Hi, I'm developing a driver based on minifilter, and got some problems.
How can I determine whether an operation means "open an existing file" or "create a new file" in the pre-create operation? The only way I know is to use the FltCreateFile API in the process, but sometimes it causes a blue screen. Are there some other methods, like checking flags or something, in this case?
Sorry for my poor English >_<.
> How can I determine whether an operation means "open an existing file"
> or "create a new file" in pre-create operation. The only way I know is
> use FltCreateFile API in the process,
Yes, but all that tells you is that at some time earlier the file existed.
It doesn’t mean it exists now. This is a fundamental drawback of filtering
file systems. You never know the state, you just have to speculate on state
based upon observation. You also should not try to fix this by locking out
other operations while your one probing create goes down - you *will* cause
deadlocks when someone calls you re-entrantly.
> but sometimes it causes a blue screen.
Then you have a bug in your code. This is a perfectly acceptable thing to do
(but beware of the cost of potentially doubling the number of creates that
the FSD sees (this on top of the doubling that other MS filters above you
might provoke)).
> Is there some other methods like to check flags or
> something in this case?
No - I suppose you *could* open the parent directory and do a lookup. Note
however that in some Dispositions you know the assumed state:
  FILE_OPEN, FILE_OVERWRITE - the file must exist
  FILE_CREATE - the file must not exist
  All others - the file is in either state.
Also, look out for SL_OPENTARGETDIR which is associated with rename and is
an open to the parent directory.
My filter driver uses a flag in the IoStatus field in the callback data to see if the file was an open or a create. This is not a guarantee that the file did not exist when the flag is set though. I believe this flag can also be set if the file is replaced in some circumstances. Maybe someone else could give a more definitive answer. Here is the code I use in my post-create callback.
//
// Determine if this is an open of an existing file or a create
//
if (FlagOn(Data->IoStatus.Information, FILE_CREATED)) {
// file create
}
else {
// file open
}
Don’t forget about destructive opens as well, FILE_OVERWRITTEN and
FILE_SUPERSEDED. And in the case where the flag OPEN_TARGET_DIRECTORY is
being specified then the Information field can be either FILE_EXISTS or
FILE_DOES_NOT_EXIST.
Finally, these are not bit-wise flags, they are values ranging from 0 ->
5 so use an equate not a FlagOn() since FILE_OVERWRITTEN would trigger
for the check you have below.
Pete
On 8/27/2014 8:47 AM, xxxxx@lenovo.com wrote:
> My filter driver uses a flag in the IoStatus field in the callback data to see if the file was an open or a create. This is not a guarantee that the file did not exist when the flag is set though. I believe this flag can also be set if the file is replaced in some circumstances. Maybe someone else could give a more definitive answer. Here is the code I use in my post-create callback.
> //
> // Determine if this is an open of an existing file or a create
> //
> if (FlagOn(Data->IoStatus.Information, FILE_CREATED)) {
> // file create
> }
> else {
> // file open
> }
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
Also, the caller was specifically asking about preCreate and the IoStatus
is set in postCreate.
Thanks,
Alex.
On Wed, Aug 27, 2014 at 7:47 AM, wrote:
> My filter driver uses a flag in the IoStatus field in the callback data to
> see if the file was an open or a create. This is not a guarantee that the
> file did not exist when the flag is set though. I believe this flag can
> also be set if the file is replaced in some circumstances. Maybe someone
> else could give a more definitive answer. Here is the code I use in my
> post-create callback.
>
> //
> // Determine if this is an open of an existing file or a create
> //
> if (FlagOn(Data->IoStatus.Information, FILE_CREATED)) {
>
> // file create
> }
> else {
>
> // file open
> }
>
Peter,
Thanks for pointing out that error in my code! Looks like I got carried away with the bit fields, good catch. This explains why I was seeing a few false positives on this too.
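
The points made in this thread, collected as an added example (not code from any poster): what the create disposition implies in pre-create, and a value comparison on IoStatus.Information in post-create next to the bit test that misfires. The constants are reproduced with their WDK values so it compiles outside the kernel; the function names and the options/op_flags parameters (standing for Iopb->Parameters.Create.Options and Iopb->OperationFlags) are hypothetical.

```c
#include <stdint.h>

/* WDK values, reproduced here so the example builds in user mode. */
/* CreateDisposition: the request, carried in the top 8 bits of Create.Options */
#define FILE_SUPERSEDE    0
#define FILE_OPEN         1
#define FILE_CREATE       2
#define FILE_OPEN_IF      3
#define FILE_OVERWRITE    4
#define FILE_OVERWRITE_IF 5
/* IoStatus.Information: the result, valid only after a successful create */
#define FILE_SUPERSEDED     0
#define FILE_OPENED         1
#define FILE_CREATED        2
#define FILE_OVERWRITTEN    3
#define FILE_EXISTS         4
#define FILE_DOES_NOT_EXIST 5
#define SL_OPEN_TARGET_DIRECTORY 0x04 /* bit in Iopb->OperationFlags */

typedef enum { MUST_EXIST, MUST_NOT_EXIST, EITHER, PARENT_DIR_OPEN } pre_state_t;

/* Pre-create: what the request assumes about the file. This is the caller's
   assumption, not the state on disk, which can change before the FSD acts. */
pre_state_t classify_pre_create(uint32_t options, uint8_t op_flags)
{
    if (op_flags & SL_OPEN_TARGET_DIRECTORY)
        return PARENT_DIR_OPEN;          /* rename-style open of the parent */
    switch ((options >> 24) & 0xFF) {    /* extract the disposition */
    case FILE_OPEN:
    case FILE_OVERWRITE: return MUST_EXIST;
    case FILE_CREATE:    return MUST_NOT_EXIST;
    default:             return EITHER;  /* SUPERSEDE, OPEN_IF, OVERWRITE_IF */
    }
}

/* Post-create: Information is an enumerated value, so compare for equality. */
int was_created(uintptr_t information)
{
    return information == FILE_CREATED;
}

/* The FlagOn-style bit test from the thread, kept to show the false positive:
   FILE_OVERWRITTEN (3) shares a bit with FILE_CREATED (2). */
int was_created_bit_test(uintptr_t information)
{
    return (information & FILE_CREATED) != 0;
}
```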