Hi,
In my FS minifilter driver, I want to get filename with FltGetFileNameInformation.
I have tracked PRE_READ, PRE_WRITE, but to my surprise is below:
When I call FltGetFileNameInformation in PRE_WRITE, it return SUCCESS, and I can get filename Information ONLY when IrpFlags is equal to 0xa00.
Also, I call FltGetFileNameInformation in PRE_READ, but when I am reading a file with notepad, it return ERROR, I can NOT get filename information whatever IrpFlags is. To my surprise, when I am reading a file with wordpad “.doc”, it return SUCCESS ONLY when IrpFlags is equal to 0x900 and 0 ( 0 means FAST_IO, not IRP operation );
Why it returns ERROR when IrpFlags is equal to 0x43 (that is ,IRP_NOCACHE is ON) both in PRE_WRITE and PRE_READ. But I want to encrypt/decrypt data ONLY when IrpFlags is equal to 0x43 (that is ,IRP_NOCACHE is ON).
As we know, in PRE_READ and PRE_WRITE, FileObject->FileName is NOT valid, it is valid in PRE_CREATE, but I think the filename get by calling FltGetFileNameInformation is valid. But when I am reading a file with notepad, I can NOT get filename information by calling FltGetFileNameInformation. Hope your help…
Best wishes!
RTFM (Read The Filesystem Manual :D)
Don’t call it from read/write, get the name during create/rename and keep it in your context.
xxxxx@yahoo.com.cn wrote:
Hi,
In my FS minifilter driver, I want to get filename with FltGetFileNameInformation.
I have tracked PRE_READ, PRE_WRITE, but to my surprise is below:
When I call FltGetFileNameInformation in PRE_WRITE, it return SUCCESS, and I can get filename Information ONLY when IrpFlags is equal to 0xa00.
Also, I call FltGetFileNameInformation in PRE_READ, but when I am reading a file with notepad, it return ERROR, I can NOT get filename information whatever IrpFlags is. To my surprise, when I am reading a file with wordpad “.doc”, it return SUCCESS ONLY when IrpFlags is equal to 0x900 and 0 ( 0 means FAST_IO, not IRP operation );
Why it returns ERROR when IrpFlags is equal to 0x43 (that is ,IRP_NOCACHE is ON) both in PRE_WRITE and PRE_READ. But I want to encrypt/decrypt data ONLY when IrpFlags is equal to 0x43 (that is ,IRP_NOCACHE is ON).
As we know, in PRE_READ and PRE_WRITE, FileObject->FileName is NOT valid, it is valid in PRE_CREATE, but I think the filename get by calling FltGetFileNameInformation is valid. But when I am reading a file with notepad, I can NOT get filename information by calling FltGetFileNameInformation. Hope your help…
Best wishes!
Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
–
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.
What to be specific does FltGetFileNameInformation return? What does the WDK
docs for the function say about this return value?
wrote in message news:xxxxx@ntfsd…
> Hi,
> In my FS minifilter driver, I want to get filename with
> FltGetFileNameInformation.
>
> I have tracked PRE_READ, PRE_WRITE, but to my surprise is below:
>
> When I call FltGetFileNameInformation in PRE_WRITE, it return SUCCESS,
> and I can get filename Information ONLY when IrpFlags is equal to 0xa00.
>
> Also, I call FltGetFileNameInformation in PRE_READ, but when I am
> reading a file with notepad, it return ERROR, I can NOT get filename
> information whatever IrpFlags is. To my surprise, when I am reading a file
> with wordpad “.doc”, it return SUCCESS ONLY when IrpFlags is equal to
> 0x900 and 0 ( 0 means FAST_IO, not IRP operation );
>
> Why it returns ERROR when IrpFlags is equal to 0x43 (that is ,IRP_NOCACHE
> is ON) both in PRE_WRITE and PRE_READ. But I want to encrypt/decrypt data
> ONLY when IrpFlags is equal to 0x43 (that is ,IRP_NOCACHE is ON).
>
> As we know, in PRE_READ and PRE_WRITE, FileObject->FileName is NOT valid,
> it is valid in PRE_CREATE, but I think the filename get by calling
> FltGetFileNameInformation is valid. But when I am reading a file with
> notepad, I can NOT get filename information by calling
> FltGetFileNameInformation. Hope your help…
>
> Best wishes!
>
>
>