FltCreateFile handle and reference counts

OSR_Community_User · October 30, 2010, 10:59am

I’ve got a peculiar situation with a file object…
Namely, after FltCreateFile I call ObReferenceObjectByHandle to get
the file object and I call (unconditionally) FltClose. This is how it is
supposed to be (FltCreateFile increases ref to 1, ObRef increases to 2,
FltClose decreases to 1 again while I keep using the file object…).
Well, this works until FltReadFile/FltWriteFile - they return with
an error “file is closed”.

Is this supposed to be so, or is this a bug? The FO is still
referenced, it should be opened.

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Petr_Kurtin · October 30, 2010, 11:41am

This is correct behavior. You can’t issue a non-paging IO to the file object
for which cleanup routine was already executed (I think FO_CLEANUP_COMPLETE
should be set in FO, see !fileobj). You can send only paging IOs to these
file objects.

Petr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Saturday, October 30, 2010 4:59 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FltCreateFile handle and reference counts

I’ve got a peculiar situation with a file object…
Namely, after FltCreateFile I call ObReferenceObjectByHandle to get
the file object and I call (unconditionally) FltClose. This is how it is
supposed to be (FltCreateFile increases ref to 1, ObRef increases to 2,
FltClose decreases to 1 again while I keep using the file object…).
Well, this works until FltReadFile/FltWriteFile - they return with
an error “file is closed”.

Is this supposed to be so, or is this a bug? The FO is still
referenced, it should be opened.

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

OSR_Community_User · October 31, 2010, 11:31pm

That part I agree with. However, the question is whether the file should have a Cleanup called when there is
still a file object reference?

Petr Kurtin wrote:

This is correct behavior. You can’t issue a non-paging IO to the file object for which cleanup routine was already
executed (I think FO_CLEANUP_COMPLETE should be set in FO, see !fileobj). You can send only paging IOs to these
file objects.

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

OSR_Community_User · November 1, 2010, 1:53am

> That part I agree with. However, the question is whether the file should have a Cleanup called when

there is
still a file object reference?

Yes it will. The sequence of:

ZwCreateFile
ObReferenceObjectByHandle
ZwClose

also known as IoGetDeviceObjectPointer, sends CLEANUP but not CLOSE, the FO is returned alive.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

OSR_Community_User · November 1, 2010, 2:07am

Thanks. It did not seem so to me, but this example makes perfect sense.

“Maxim S. Shatskih” wrote:

Yes it will. The sequence of:

ZwCreateFile
ObReferenceObjectByHandle
ZwClose
also known as IoGetDeviceObjectPointer, sends CLEANUP but not CLOSE, the FO is returned alive.

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.