FS filter coverage

pavel_so · January 29, 2011, 9:13am

Is there any write/read operations(even possibilities) that can’t be tracked with minifilter? (except pagefile).

–
Pavel Sokolov

OSR_Community_User · January 29, 2011, 10:02am

Yes, direct access to the device cannot be tracked by the minifilter (or any FS filter). Much of that is not
possible on Vista and I think none is possible on W7 however.
Also, it is still possible for any filter to skip any filters below it and send I/O directly to the file system.

It is also possible for a filter to remove all filters registered before it from the chain and completely have
them skipped from that point on. I am not sure whether W7 did something regarding this, but IoAttachDevice API could
be used this way, without checks - and a good deal of antivirus filters even did this; as a “bug”.

Regards, Dejan.

Pavel Sokolov wrote:

Is there any write/read operations(even possibilities) that can’t be tracked with minifilter? (except pagefile).

–
Pavel Sokolov

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

OSR_Community_User · January 30, 2011, 3:30pm

> Yes, direct access to the device cannot be tracked by the minifilter (or any FS filter). Much of that is

not
possible on Vista and I think none is possible on W7 however.

It is possible.

What is limited in Vista+ is writes (or maybe even all access) via PhysicalDrive%d to the regions covered by defined volumes.

You still can access the volumes sector-wise using \.\C: or volume GUID name.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Peter_Scott · January 30, 2011, 6:03pm

On 1/30/2011 1:30 PM, Maxim S. Shatskih wrote:

> Yes, direct access to the device cannot be tracked by the minifilter (or any FS filter). Much of that is
> not
> possible on Vista and I think none is possible on W7 however.

It is possible.

What is limited in Vista+ is writes (or maybe even all access) via PhysicalDrive%d to the regions covered by defined volumes.

From user mode … you can still do this from kernel mode as long as
you set the right bits in the request.

Pete

–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295