FltGetFileNameInformation failed with PreCreate: failed with status = 0xc000003a when trying to open notepad.exe in precreate().
The same is working fine on Windows 11. On Windows 10, it’s not.
Trying to figure out why? I changed the name options flags as per MSDN and tried combinations of different flags, but the issue persists.
What else could be tried here? Can anyone please help me with some pointers?
I can see that on Win10, the path to Notepad.exe is C:\Windows\system32\notepad.exe, while on Win11, it is not.
I appreciate any help you can provide.
Thank you.
Do you have ProcMon output perhaps?
Are you sure it is the actual open? What is FileName in the Data->TargetFileObject exactly?
ProcMon output: not showing notepad.exe.
Can’t see "IRP_MJ_CREATE" for c:\Windows\System32\notepad.exe rather than notepad.exe.local (what is it?), failed with the name not found.
I am trying to block Exe, not particularly Notepad, based on some user-defined policy.
What I did: in precreate(), I checked the abs path, and if that path contains that exe, access is denied. The code works fine on Win11 for any app of the defined policy, but on Win10, the code fails for every policy path. Is it something related to query IRP?
I haven’t been able to figure out what I am doing wrong. I suspect I have to handle memory-mapped IO also to make it work. But why? Maybe this will not work here with a path match.
Thank you for the help.
Best Regards.
What fails with path not found then, according to ProcMon? We need more info to even guess. That error code is quite specific, the open is for a nonexistent path, and it will fail anyway. So you are looking at the wrong open, or already corrupted the memory. Memory mapping has nothing to do with file names during open. .local is some metadata file that rarely exists. Also not related to file name query in your case.
Dejan.
Thank you for the help.
I figured out that the problem was not with FltGet*** but with case sensitivity in my comparison.
Thank you.
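The case-sensitivity pitfall that resolved this thread, as an added example that is not code from any poster: a user-mode C model of a policy path check, with a case-sensitive compare beside a case-insensitive one that also requires the match to start on a `\` boundary. The function names, the policy string and the volume device name are assumptions made for illustration; in a minifilter the comparison itself would be done on `UNICODE_STRING`s, for example with `RtlEqualUnicodeString` and `CaseInSensitive` set to `TRUE`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ASCII-only upcase, enough for this model; a driver would use the Rtl* routines. */
static char fold(char c) { return (c >= 'a' && c <= 'z') ? (char)(c - 32) : c; }

static bool equal_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (fold(a[i]) != fold(b[i])) return false;
    return true;
}

/* Case-sensitive suffix compare: misses "system32" when the policy says "System32". */
bool policy_matches_case_sensitive(const char *opened, const char *policy)
{
    size_t olen = strlen(opened), plen = strlen(policy);
    return plen > 0 && plen <= olen && memcmp(opened + olen - plen, policy, plen) == 0;
}

/* Case-insensitive suffix compare; the match must begin at a path-component boundary. */
bool policy_matches(const char *opened, const char *policy)
{
    size_t olen = strlen(opened), plen = strlen(policy);
    if (plen == 0 || plen > olen) return false;
    const char *tail = opened + (olen - plen);
    if (!equal_nocase(tail, policy, plen)) return false;
    return policy[0] == '\\' || tail == opened || tail[-1] == '\\';
}

int main(void)
{
    /* Constructed sample names; the volume device name is made up. */
    const char *policy = "\\Windows\\System32\\notepad.exe";
    const char *opens[] = {
        "\\Device\\HarddiskVolume3\\Windows\\system32\\notepad.exe",
        "\\Device\\HarddiskVolume3\\Windows\\System32\\notepad.exe.local",
        "\\Device\\HarddiskVolume3\\Windows\\System32\\xnotepad.exe",
    };
    for (size_t i = 0; i < sizeof opens / sizeof opens[0]; i++)
        printf("%-62s sensitive=%d insensitive=%d\n", opens[i],
               policy_matches_case_sensitive(opens[i], policy),
               policy_matches(opens[i], policy));
    return 0;
}
```

The boundary test is what keeps a bare-name policy such as `notepad.exe` from also matching `xnotepad.exe`, and the suffix requirement is what keeps `notepad.exe.local` out.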