how to track a file with FILE_DELETE_ON_CLOSE flag

Hi all,

I want to track delete file events in my mini filter driver. If any file
was created with the flag FILE_DELETE_ON_CLOSE before my driver was started (so I
couldn't get the create options), is there any way to find the delete event for
that file? I could get the cleanup IRP. Can I identify it in precleanup or
postcleanup, or by getting the file object?

I could see the FO_DELETE_ON_CLOSE flag in the file object flags. Can I use this to
identify if FILE_DELETE_ON_CLOSE is set, or are there any other ways?

Regards

I am very new to device drivers so take what I say with a grain of salt. You could monitor for IRP_MJ_CLEANUP and/or IRP_MJ_CLOSE and then call FltQueryInformationFile() with FileStandardInformation. The returned FILE_STANDARD_INFORMATION struct has a DeletePending member which should be what you're looking for.

This method should work, I just can’t guarantee it’s the best method.

Well, this has been discussed a couple of times already.
This is a good thread : http://www.osronline.com/showThread.cfm?link=142365

Thanks,
Alex.

GOSH that’s a good thread… Thanks for taking the time to find and post that reference, Alex.

Peter
OSR

Yeah, thanks for everyone that contributed to it! The only thing I’d like to
add is that there is a delete minifilter sample in the works from the MS
folks, but I don’t know when it will be available.

Thanks,
Alex.

Ooh, a sample of how to watch for deletion. I look forward to seeing it (and beating it up!)

Tony
OSR

Hi all,

I tried DeletePending but in my case it is false. I used
FltQueryInformationFile on the file object. In the cleanup IRP DeletePending is
false.

I checked the link mentioned. There seems to be no direct way of finding the delete
operation. I am trying to use CCB_FLAG_DELETE_ON_CLOSE. For the CCB and FCB
structures I need ntfsstru.h. Can I know where this file is available?

Regards,
On Wed, Nov 10, 2010 at 11:19 AM, Tony Mason wrote:

> Ooh, a sample of how to watch for deletion. I look forward to seeing it
> (and beating it up!)
>
> Tony
> OSR
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

The CCB is a private structure of the file system and you can’t look inside.

The only way to detect a create with FILE_DELETE_ON_CLOSE is to see the
create. Once the flag is set in the CCB there is no way to get to it until
it moves to the FCB (during CLEANUP for that FILE_OBJECT). See Scott's post
on this thread: http://www.osronline.com/showthread.cfm?link=154074.

Thanks,

Alex.

Hi Alex,

So you can know from the cleanup IRP based on FCB_STATE_DELETE_ON_CLOSE. I am
trying to check this flag but the FCB struct needs ntfsstru.h. Where can I get
this header file?

Regards

On Wed, Nov 10, 2010 at 11:08 PM, Alex Carp wrote:

> The CCB is a private structure of the file system and you can't look
> inside.
>
>
>
> The only way to detect a create with FILE_DELETE_ON_CLOSE is to see
> the create. Once the flag is set in the CCB there is no way to get to it
> until it moves to the FCB (during CLEANUP for that FILE_OBJECT). See Scott's
> post on this thread: http://www.osronline.com/showthread.cfm?link=154074.
>
>
>
> Thanks,
>
> Alex.
>
>

You cannot (and should not) access the FCB directly. This is a private
structure to the file system. What is documented are the
FSRTL_ADVANCED_FCB_HEADER and the FSRTL_COMMON_FCB_HEADER structures.
However, if you want to read the DeletePending state in the FCB then you
don’t need to read the structure directly since that state is returned by
FltQueryInformationFile in FILE_STANDARD_INFORMATION (as Brian pointed out
earlier on this thread).

Please note that in preCleanup the FILE_DELETE_ON_CLOSE has not yet moved to
the FCB.

Ntfsstru.h is a private header file for NTFS and is not publicly available.

Thanks,

Alex.

Thanks Alex.

I tried DeletePending in precleanup() but it is not set. Will DeletePending
be set in postcleanup()?

Regards,

On Thu, Nov 11, 2010 at 9:10 PM, Alex Carp wrote:

> You cannot (and should not) access the FCB directly. This is a private
> structure to the file system. What is documented are the
> FSRTL_ADVANCED_FCB_HEADER and the FSRTL_COMMON_FCB_HEADER structures.
> However, if you want to read the DeletePending state in the FCB then you
> don't need to read the structure directly since that state is returned by
> FltQueryInformationFile in FILE_STANDARD_INFORMATION (as Brian pointed out
> earlier on this thread).
>
>
>
> Please note that in preCleanup the FILE_DELETE_ON_CLOSE has not yet moved
> to the FCB.
>
>
>
> Ntfsstru.h is a private header file for NTFS and is not publicly available.
>
>
>
>
> Thanks,
>
> Alex.
>
>

>>I tried DeletePending in precleanup() but it is not set. Will DeletePending be set in postcleanup()?

You already wrote code in pre-cleanup, correct? Now why not just copy that to the post callback and see the result yourself?

Additionally, as you must have read in the links given, the FS sets this flag in the FCB from the CCB in cleanup. When you receive pre-cleanup, it means the FS has not processed this IRP yet; it will after all the pre-cleanup calls. Which means, as Alex already said, this will not be available in pre-cleanup.

Why don't you load the driver at the start itself and save yourself all these hassles?
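The ordering the thread settles on (the flag lives in the private CCB from create until the file system processes IRP_MJ_CLEANUP, then moves to the per-file state that FltQueryInformationFile reports as DeletePending) is easy to get wrong, so here is an added user-mode model of it. It is not code from the thread or from any driver; the structure and function names (model_ccb, model_fcb, query_delete_pending, run_open_and_cleanup) are invented for the model, and only FILE_DELETE_ON_CLOSE is a real NTDDK value. It plays the filter's pre-create, pre-cleanup and post-cleanup observations through one open/cleanup sequence, both for a filter that was loaded before the create and for the late-loaded filter described in the original question.

```c
/* Added example: a portable model of where FILE_DELETE_ON_CLOSE is visible
 * to a minifilter over the life of one open. Not driver code; in a real
 * filter the create option is read from Data->Iopb->Parameters.Create.Options
 * in pre-create, and DeletePending comes from
 * FltQueryInformationFile(Instance, FileObject, &info, sizeof(info),
 *                         FileStandardInformation, NULL)
 * with info of type FILE_STANDARD_INFORMATION. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real NTDDK create option; it sits in the low 24 bits of CreateOptions. */
#define FILE_DELETE_ON_CLOSE 0x00001000

/* Model of the file system's private per-file state (NTFS keeps this in its FCB). */
typedef struct model_fcb {
    bool delete_pending;   /* what a filter sees as FILE_STANDARD_INFORMATION.DeletePending */
} model_fcb;

/* Model of the private per-open state (the CCB). A filter cannot read this. */
typedef struct model_ccb {
    model_fcb *fcb;
    bool delete_on_close;
} model_ccb;

/* What the filter recorded about one open, filled in by the callbacks below. */
typedef struct cleanup_observation {
    bool seen_at_create;        /* pre-create saw the create option */
    bool pre_cleanup_pending;   /* DeletePending as queried in pre-cleanup */
    bool post_cleanup_pending;  /* DeletePending as queried in post-cleanup */
} cleanup_observation;

/* Stand-in for FltQueryInformationFile(FileStandardInformation).DeletePending. */
static bool query_delete_pending(const model_ccb *ccb) {
    return ccb->fcb->delete_pending;
}

/* Filter pre-create callback: the only point where the create option itself is visible. */
static bool filter_pre_create(uint32_t create_options) {
    return (create_options & FILE_DELETE_ON_CLOSE) != 0;
}

/* File system create: the option is recorded in the private CCB only. */
static void fs_create(model_ccb *ccb, model_fcb *fcb, uint32_t create_options) {
    ccb->fcb = fcb;
    ccb->delete_on_close = (create_options & FILE_DELETE_ON_CLOSE) != 0;
}

/* File system cleanup: this is the step that moves the CCB flag into the FCB. */
static void fs_cleanup(model_ccb *ccb) {
    if (ccb->delete_on_close)
        ccb->fcb->delete_pending = true;
}

/* Runs one open through the stack in filter-manager order:
 * pre-create -> fs create -> pre-cleanup -> fs cleanup -> post-cleanup.
 * filter_loaded_before_create models whether the filter saw the create at all. */
static cleanup_observation run_open_and_cleanup(uint32_t create_options,
                                                bool filter_loaded_before_create) {
    model_fcb fcb = { .delete_pending = false };
    model_ccb ccb = { .fcb = NULL, .delete_on_close = false };
    cleanup_observation obs = { false, false, false };

    if (filter_loaded_before_create)
        obs.seen_at_create = filter_pre_create(create_options);
    fs_create(&ccb, &fcb, create_options);

    /* Pre-cleanup: the file system has not processed the IRP, flag still in CCB. */
    obs.pre_cleanup_pending = query_delete_pending(&ccb);
    fs_cleanup(&ccb);
    /* Post-cleanup: the flag has moved to the FCB and DeletePending is now true. */
    obs.post_cleanup_pending = query_delete_pending(&ccb);
    return obs;
}

int main(void) {
    /* The thread's scenario: the file was opened before the filter was loaded. */
    cleanup_observation late = run_open_and_cleanup(FILE_DELETE_ON_CLOSE, false);
    printf("late-loaded filter:  create=%d pre-cleanup=%d post-cleanup=%d\n",
           late.seen_at_create, late.pre_cleanup_pending, late.post_cleanup_pending);
    /* Filter loaded at boot, as the last reply recommends. */
    cleanup_observation early = run_open_and_cleanup(FILE_DELETE_ON_CLOSE, true);
    printf("boot-loaded filter:  create=%d pre-cleanup=%d post-cleanup=%d\n",
           early.seen_at_create, early.pre_cleanup_pending, early.post_cleanup_pending);
    return 0;
}
```

The model reproduces both observations made in the thread: a late-loaded filter never sees the create option and reads DeletePending as false in pre-cleanup, but reads it as true in post-cleanup; a filter loaded before the open additionally catches the flag in pre-create, which is the only place the create option itself can be checked.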