FindFirstFile and FindNextFile

OSR_Community_User · March 31, 2002, 10:18pm

I want to be able to see what filenames are returned from
IRP_MN_QUERY_DIRECTORY after a FindFirstFile() or FindNextFile() are
executed. After setting the IoSetCompletionRoutine(), can anybody tell me
the location of the filename string that is returned and whether it’s a char
string or a wchar string? I have not been able to find any information on
this. I was thinking that maybe it is returned in the
AssociatedIrp.SystemBuffer. Any help would be greatly appreciated!

–
Brian Young
KinoCode, Inc.
xxxxx@kinocode.com
www.kinocode.com

OSR_Community_User · March 31, 2002, 10:48pm

The actual returned data depends upon the Flags field in the device object,
a subject that we’ve covered in the list very recently. For NTFS and FAT
this would be method neither, so that Irp->UserBuffer would normally contain
the necessary data. HOWEVER, if the Irp was posted, then Irp->UserBuffer
won’t be valid because you won’t be in the right process context
(Irp->Tail.Overlay.Thread != PsGetcurrentThread()). Under this case, you’ll
need to use either KeStackAttachProcess (to force yourself into the right
process context) or MmGetSystemAddressForMdl. The first approach
(KeStackAttachProcess) cannot be used if IRQL > APC_LEVEL which could be the
case in a completion routine.

Thus, try using Irp->UserBuffer (if in thread context) or
MmGetSystemAddressForMdlSafe(Irp->MdlAddress) (if not in thread context) and
you can then see the data.

The FORMAT of the data is determined by the FileInformationClass parameter
in the stack location, which (for the record) is the third DWORD parameter.
This is one of:

FileDirectoryInformation
FileFullDirectoryInformation
FileBothDirectoryInformation
FileNamesInformation
FileIdBothDirectoryInformation
FileIdFullDirectoryInformation
FileObjectIdInformation

The corresponding data structures would be:

FILE_DIRECTORY_INFORMATION
FILE_FULL_DIR_INFORMATION
FILE_BOTH_DIR_INFORMATION
FILE_NAMES_INFORMATION
FILE_ID_BOTH_DIR_INFORMATION
FILE_ID_FULL_DIR_INFORMATION
FILE_OBJECTID_INFORMATION

The exact details of all of this are in ntifs.h, but for each of these you
will find the name information (well, except for the last one, which doesn’t
have name information associated with it - only object ID information).

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: KinoCode [mailto:xxxxx@kinocode.com]
Sent: Sunday, March 31, 2002 10:16 PM
To: File Systems Developers
Subject: [ntfsd] FindFirstFile and FindNextFile

I want to be able to see what filenames are returned from
IRP_MN_QUERY_DIRECTORY after a FindFirstFile() or FindNextFile() are
executed. After setting the IoSetCompletionRoutine(), can anybody tell me
the location of the filename string that is returned and whether it’s a char
string or a wchar string? I have not been able to find any information on
this. I was thinking that maybe it is returned in the
AssociatedIrp.SystemBuffer. Any help would be greatly appreciated!

–
Brian Young
KinoCode, Inc.
xxxxx@kinocode.com
www.kinocode.com

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to %%email.unsub%%