Intercept delete operation + Legacy File Filter Driver

Hi Guys

I want to intercept the name of a file that is being deleted, via a legacy file filter driver.

any idea?

Not possible. It would be better if you defined your ultimate goal. What is the problem you are trying to solve this way?

The goal is simple. I want to log open/create/delete/read/write operations for files and directories.

You will have to create your own context.

The file name is only sent at the time of a create/open operation; no other
IRP will have it. So you will need to store away the name and the
corresponding important info in your data structure.

Then when a delete comes on the FO (set_info IRP), you will have to meander
through your context data structure, match the FO, and get the name.

Of course there will be other gotchas, which you will have to cater to as well.

have fun

amitr0

On Tue, Sep 14, 2010 at 5:16 PM, wrote:

> The goal is simple. I want to log open/create/delete/read/write operations for
> files and directories.

- amitr0

>> I want to log open/create/delete/read/write operations for files and directories.

Well, it is really hard to figure that out from your first post.

Either attach a DS to the FO as stated, or do bookkeeping for FO -> Name at the time of create and use it in other operations. Legacy filters do not come with context support.

Tracking delete is more difficult than you expect it to be. We’ve discussed
it here many times, search the archives for more info. Here’s a starting
point:

http://www.osronline.com/showThread.cfm?link=97311

Also, you should really, really think about doing this as a minifilter. Why
are you doing this in a legacy filter?

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


I know that a minifilter is the best way to do this, but we have a legacy driver and minifilters do not work on all OSes.

On Tue, Sep 14, 2010 at 6:02 PM, wrote:
> I know that a minifilter is the best way to do this, but we have a legacy driver and minifilters do not work on all OSes.

Yes it does. File system minifilters work on all OSes starting from
Windows 2000. Are you targeting NT 4?


Aram Hăvărneanu

Make that “Windows 2000 SP4 with Update Rollup 1” – I *think* that’s correct. Minifilters are not supported on early releases of Win2K… I just wanted to be sure the OP was aware of this so he didn’t get “stuck” if he needs to support some ancient Win2K version.

Peter
OSR

On 9/16/2010 8:09 AM, xxxxx@osr.com wrote:

> Make that “Windows 2000 SP4 with Update Rollup 1” – I *think* that’s correct. Minifilters are not supported on early releases of Win2K… I just wanted to be sure the OP was aware of this so he didn’t get “stuck” if he needs to support some ancient Win2K version.

Just for completeness, the mini-filter model is supported on the
following platforms and above, for each OS:

  • Windows 2000 sp4 + URP 1
  • Windows XP sp2
  • Windows 2k3 sp1
  • Windows Vista and beyond …

Pete

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

You should really consider a minifilter. You can implement stream contexts in a legacy filter, but it is more work than in a minifilter.

If you need the file name only for logging purposes, please note that in general it doesn’t matter exactly what the name of the file was at the time it went away, because that time is in fact arbitrary for the user. It simply matters what the name was at some point in the past (preferably not too far back). For more details on why, I wrote a blog post a while back which you can find here: http://fsfilters.blogspot.com/2010/02/names-and-file-systems-filters.html.

Do you have any restriction on the file system, or will any file system do? The reason I’m asking is that the methods to detect if a stream has actually been deleted might be different from FS to FS…

There was a talk about this at the plugfest in Feb 2010… There should be a sample in the WDK at some point as well…

Thanks, Alex

I just want to log I/O operations, nothing else.

Then as I said, for logging I wouldn’t try too hard to figure out what the
name of the file was precisely at the time it went away, because it probably
doesn’t matter.

Some things you need to worry about (off the top of my head) are
transactions (a file might be deleted in a transaction and then the
transaction might be rolled back) and superseding renames (where the file
might go away without it being opened in the first place). The approach
outlined during plugfest was to identify operations that return different
error codes in postCleanup depending on whether the file was deleted or not
and then in any cleanup that looked like it might delete the file, try that
operation and see how it failed. This is FS and potentially OS version
dependent. Also, this doesn’t work for when the file is deleted without
being opened (that’s why I mentioned superseding renames).

Good luck!

Thanks,
Alex.
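As an added illustration of the bookkeeping amitr0 describes above (capture the name at create, look it up when the delete arrives on the file object) and of the cleanup-time caveats in Alex's last reply, here is a user-mode C model of that FO -> name table. It is not code from the thread or from any of the posters: the function names (on_create, on_rename, on_set_disposition, on_cleanup, on_close) and the opaque pointer values standing in for PFILE_OBJECT are assumptions, and no real IRPs or kernel APIs are involved. It records both a FileDispositionInformation delete request and FILE_DELETE_ON_CLOSE given at create, keeps the name current across renames, and treats a disposition flag that was set and then cleared as not a delete. It does not address the transaction-rollback or superseding-rename cases Alex raises, which need the file-system-specific probing he describes.

```c
/* Added example, not from the thread: user-mode model of the per-file-object
 * bookkeeping a legacy filter must do itself, because the name is only on the
 * wire at IRP_MJ_CREATE. Function names and the fake "file object" keys are
 * assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 260

/* One record per file object, built in the create path. In a driver this
 * would come from a lookaside list and be keyed by the PFILE_OBJECT. */
typedef struct fo_rec {
    void *fo;                 /* stand-in for PFILE_OBJECT */
    char name[MAX_NAME];      /* name captured at create, updated on rename */
    int delete_on_close;      /* FILE_DELETE_ON_CLOSE was given at create */
    int delete_pending;       /* last FileDispositionInformation.DeleteFile */
    struct fo_rec *next;
} fo_rec;

/* Global table; a driver must guard it with a lock, IRPs arrive concurrently. */
static fo_rec *g_table;

static fo_rec *fo_lookup(void *fo)
{
    fo_rec *r;
    for (r = g_table; r; r = r->next)
        if (r->fo == fo) return r;
    return NULL;
}

/* Create completion: the only point where the name is available. */
int on_create(void *fo, const char *name, int delete_on_close)
{
    fo_rec *r;
    if (fo_lookup(fo)) return -1;           /* FO already tracked */
    r = calloc(1, sizeof *r);               /* zeroed: name is NUL-terminated */
    if (!r) return -1;
    r->fo = fo;
    strncpy(r->name, name, MAX_NAME - 1);
    r->delete_on_close = delete_on_close;
    r->next = g_table;
    g_table = r;
    return 0;
}

/* IRP_MJ_SET_INFORMATION / FileRenameInformation: keep the stored name current. */
int on_rename(void *fo, const char *new_name)
{
    fo_rec *r = fo_lookup(fo);
    if (!r) return -1;
    strncpy(r->name, new_name, MAX_NAME - 1);
    r->name[MAX_NAME - 1] = '\0';
    return 0;
}

/* IRP_MJ_SET_INFORMATION / FileDispositionInformation: the "delete" IRP.
 * Copies the remembered name to out_name for logging. The flag can be cleared
 * again before cleanup, so this is only a request, not the removal itself. */
int on_set_disposition(void *fo, int delete_file, char *out_name, size_t len)
{
    fo_rec *r = fo_lookup(fo);
    if (!r) return -1;
    r->delete_pending = delete_file ? 1 : 0;
    snprintf(out_name, len, "%s", r->name);
    return 0;
}

/* IRP_MJ_CLEANUP: the handle goes away; the FS removes the file here if a
 * delete is pending or delete-on-close was requested. Returns 1 if this
 * cleanup looks like a delete, 0 if not, -1 for an untracked FO. Whether the
 * FS really removed it is FS-specific and not modelled here. */
int on_cleanup(void *fo, char *out_name, size_t len)
{
    fo_rec *r = fo_lookup(fo);
    if (!r) return -1;
    snprintf(out_name, len, "%s", r->name);
    return (r->delete_pending || r->delete_on_close) ? 1 : 0;
}

/* IRP_MJ_CLOSE: last reference dropped; release the record. */
void on_close(void *fo)
{
    fo_rec **pp;
    for (pp = &g_table; *pp; pp = &(*pp)->next) {
        if ((*pp)->fo == fo) {
            fo_rec *dead = *pp;
            *pp = dead->next;
            free(dead);
            return;
        }
    }
}

int main(void)
{
    char name[MAX_NAME];
    void *fo = (void *)0x1000;              /* fake PFILE_OBJECT */

    on_create(fo, "\\Device\\HarddiskVolume1\\tmp\\a.txt", 0);
    on_set_disposition(fo, 1, name, sizeof name);
    printf("delete requested on %s\n", name);
    on_rename(fo, "\\Device\\HarddiskVolume1\\tmp\\b.txt");
    if (on_cleanup(fo, name, sizeof name) == 1)
        printf("delete: %s\n", name);       /* name as of the last rename */
    on_close(fo);
    return 0;
}
```

In a driver the table would hang off the device extension, be protected by a lock, and be trimmed in the IRP_MJ_CLOSE path exactly as on_close does here; the name logged at cleanup is whatever the last create or rename left in the record, which is the "name at some point in the past" Alex says is enough for logging.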