Finding open files

NTFSD Folk:

I need to find any files that are open at the time my driver is loaded. It
could be done in user or kernel mode, although kernel would be preferable.

The closest I’ve found is the “procexp” utility from www.sysinternals.com
which shows all active processes, the handles they have open, and the files
associated with those handles.

But I can’t figure out how to build such a list, especially in kernel mode.
Any clues?

Ken

Ken,

I recommend Gary Nebbett’s book. Or google for

ZwQuerySystemInformation SystemHandleInformation

Yep, thanks. There are some specific hints about getting lists of processes
in “Enumerating processes in Windows XP kernel mode drivers”
http://www.volynkin.com/procenum.htm

Ken

(Original message from frank, sent Saturday, September 17, 2005 5:15 PM.)

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Ken

How about starting your driver before the file system driver? I have the
feeling that if you really do think you need to know this then you have a
high level design kind of problem. Why do you think you need to have this
information in your driver?

Cheers
Lyndon

Agreed. The one exception is when the driver is initially loaded. (Note
that this is a mini-driver so can be unloaded/loaded at any time). It
starts working, but may need to know about certain files that were open at
the time it was loaded. Nasty.

Ken

(Original message from Lyndon J Clarke, sent Saturday, September 17, 2005 6:31 PM.)

Ken,

Take a look at this app and drivers source. It might give you an idea of
what it is you want to do.

http://www.codeguru.com/Cpp/W-P/files/fileinformation/article.php/c4453/

(Original message from Ken Cross, sent Saturday, September 17, 2005 2:51 PM.)

Well there are obvious races galore in an attempt to answer “files that were
open at the time it was loaded” :-) Why do you think you need this?

Basically, I need to know about writes to certain files, but I don’t see
them if the file was already opened when the driver gets loaded. If I just
know that the files are opened for write already, I can just skip the whole
thing until it sees the Create request (which might not be until after the
next reboot – that’s OK).

This only happens at installation time, but I’d like to plug that hole…

Ken

(Original message from Lyndon J Clarke, sent Sunday, September 18, 2005 12:44 PM.)

How come you think you don’t see writes for files opened before your filter
started? I do see such writes in my filter for sure.

OK, let me qualify that – I skip writes without a StreamHandle context, and
I don’t have a StreamHandle context unless I see Create first. And I really
don’t want to examine *every* write just to see if it may be from a file for
which I didn’t see a Create.

Ken

(Original message from Lyndon J Clarke, sent Sunday, September 18, 2005 3:21 PM.)

Ken,

If you really need to know about files that are already open I would
suggest loading at boot time and using the
FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP flag in the
FLT_REGISTRATION structure and returning STATUS_FLT_DO_NOT_DETACH from
your unload routine to stop unloading of your driver.

If you start down the road of trying to get a list of open files I think
you will come unstuck eventually. AFAIK, and someone correct me if I am
wrong, there is no reliable way to achieve what you want without loading
at boot time.

Ben

(Original message from Ken Cross, sent 17 September 2005 23:47.)

Thanks, Ben.

Let me clarify – I really meant “when the driver is initially installed”.
That doesn’t happen at boot time.

I have found a mechanism to find open files (use ZwQuerySystemInformation
for SystemHandleInformation, look for file handles), but I wish there was a
better-supported scheme.

Ken

(Original message from Ben Curley, sent Monday, September 19, 2005 6:44 AM.)

Ken,

I tried to do what you are suggesting using the ZwQuerySystemInformation
thing, it just isn’t reliable as it will only give you a snapshot of a
moment in time.

What happens when something opens a file that you are interested in
after you have enumerated the handles, but before you are ready to
start filtering new files?

Make the user reboot after installing. Much safer.

Ben
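
The approach Ken describes (take a SystemHandleInformation snapshot and look for file handles) together with the gap Ben points out, as an added example that is not code from any poster in this thread. It works on constructed snapshots instead of calling ZwQuerySystemInformation; the entry layout is the commonly published one for this undocumented information class, and the type index 28, PIDs, handle values and object addresses are made-up sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* File access-mask bits (values from winnt.h). */
#define FILE_WRITE_DATA  0x0002u
#define FILE_APPEND_DATA 0x0004u
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* One entry of a SystemHandleInformation snapshot. Assumption: this is the
 * commonly published layout of the undocumented legacy structure. */
typedef struct {
    uint16_t  UniqueProcessId;
    uint16_t  CreatorBackTraceIndex;
    uint8_t   ObjectTypeIndex;   /* numeric object type, varies by OS build */
    uint8_t   HandleAttributes;
    uint16_t  HandleValue;
    uintptr_t Object;            /* kernel address of the object */
    uint32_t  GrantedAccess;
} handle_entry;

/* Constructed sample data: the snapshot taken when enumeration runs (T0)... */
static const handle_entry SNAP_T0[] = {
    {1200, 0, 28, 0, 0x44, 0x81000010u, 0x00120089u}, /* our probe file, read */
    { 640, 0, 28, 0, 0x1c, 0x81000200u, 0x0012019fu}, /* file, read+write */
    { 640, 0,  5, 0, 0x20, 0x81000300u, 0x001f0fffu}, /* not a file object */
    { 812, 0, 28, 0, 0x30, 0x81000200u, 0x00120116u}, /* 2nd handle, same file */
    { 812, 0, 28, 0, 0x34, 0x81000400u, 0x00120089u}, /* file, read only */
};
/* ...and the handle table a moment later (T1), when filtering is live. */
static const handle_entry SNAP_T1[] = {
    {1200, 0, 28, 0, 0x44, 0x81000010u, 0x00120089u},
    { 640, 0, 28, 0, 0x1c, 0x81000200u, 0x0012019fu},
    { 812, 0, 28, 0, 0x30, 0x81000200u, 0x00120116u},
    { 900, 0, 28, 0, 0x58, 0x81000500u, 0x00120116u}, /* opened after T0 */
};

/* The file type index is not a constant: learn it from a handle this process
 * opened on a known file. Returns 0 if that handle is not in the snapshot. */
static uint8_t file_type_index(const handle_entry *snap, size_t n,
                               uint16_t own_pid, uint16_t known_file_handle)
{
    for (size_t i = 0; i < n; i++)
        if (snap[i].UniqueProcessId == own_pid &&
            snap[i].HandleValue == known_file_handle)
            return snap[i].ObjectTypeIndex;
    return 0;
}

static int contains(const uintptr_t *set, size_t n, uintptr_t v)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == v) return 1;
    return 0;
}

/* Collect the distinct file objects that some handle can write or append to.
 * Duplicated or inherited handles point at the same object, so de-duplicate
 * on the object address. Returns the number of objects stored in out. */
static size_t write_opens(const handle_entry *snap, size_t n, uint8_t file_type,
                          uintptr_t *out, size_t cap)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const handle_entry *e = &snap[i];
        if (e->ObjectTypeIndex != file_type) continue;
        if (!(e->GrantedAccess & (FILE_WRITE_DATA | FILE_APPEND_DATA))) continue;
        if (contains(out, count, e->Object)) continue;
        if (count < cap) out[count++] = e->Object;
    }
    return count;
}

/* File objects that are write-open in the later set but absent from the
 * earlier one: opens a single T0 snapshot never reports. */
static size_t opened_in_gap(const uintptr_t *earlier, size_t ne,
                            const uintptr_t *later, size_t nl,
                            uintptr_t *out, size_t cap)
{
    size_t count = 0;
    for (size_t i = 0; i < nl; i++)
        if (!contains(earlier, ne, later[i]) && count < cap)
            out[count++] = later[i];
    return count;
}

int main(void)
{
    uintptr_t t0[8], t1[8], gap[8];
    uint8_t ft = file_type_index(SNAP_T0, COUNT(SNAP_T0), 1200, 0x44);
    size_t n0 = write_opens(SNAP_T0, COUNT(SNAP_T0), ft, t0, 8);
    size_t n1 = write_opens(SNAP_T1, COUNT(SNAP_T1), ft, t1, 8);
    size_t ng = opened_in_gap(t0, n0, t1, n1, gap, 8);
    printf("file type index %u: %zu write-open at T0, %zu missed by T0\n",
           (unsigned)ft, n0, ng);
    return 0;
}
```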

(Original message from Ken Cross, sent 19 September 2005 11:55.)

Ben:

I understand and I agree. For what I want, though, it’s “good enough”. If
it misses some, it’ll put everything right the next time the process stops
and restarts. But detecting open files at installation time will save a
considerable amount of processing that would have to be re-done.

Having to reboot after installation is so legacy… ;-)

Thanks,
Ken

(Original message from Ben Curley, sent Monday, September 19, 2005 9:41 AM.)

Ken

You will or have found ZwQuerySystemInformation and the Nebbett book might
help you. So what about files which were open (exists handle) and are no
longer open (not exists handle) before your filter starts but nevertheless
along come writes for those files?

Good luck
Lyndon

Yep, definitely a possibility.

As I mentioned (somewhere), this whole exercise is to avoid unnecessary
processing, but if it’s wrong, it’ll recover the next time the file is
opened, which is “good enough”.

Thanks,
Ken

(Original message from Lyndon J Clarke, sent Wednesday, September 21, 2005 5:41 PM.)
