Getting original file name for temporary files formed by MS Word

Hi All,

I am working on some file monitoring mechanisms (kernel mode) and for that I
want to keep track of all the intermediate files formed in the case of MS
Office applications and in turn find which file (e.g. .DOC file) it is
actually linked to.
Looking at a simple case of MS Word, suppose there is a file by the name
TestFile.Doc. When this file is opened, a file with ~$ at the start is
formed, which contains the user info. This file can be easily linked to the
original file (same name with ~$ as prefix).

But when this file is saved, a sequence of ~wr******.tmp files is formed.
To be more explanatory,

  1. original file is first renamed to ~WRL****.tmp. (Can easily be linked to
    original file name)
  2. ~WRD****.tmp is renamed to TestFile.doc
  3. Almost all temporary files are deleted (In most cases)

*Between step 1 and 2, there are certain more ~WRL****.tmp and ~WRF****.tmp
files formed*

Now in order to keep track of all modifications on the file, I need to log
the name of the original .DOC file for all these temporary files.
At the same time, there is a possibility that a user creates a file by the
same tmp name.

I have already seen the meaning of all these temporary files on Microsoft’s
site and still have doubts about how my filter driver is going to do the above
task.
I saw a few archives on OSR regarding this, for minifilters, but it won’t be
much help to me as I am not dealing with minifilters, and also *Tunnel
Names* (Flt tunnel name retrieving functions) might not solve the whole
purpose (especially in cases where more than one ~WRL****.tmp file is
formed for a single save operation).

So, can anyone guide me on how I should go about all this?

Thanks in advance for your help.

Regards,
Shreshth

Good luck! Although you might be able to correlate .doc files with .tmp
files, it is not only application-specific, it is version-specific (it’s
different from Word 98 to Word 2003, and they could definitely change it
again in Word 2006).

Couldn’t you just monitor opening of .doc files? You know if they’re opened
for read/write/delete.

Also, consider if the user decides to quit without saving. This simply
deletes the .tmp files. What would you do in that case?

Ken


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Shreshth Luthra
Sent: Friday, April 07, 2006 4:09 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Getting original file name for temporary files formed by MS
Word

— Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17 You are currently subscribed to
ntfsd. To unsubscribe send a blank email to xxxxx@lists.osr.com

Please explain how you think this has anything at all to do with windows nt
file systems development.


>Please explain how you think this has anything at all to do with windows nt
>file systems development.

I explored Microsoft’s site before mailing NTFSD.
See, my requirement at that stage is to log all the IRP calls coming on all
these temporary files and display the original .DOC filename along with the
temporary file name.
And I thought there might be a possibility that some field in the IRPs
corresponding to these temporary files points to, or can be made to point to,
the DOC file originating the operation.

Maybe someone on NTFSD has explored something similar, because my
ultimate motive is not very uncommon.

>Also, consider if the user decides to quit without saving. This simply
>deletes the .tmp files. What would you do in that case?

As per my understanding, the tmp files are formed only on a save operation
(except for a few standard ones for WinWord.exe such as ~WR*0000.tmp).
Please correct me if I am wrong.

>Couldn’t you just monitor opening of .doc files? You know if they’re opened
>for read/write/delete.

Consider a case here. Suppose that I have opened a file TestFile.Doc for
read/write, and I do a series of save operations. In the meantime, some
other process simply accesses some intermediate tmp file for some write
operation (whose contents are ultimately going to reach TestFile.doc on the
close operation). So if I am not able to link it with the original
TestFile.doc in the output logs, I would not be able to analyze whether the
file’s contents are as expected or some other intruder process has changed it.

Regards,
Shreshth Luthra

Think of this in another way - if you are writing an application
program, do you tell the OS the purpose for which you are opening a
file? For example, look at CreateFile (Win32) or NtCreateFile (Windows
Native) - that’s really all the information that is going to be
available at FS API level.

I’ve never seen any OS that supported an “oh, by the way this file is
associated with this other file” hint in its API.

The best you can do is associate other opens by the same process - so if
process ‘X’ opens file ‘Y’ and then creates file ‘B’ you could infer
there might be a relationship between the two. But if process ‘X’ opens
files ‘A’, ‘B’ and ‘C’ and then creates ‘X’, ‘Y’, and ‘Z’ then nobody
(but the application writer) knows what the relationship between the
files is.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006.
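The save sequence from the original post (document renamed to ~WRL*.tmp, ~WRD*.tmp renamed onto the document name, temporaries deleted), Ken's quit-without-saving case and Tony's same-process heuristic can be combined into a single correlation pass over a file-event stream. The Python below is an added example written for this thread, not code from any poster or from OSR; the event log is constructed, the paths and PIDs are invented, and the event shape (pid, op, name, new_name) is an assumption about what a filter driver would log. It links a temporary to its document by following rename chains first, falls back to "which document does this process have open" and labels that result as an inference, reports the case as ambiguous when the process has several documents open (Tony's A/B/C versus X/Y/Z point), and flags a temporary touched by a process that does not hold the linked document open, which is the intruder case raised in the follow-up.

```python
"""Correlate MS Word temporary files with the document they derive from,
given a stream of file-system events (constructed example; see lead-in)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    op: str             # "open", "create", "write", "rename", "delete", "close"
    name: str           # path the operation targets
    new_name: str = ""  # rename target; empty for every other op


def is_temp(path: str) -> bool:
    """All of Word's temporaries named in the thread start with '~'."""
    return path.rsplit("\\", 1)[-1].startswith("~")


class Correlator:
    def __init__(self) -> None:
        self.links: dict[str, tuple[str, str]] = {}   # temp path -> (document, basis)
        self.open_docs: dict[int, set[str]] = {}      # pid -> documents it has open

    def _by_process(self, pid: int) -> tuple[str | None, str]:
        """Tony's heuristic: tie a temp to whatever document the process has open."""
        docs = self.open_docs.get(pid, set())
        if len(docs) == 1:
            return next(iter(docs)), "inferred: same process has this document open"
        if docs:
            return None, f"ambiguous: process has {len(docs)} documents open"
        return None, "unknown: process has no document open"

    def annotate(self, ev: Event) -> tuple[str | None, str]:
        """Return (document, basis) for one event and update the tracking state."""
        if ev.op != "rename" and not is_temp(ev.name):
            # The document itself: only bookkeeping of who has it open is needed.
            if ev.op == "open":
                self.open_docs.setdefault(ev.pid, set()).add(ev.name)
            elif ev.op == "close":
                self.open_docs.get(ev.pid, set()).discard(ev.name)
            return ev.name, "document itself"

        if ev.op == "rename":
            if not is_temp(ev.new_name):
                # Step 2 of the save: a temp is renamed onto the document name,
                # so its contents now are the document.
                self.links.pop(ev.name, None)
                return ev.new_name, "renamed onto document"
            if is_temp(ev.name):
                link = self.links.pop(ev.name, None) or self._by_process(ev.pid)
            else:
                link = (ev.name, "rename chain")  # step 1: document -> ~WRL*.tmp
            if link[0] is not None:
                self.links[ev.new_name] = link     # follow the chain later
            return link

        # create / write / delete / close on a temporary file
        link = self.links.pop(ev.name, None) if ev.op == "delete" else self.links.get(ev.name)
        if link is None:
            link = self._by_process(ev.pid)
            if link[0] is not None and ev.op == "create":
                self.links[ev.name] = link         # remember the inference
        doc, basis = link
        if doc is not None and doc not in self.open_docs.get(ev.pid, set()):
            # A temp tied to a document, touched by a process that does not have
            # that document open: the "intruder process" case from the follow-up.
            basis += "; FLAG: process does not hold the document open"
        return doc, basis


def correlate(events: list[Event]) -> list[tuple[str | None, str]]:
    c = Correlator()
    return [c.annotate(ev) for ev in events]


# Constructed event log (invented paths and PIDs) following the thread's steps.
DOC = r"C:\docs\TestFile.doc"
EVENTS = [
    Event(1000, "open",   DOC),                           # Word opens the document
    Event(1000, "create", r"C:\docs\~$TestFile.doc"),     # owner file with ~$ prefix
    Event(1000, "create", r"C:\docs\~WRD0001.tmp"),       # save: new contents staged
    Event(1000, "write",  r"C:\docs\~WRD0001.tmp"),
    Event(1000, "rename", DOC, r"C:\docs\~WRL0002.tmp"),  # step 1
    Event(1000, "rename", r"C:\docs\~WRD0001.tmp", DOC),  # step 2
    Event(2000, "write",  r"C:\docs\~WRL0002.tmp"),       # another process writes a temp
    Event(1000, "delete", r"C:\docs\~WRL0002.tmp"),       # step 3 (same path when quitting unsaved)
    Event(3000, "open",   r"C:\docs\A.doc"),
    Event(3000, "open",   r"C:\docs\B.doc"),
    Event(3000, "create", r"C:\docs\~WRD0003.tmp"),       # two documents open: cannot tell
]

if __name__ == "__main__":
    for ev, (doc, basis) in zip(EVENTS, correlate(EVENTS)):
        print(f"pid={ev.pid} {ev.op:6} {ev.name:28} -> {doc} [{basis}]")
```

The rename chain is the only link the file system itself provides; everything from `_by_process` is a guess and is labelled as such in the basis string, so a log consumer can treat the two classes of evidence differently. Tunnelling, version-specific naming and a second process that happens to hold the same document open are outside what this pass can resolve, which is the point Tony and Ken make above.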


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Shreshth Luthra
Sent: Saturday, April 08, 2006 12:53 AM
To: ntfsd redirect
Subject: Re: [ntfsd] Getting original file name for temporary files
formed by MS Word


I see, and I understand why you might have thought there is some sort of
windows nt file systems aspect here, but you are much mistaken. There is
nothing of the nature of what you suggest available at the file systems
level. The problem you attempt to solve seems to be inference of higher
level observations from a sequence of lower level observations. This is a
general problem.


Hey Tony, it seems, you *do* know some stuff about user mode programs,
despite everything :wink:
