Is there a way in my filter driver’s IRP_MJ_CLOSE routine to tell whether a
file has been closed for the final time? I.e., no more cache sections exist
for it and all references to it have been cleared out?
Thanks.
Neil
IRP_MJ_CLOSE is only sent for the “final time”. You can observe multiple
IRP_MJ_CLE|ANUP for a file object, but only one close.
Dan
----- Original Message -----
From: “Neil Weicher”
To: “File Systems Developers”
Sent: Friday, August 23, 2002 4:56 PM
Subject: [ntfsd] How to tell if file closed for final time?
> Is there a way in my filter driver’s IRP_MJ_CLOSE routine to tell whether
a
> file has been closed for the final time? I.e., no more cache sections
exist
> for it and all references to it have been cleared out?
>
> Thanks.
>
> Neil
>
>
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>
Peter Scott
xxxxx@KernelDrivers.com
http://www.KernelDrivers.com
>-----Original Message-----
>From: Peter Scott [mailto:xxxxx@KernelDrivers.com]
>Sent: Friday, August 23, 2002 1:38 PM
>To: ‘File Systems Developers’
>Subject: RE: [ntfsd] Re: How to tell if file closed for final time?
>
>
>Well, really only if no STREAM FO was created and the file was opened
only
>once. Otherwise, the IRP_MJ_CLOSE is sent when the pointer count
reaches
>zero. IRP_MJ_CLEANUP is sent when the handle count reaches zero.
>
>You can check the SectionObjectPointers->DataSectionObject is NULL.
>
>Pete
>
>Peter Scott
>xxxxx@KernelDrivers.com
>http://www.KernelDrivers.com
>
>
>>>-----Original Message-----
>>>From: xxxxx@lists.osr.com [mailto:bounce-ntfsd-
>>>xxxxx@lists.osr.com] On Behalf Of Dan Partelly
>>>Sent: Friday, August 23, 2002 7:53 AM
>>>To: File Systems Developers
>>>Subject: [ntfsd] Re: How to tell if file closed for final time?
>>>
>>>IRP_MJ_CLOSE is only sent for the “final time”. You can observe
multiple
>>>IRP_MJ_CLE|ANUP for a file object, but only one close.
>>>
>>>Dan
>>>
>>>
>>>----- Original Message -----
>>>From: “Neil Weicher”
>>>>To: “File Systems Developers”
>>>>Sent: Friday, August 23, 2002 4:56 PM
>>>>Subject: [ntfsd] How to tell if file closed for final time?
>>>>
>>>>
>>>>> Is there a way in my filter driver’s IRP_MJ_CLOSE routine to tell
>>>>whether
>>>>a
>>>>> file has been closed for the final time? I.e., no more cache
sections
>>>>exist
>>>>> for it and all references to it have been cleared out?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Neil
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> —
>>>>> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
>>>>> To unsubscribe send a blank email to %%email.unsub%%
>>>>>
>>>>
>>>>
>>>>
>>>>—
>>>>You are currently subscribed to ntfsd as: xxxxx@KernelDrivers.com
>>>>To unsubscribe send a blank email to %%email.unsub%%
Sorry for the fat finger on that last one.
Well, really only if no STREAM FO was created and the file was opened
only
once. Otherwise, the IRP_MJ_CLOSE is sent when the pointer count reaches
zero. IRP_MJ_CLEANUP is sent when the handle count reaches zero.
You can check the SectionObjectPointers->DataSectionObject is NULL.
Pete
Peter Scott
xxxxx@KernelDrivers.com
http://www.KernelDrivers.com
>>>>>-----Original Message-----
>>>>>From: xxxxx@lists.osr.com [mailto:bounce-ntfsd-
>>>>>xxxxx@lists.osr.com] On Behalf Of Dan Partelly
>>>>>Sent: Friday, August 23, 2002 7:53 AM
>>>>>To: File Systems Developers
>>>>>Subject: [ntfsd] Re: How to tell if file closed for final time?
>>>>>
>>>>>IRP_MJ_CLOSE is only sent for the “final time”. You can observe
>multiple
>>>>>IRP_MJ_CLE|ANUP for a file object, but only one close.
>>>>>
>>>>>Dan
>>>>>
>>>>>
>>>>>----- Original Message -----
>>>>>From: “Neil Weicher”
>>>>>>To: “File Systems Developers”
>>>>>>Sent: Friday, August 23, 2002 4:56 PM
>>>>>>Subject: [ntfsd] How to tell if file closed for final time?
>>>>>>
>>>>>>
>>>>>>> Is there a way in my filter driver’s IRP_MJ_CLOSE routine to
tell
>>>>>>whether
>>>>>>a
>>>>>>> file has been closed for the final time? I.e., no more cache
>>sections
>>>>>>exist
>>>>>>> for it and all references to it have been cleared out?
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> Neil
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> —
>>>>>>> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
>>>>>>> To unsubscribe send a blank email to %%email.unsub%%
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>—
>>>>>>You are currently subscribed to ntfsd as: xxxxx@KernelDrivers.com
>>>>>>To unsubscribe send a blank email to
%%email.unsub%%
And to be 100% accurate, for the purpose of reference counting based on
FileObject->Context, I think he have to check both
SectionObjectPointers->DataSectionObject &&
SectionObjectPointers->ImageSectionObject are null.
However, I made a mistake in my previous post. Thx for messaging Peter, this
way I realized how I bringed my share of stupidity to the list. I think I
was dreaming green cows
on purple walls.
Ciao, Dan
----- Original Message -----
From: “Peter Scott”
To: “File Systems Developers”
Sent: Friday, August 23, 2002 10:51 PM
Subject: [ntfsd] Re: How to tell if file closed for final time?
>
> Sorry for the fat finger on that last one.
>
> Well, really only if no STREAM FO was created and the file was opened
> only
> once. Otherwise, the IRP_MJ_CLOSE is sent when the pointer count reaches
> zero. IRP_MJ_CLEANUP is sent when the handle count reaches zero.
>
> You can check the SectionObjectPointers->DataSectionObject is NULL.
>
> Pete
>
> Peter Scott
> xxxxx@KernelDrivers.com
> http://www.KernelDrivers.com
>
>
> >>>>>>-----Original Message-----
> >>>>>>From: xxxxx@lists.osr.com [mailto:bounce-ntfsd-
> >>>>>>xxxxx@lists.osr.com] On Behalf Of Dan Partelly
> >>>>>>Sent: Friday, August 23, 2002 7:53 AM
> >>>>>>To: File Systems Developers
> >>>>>>Subject: [ntfsd] Re: How to tell if file closed for final time?
> >>>>>>
> >>>>>>IRP_MJ_CLOSE is only sent for the “final time”. You can observe
> >>multiple
> >>>>>>IRP_MJ_CLE|ANUP for a file object, but only one close.
> >>>>>>
> >>>>>>Dan
> >>>>>>
> >>>>>>
> >>>>>>----- Original Message -----
> >>>>>>From: “Neil Weicher”
> >>>>>>To: “File Systems Developers”
> >>>>>>Sent: Friday, August 23, 2002 4:56 PM
> >>>>>>Subject: [ntfsd] How to tell if file closed for final time?
> >>>>>>
> >>>>>>
> >>>>>>> Is there a way in my filter driver’s IRP_MJ_CLOSE routine to
> tell
> >>>>>>whether
> >>>>>>a
> >>>>>>> file has been closed for the final time? I.e., no more cache
> >>sections
> >>>>>>exist
> >>>>>>> for it and all references to it have been cleared out?
> >>>>>>>
> >>>>>>> Thanks.
> >>>>>>>
> >>>>>>> Neil
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> —
> >>>>>>> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> >>>>>>> To unsubscribe send a blank email to %%email.unsub%%
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>—
> >>>>>>You are currently subscribed to ntfsd as: xxxxx@KernelDrivers.com
> >>>>>>To unsubscribe send a blank email to
> %%email.unsub%%
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>
That’s what I always thought. but it looked to me as if IRP_MJ_CLOSE was being
called more than once
with the same FileObject->FsContext. Maybe that’s the wrong field to look at?
Neil
Subject: Re: How to tell if file closed for final time?
From: “Dan Partelly”
Date: Fri, 23 Aug 2002 16:52:31 +0300
X-Message-Number: 9
IRP_MJ_CLOSE is only sent for the “final time”. You can observe multiple
IRP_MJ_CLE|ANUP for a file object, but only one close.
Dan
----- Original Message -----
From: “Neil Weicher”
To: “File Systems Developers”
Sent: Friday, August 23, 2002 4:56 PM
Subject: [ntfsd] How to tell if file closed for final time?
> Is there a way in my filter driver’s IRP_MJ_CLOSE routine to tell whether
a
> file has been closed for the final time? I.e., no more cache sections
exist
> for it and all references to it have been cleared out?
>
> Thanks.
>
> Neil
>
No, No.
The ideea is to separate the concept of FILE_OBJECT of the concept of on
disk file stream.
There can be multiple FILE_OBJECTS representing the same on disk file
stream (as represented by FileObject->FsContext). Each such FILE_OBJECT
representing an on disk file stream will sooner or later receive only one
IRP_MJ_CLOSE. This is what I wanted to say in my previous mail. I was
talking about FILE_OBJECTs , while you obiviously where after a referenc
counting scheme against FsContexts. What you are need here is to know how
many references exist for the FCB which “represents” the on disk file
stream.
NT Insider has a cool article about different reference counting techniques
for file system filter drivery which key by FsContext. Also, thechniques for
reference counting where discussed here like 5-6 weeks ago, try to search
the archive, or get NT Insider. If you dont find the information you need,
reask your question and most likely someone will illustrate how to keep
reference counting.
Ciao, Dan
----- Original Message -----
From: “Neil Weicher”
To: “File Systems Developers”
Sent: Saturday, August 24, 2002 4:38 PM
Subject: [ntfsd] Re: How to tell if file closed for final time?
> That’s what I always thought. but it looked to me as if IRP_MJ_CLOSE was
being
> called more than once
> with the same FileObject->FsContext. Maybe that’s the wrong field to look
at?
>
> Neil
>
> -----------------------------------------------------------
>
> Subject: Re: How to tell if file closed for final time?
> From: “Dan Partelly”
> Date: Fri, 23 Aug 2002 16:52:31 +0300
> X-Message-Number: 9
>
> IRP_MJ_CLOSE is only sent for the “final time”. You can observe multiple
> IRP_MJ_CLE|ANUP for a file object, but only one close.
>
> Dan
>
>
> ----- Original Message -----
> From: “Neil Weicher”
> To: “File Systems Developers”
> Sent: Friday, August 23, 2002 4:56 PM
> Subject: [ntfsd] How to tell if file closed for final time?
>
>
> > Is there a way in my filter driver’s IRP_MJ_CLOSE routine to tell
whether
> a
> > file has been closed for the final time? I.e., no more cache sections
> exist
> > for it and all references to it have been cleared out?
> >
> > Thanks.
> >
> > Neil
> >
>
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>
Yes, it’s called more than once sometimes for the same FsContext, but not for
the same file object.
Depending on the purpose of your driver, you can either:
- increment the internal reference count of your tracking structure during
IRP_MJ_CREATE - and decrement it during IRP_MJ_CLOSE if FO_STREAM_FILE flag is not set
- Delete the tracking structure if reference count is zero and both
ImageSectionObject and DataSectionObject are NULL.
This will work if you make an encryption driver, or any driver that is
interested in I/O operations only.
For other purposes, you will need to track each file object in your tracking
structure (so a non constant size structure or linked list of file objects per
tracking structure), including those not seen via IRP_MJ_CREATE (for those who
match the FsContext member).
Regards, Dejan.
P.S. It would be nice if the authors of the article about Reference Counting
in NT Insider would allow for it to be posted online. (I already have a hardcopy,
but I see many are looking for that specific information now)
Neil Weicher wrote:
That’s what I always thought. but it looked to me as if IRP_MJ_CLOSE was being
called more than once with the same FileObject->FsContext. Maybe that’s the
wrong field to look at?
–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.
MJ_CLOSE will be sent just before deleting a file object.
No more cache and MM structures are referencing the file at that
moment.
Max
----- Original Message -----
From: “Neil Weicher”
To: “File Systems Developers”
Sent: Friday, August 23, 2002 5:56 PM
Subject: [ntfsd] How to tell if file closed for final time?
> Is there a way in my filter driver’s IRP_MJ_CLOSE routine to tell
whether a
> file has been closed for the final time? I.e., no more cache
sections exist
> for it and all references to it have been cleared out?
>
> Thanks.
>
> Neil
>
>
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to %%email.unsub%%
>