Here is some code from filemon that fetches a filename
using IRP_MJ_QUERY_INFORMATION. www.sysinternals.com.
Randy
//----------------------------------------------------------------------
//
// FilemonQueryFileComplete
//
// This routine is used to handle I/O completion for
our self-generated
// IRP that is used to query a file’s name or number.
//
//----------------------------------------------------------------------
NTSTATUS
FilemonQueryFileComplete(
PDEVICE_OBJECT DeviceObject,
PIRP Irp,
PVOID Context
)
{
//
// Copy the status information back into the
“user” IOSB.
//
*Irp->UserIosb = Irp->IoStatus;
if( !NT_SUCCESS(Irp->IoStatus.Status) ) {
DbgPrint((" ERROR ON IRP: %x\n",
Irp->IoStatus.Status ));
}
//
// Set the user event - wakes up the mainline code
doing this.
//
KeSetEvent(Irp->UserEvent, 0, FALSE);
//
// Free the IRP now that we are done with it.
//
IoFreeIrp(Irp);
//
// We return STATUS_MORE_PROCESSING_REQUIRED
because this “magic” return value
// tells the I/O Manager that additional
processing will be done by this driver
// to the IRP - in fact, it might (as it is in
this case) already BE done - and
// the IRP cannot be completed.
//
return STATUS_MORE_PROCESSING_REQUIRED;
}
//----------------------------------------------------------------------
//
// FilemonQueryFile
//
// This function retrieves the “standard” information
for the
// underlying file system, asking for the filename in
particular.
//
//----------------------------------------------------------------------
BOOLEAN
FilemonQueryFile(
PDEVICE_OBJECT DeviceObject,
PFILE_OBJECT FileObject,
FILE_INFORMATION_CLASS FileInformationClass,
PVOID FileQueryBuffer,
ULONG FileQueryBufferLength
)
{
PIRP irp;
KEVENT event;
IO_STATUS_BLOCK IoStatusBlock;
PIO_STACK_LOCATION ioStackLocation;
DbgPrint((“Getting file name for %x\n”,
FileObject));
//
// Initialize the event
//
KeInitializeEvent(&event, SynchronizationEvent,
FALSE);
//
// Allocate an irp for this request. This could
also come from a
// private pool, for instance.
//
irp = IoAllocateIrp(DeviceObject->StackSize,
FALSE);
if(!irp) {
//
// Failure!
//
return FALSE;
}
//
// Build the IRP’s main body
//
irp->AssociatedIrp.SystemBuffer = FileQueryBuffer;
irp->UserEvent = &event;
irp->UserIosb = &IoStatusBlock;
irp->Tail.Overlay.Thread = PsGetCurrentThread();
irp->Tail.Overlay.OriginalFileObject = FileObject;
irp->RequestorMode = KernelMode;
irp->Flags = 0;
//
// Set up the I/O stack location.
//
ioStackLocation = IoGetNextIrpStackLocation(irp);
ioStackLocation->MajorFunction =
IRP_MJ_QUERY_INFORMATION;
ioStackLocation->DeviceObject = DeviceObject;
ioStackLocation->FileObject = FileObject;
ioStackLocation->Parameters.QueryFile.Length =
FileQueryBufferLength;
ioStackLocation->Parameters.QueryFile.FileInformationClass
= FileInformationClass;
//
// Set the completion routine.
//
IoSetCompletionRoutine(irp,
FilemonQueryFileComplete, 0, TRUE, TRUE, TRUE);
//
// Send it to the FSD
//
(void) IoCallDriver(DeviceObject, irp);
//
// Wait for the I/O
//
KeWaitForSingleObject(&event, Executive,
KernelMode, TRUE, 0);
//
// Done! Note that since our completion routine
frees the IRP we cannot
// touch the IRP now.
//
return NT_SUCCESS( IoStatusBlock.Status );
}
— Eric Fowler wrote:
> Oh - I should add that I am using
> IRP_MJ_QUERY_INFORMATION to try to fetch a
> file name.
>
> I am having a h-ll of a time finding documentation
> for it - ?
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf
> Of Alexey Logachyov
> Sent: Thursday, February 13, 2003 12:03 AM
> To: File Systems Developers
> Subject: [ntfsd] Re: How to get logical volume
> object from file system
> filter?
>
>
>
IoGetCurrentIrpStackLocation(IrpPtr)->FileObject->DeviceObject
> will give you
> the volume device object pointer.
>
>
> ----- Original Message -----
> From: “Eric Fowler”
> To: “File Systems Developers”
> Sent: Thursday, February 13, 2003 2:02 AM
> Subject: [ntfsd] How to get logical volume object
> from file system filter?
>
>
> > I have a filter that calls
> IoRegisterFsRegistrationChange() and thus gets
> a
> > pointer to the top of the file system in a
> callback routine. When I filter
> > this file system, I have a need to obtain logical
> volume information from
> a
> > filter (this is to get logical drive information).
> For example, when I
> trap
> > an IRP_MJ_CREATE, I would like the volume object
> pointer.
> >
> > Is that information available to my filter? Where?
> >
> >
> > The problem arises in attempting to filter traffic
> to and from removable
> > media. Using the straightforward NTFILMON approach
> does not work because
> the
> > old filter object is marooned when media is
> removed. Using
> > IoRegisterFsRegistrationChange() obviates this but
> leaves me with a filter
> > that does not (as far as I can see) give me access
> to the volume
> > information.
> >
> > Ideas?
> >
> > Thanks.
> >
> > Eric
> >
> >
> >
> > —
> > You are currently subscribed to ntfsd as:
> xxxxx@vba.com.by
> > To unsubscribe send a blank email to
> xxxxx@lists.osr.com
> >
>
>
>
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@seanet.com
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>
>
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
xxxxx@lists.osr.com
=====
Randy Cook
__________________________________________________
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine’s Day
http://shopping.yahoo.com