicodeString(&Extension, L"\Device\HardDiskVolume1\WINDEV\System32\calc.exe");
//issue my fltcreate
InitializeObjectAttributes( &objectAttributes,
&Extension,
OBJ_KERNEL_HANDLE,
NULL,
NULL );
status=FltCreateFile(FltObjects->Filter,
FltObjects->Instance,
&hFile,
//&FltObjects->FileObject,
GENERIC_READ,
&objectAttributes,
&ioStatus,
(PLARGE_INTEGER) NULL,
FILE_ATTRIBUTE_NORMAL,
0,//execlusively
FILE_OPEN,
0L,
NULL,
0L,
0 );
status = ObReferenceObjectByHandle(
hFile, //Handle
0, //DesiredAccess
*IoFileObjectType, //ObjectType
KernelMode, //AccessMode
(PVOID) &FltObjects->FileObject, //Object
NULL); //HandleInformation
DbgPrint(“\r\nTest File:%wZ,Status:%x”,&FltObjects->FileObject->FileName,status);
if (NT_SUCCESS( status ))
{
FltClose(hFile);
}
DbgPrint(“\r\nTest File:%wZ,Status:%x”,&FltObjects->FileObject->FileName,status);
returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
However it doesn’t make it stick, as soon as the function ends, the FileObject goes back to it’s original FileObject rather than my new modified one. Test File: FltObjects->FileObject->FileName returns correctly.
Can anyone help?