FileObjects and File Handles

I have a few quick questions about FileObjects and File Handles.

  1. Every time a thread opens a file, is a new FileObject created for each open, or can an existing FileObject (already in use for that file) be used by the OS for some file opens?
  2. If a file has several concurrent opens (by multiple threads in multiple processes), is a FileObject created for each open (1-to-1 relationship) OR will some of the threads end up “using” the same FileObject (1-to-many) even though they have different file handles?
  3. If a file handle is duplicated (user or kernel), will a new FileObject be created for the duplicate handle or will they both end up “using” the same FileObject?

The reason I ask is because I am seeing some unusual combinations of FileObjects and file handles in some corner cases in kernel drivers.

Thanks in advance.
Duane Souder

  1. Each call to CreateFile will create a new PFILE_OBJECT
  2. 1:1
  3. If the handle is duplicated (in the process or out of process) the 2 handles share the same PFILE_OBJECT, so N:1

There are also “lite stream” file objects where you will see a cleanup/close without a create if you are a storage driver. This will have the flag FO_STREAM_FILE set in FileObject->Flags. What problems are you seeing and in which class/stack does your driver live in?

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Duane Souder
Sent: Thursday, December 20, 2007 10:44 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] FileObjects and File Handles


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Doron,

Thanks for the answers. I believe that your answer to number 3 explains what we are seeing.

Our driver is a file system filter driver and monitors each volume, memory stick, CD, etc.

Given: File IRP’s with FileObject(A) in the context of Pid(X)
We observe: FileObject(A) sometimes used in the context Pid(Y)
Note: We are not talking about IRP completion path. FileObject(A) is still valid and in-use for Pid(X) (no IRP_MJ_CLEANUP’s or IRP_MJ_CLOSE’s)
Our guess: Confirmed by your answer to number 3, is that another product is duplicating handles and therefore IRP’s in another process context are “seen” as using the same FileObject.

Do you agree?

Thanks,
Duane Souder

Doron Holan wrote:

  1. Each call to CreateFile will create a new PFILE_OBJECT
  2. 1:1
  3. If the handle is duplicated (in the process or out of process) the 2 handles share the same PFILE_OBJECT, so N:1

There are also “lite stream” file objects where you will see a cleanup/close without a create if you are a storage driver. This will have the flag FO_STREAM_FILE set in FileObject->Flags. What problems are you seeing and in which class/stack does your driver live in?

d

That sounds correct to me

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Duane Souder
Sent: Friday, December 21, 2007 7:53 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] FileObjects and File Handles


> 1) Every time a thread opens a file, is a new FileObject created for each open or can an existing FileObject (already in use for that file) be used by the OS for some file opens?

Each CreateFile call creates a new file object.

Several handles to the same file object are only created by DuplicateHandle and
by inheritance by the child process, no other ways.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
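
The handle-to-file-object relationships discussed in this thread, as a portable toy model added here for illustration (not code from any poster, and not Windows or driver code). The `model_*` functions, `foreign_pid`, and the PIDs 100 and 200 are hypothetical names and constructed values.

```c
#include <stdio.h>
/* Toy model (constructed). A handle is a per-process reference to a file
   object; the file object is what a file system filter sees in every IRP. */
#define MAX_OBJ 8
#define MAX_HND 16
typedef struct { int opener_pid; int handle_count; } FileObj;
typedef struct { int pid; int obj; int open; } Handle;
static FileObj objs[MAX_OBJ];
static Handle  hnds[MAX_HND];
static int n_objs, n_hnds;

static int new_handle(int pid, int obj) {
    if (n_hnds == MAX_HND) return -1;
    hnds[n_hnds] = (Handle){pid, obj, 1};
    objs[obj].handle_count++;
    return n_hnds++;
}

/* Models CreateFile: every open gets a new file object (1:1). */
static int model_create(int pid) {
    if (n_objs == MAX_OBJ || n_hnds == MAX_HND) return -1;
    objs[n_objs] = (FileObj){pid, 0};
    return new_handle(pid, n_objs++);
}

/* Models DuplicateHandle: new handle, same file object (N:1). */
static int model_duplicate(int src, int dst_pid) {
    if (src < 0 || src >= n_hnds || !hnds[src].open) return -1;
    return new_handle(dst_pid, hnds[src].obj);
}

/* Filter's view of an I/O on handle h: 1 if the requesting process is
   not the one that opened the file object. */
static int foreign_pid(int h) {
    return hnds[h].pid != objs[hnds[h].obj].opener_pid;
}

/* Models CloseHandle: returns 1 only when the last handle to the file
   object is closed (the point at which Windows sends IRP_MJ_CLEANUP). */
static int model_close(int h) {
    hnds[h].open = 0;
    return --objs[hnds[h].obj].handle_count == 0;
}

int main(void) {
    int a = model_create(100);        /* Pid(X) opens the file */
    int c = model_duplicate(a, 200);  /* duplicated into Pid(Y) */
    printf("shared=%d foreign=%d\n", hnds[a].obj == hnds[c].obj, foreign_pid(c));
    return 0;
}
```

A filter that records the opening PID per file object should therefore treat the requestor PID of each later I/O as independent of it, and should not expect cleanup when the opening process closes its handle while a duplicate is still open.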