Hi,
I am currently studying the filemon driver from Sysinternals. I am trying to
distinguish whether a file object is a file or a directory in IRP_MJ_READ/WRITE.
Here is part of my modified code:

    FILE_STANDARD_INFORMATION fileStandardInfo;
    …
    case IRP_MJ_WRITE:
        …
        FilemonQueryFile(hookExt->FileSystem,
                         currentIrpStack->FileObject,
                         FileStandardInformation,
                         &fileStandardInfo,
                         sizeof(FILE_STANDARD_INFORMATION));
        if (fileStandardInfo.Directory)
            …
        else
            …

This code works well on FAT32. But when hooking file write/read operations
on an NTFS disk, the code causes a problem.
For example, when I create a new MS Word .doc file, modify it, then save it to
an NTFS-formatted disk, WinWord.exe doesn’t close as normal and seems to hang
without any error report. And I saw that the temporary files were not deleted as
normal.
Why doesn’t the code work well on NTFS? How can I do it correctly?
Thanks.
You can’t query info on a file in a read/write dispatch routine if the
read/write IRP being processed is a paging I/O IRP.
–
- Nick Ryan
- Microsoft MVP for DDK
Thanks for your reply. But why does the code work well on a FAT32-formatted disk?
And when I replace

    FILE_STANDARD_INFORMATION fileStandardInfo;
    …
    case IRP_MJ_WRITE:
        FilemonQueryFile(hookExt->FileSystem,
                         currentIrpStack->FileObject,
                         FileStandardInformation,
                         &fileStandardInfo,
                         sizeof(FILE_STANDARD_INFORMATION));
        …

with

    FILE_INTERNAL_INFORMATION fileInternalInfo;
    …
    case IRP_MJ_WRITE:
        FilemonQueryFile(hookExt->FileSystem,
                         currentIrpStack->FileObject,
                         FileInternalInformation,
                         &fileInternalInfo,
                         sizeof(fileInternalInfo));
        …

the code works well on an NTFS-formatted disk.
So I can query FileInternalInformation but not FileStandardInformation
when processing IRP_MJ_READ/WRITE. Querying
FileStandardInformation will cause WinWord.exe to hang, but querying
FileInternalInformation will not. Is there a difference between processing
them?
Thanks.
It works by accident. The more you do outside the bounds of what
Microsoft’s FSDs are written to expect, the more you risk exposing buggy
code paths or situations never anticipated in the code. Sending down
foreign IRPs of a different major code while processing a paging I/O IRP
is one such unanticipated situation (reads while processing a write is
OK, however).
–
- Nick Ryan
- Microsoft MVP for DDK
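
An added example, not part of the original thread or of Filemon's source: a user-mode C model of the guard described in the replies, which never sends a query while the read/write IRP has IRP_PAGING_IO set. MODEL_IRP, the cache and the query callback are hypothetical stand-ins, and reusing an answer cached from an earlier non-paging request goes beyond what the thread states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values match wdm.h; redefined so this model builds without the WDK.
   In a driver the test is (Irp->Flags & IRP_PAGING_IO). */
#define IRP_PAGING_IO 0x00000002u
enum { MJ_READ = 0x03, MJ_WRITE = 0x04 };   /* IRP_MJ_READ / IRP_MJ_WRITE */
enum { KIND_UNKNOWN = -1, KIND_FILE = 0, KIND_DIR = 1 };

/* Hypothetical stand-in for the IRP fields the check needs. */
typedef struct { uint32_t Flags; uint8_t Major; const void *FileObject; } MODEL_IRP;
/* Stand-in for FilemonQueryFile(..., FileStandardInformation, ...). */
typedef int (*QUERY_FN)(const void *FileObject, int *IsDirectory);

#define CACHE_SLOTS 32
static struct { const void *FileObject; int Kind; } g_cache[CACHE_SLOTS];
static size_t g_used;
int g_queries;                              /* counts queries sent down */

static int cache_find(const void *fo) {
    for (size_t i = 0; i < g_used; i++)
        if (g_cache[i].FileObject == fo) return g_cache[i].Kind;
    return KIND_UNKNOWN;
}

/* Decide file vs. directory for a read/write without ever querying
   while a paging I/O IRP is being processed. */
int classify_rw(const MODEL_IRP *irp, QUERY_FN query) {
    int kind = cache_find(irp->FileObject);
    if (kind != KIND_UNKNOWN) return kind;                /* answered earlier */
    if (irp->Flags & IRP_PAGING_IO) return KIND_UNKNOWN;  /* do not query here */
    int is_dir = 0;
    if (query(irp->FileObject, &is_dir) != 0) return KIND_UNKNOWN;
    kind = is_dir ? KIND_DIR : KIND_FILE;
    if (g_used < CACHE_SLOTS) {
        g_cache[g_used].FileObject = irp->FileObject;
        g_cache[g_used].Kind = kind;
        g_used++;
    }
    return kind;
}

/* Constructed query: every object is reported as a regular file. */
int sample_query(const void *fo, int *is_dir) { (void)fo; g_queries++; *is_dir = 0; return 0; }

int main(void) {
    int a, b;                               /* two constructed file objects */
    MODEL_IRP paging = { IRP_PAGING_IO, MJ_WRITE, &a }, normal = { 0, MJ_WRITE, &b };
    printf("%d %d\n", classify_rw(&paging, sample_query), classify_rw(&normal, sample_query));
    return 0;
}
```

A real filter would also have to drop the cached entry when the file object is closed, since file object addresses are reused.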