IRP_MJ_CREATE before file deleted

I’ve just encountered a problem. I’m [re]writing a driver for our antivirus
monitor and here’s what I found. When the system deletes a file it first sends
IRP_MJ_CREATE and then IRP_MJ_SET_INFORMATION/FileDispositionInformation.
The problem is that when IRP_MJ_CREATE is received, an event is triggered and
the file is checked. But we don’t want to check files which are deleted!

Is there a way to know that this file is opened for deletion?


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Postpone any checks till first operation except IRP_MJ_SET_INFORMATION/FileDispositionInformation.

Max

----- Original Message -----
From: “Alexey Logachyov”
To: “File Systems Developers”
Sent: Thursday, October 04, 2001 2:05 AM
Subject: [ntfsd] IRP_MJ_CREATE before file deleted

> I’ve just encountered a problem. I’m [re]writing a driver for our antivirus
> monitor and here’s what I found. When the system deletes a file it first sends
> IRP_MJ_CREATE and then IRP_MJ_SET_INFORMATION/FileDispositionInformation.
> The problem is that when IRP_MJ_CREATE is received, an event is triggered and
> the file is checked. But we don’t want to check files which are deleted!
>
> Is there a way to know that this file is opened for deletion?



If:

  • Disposition is SUPERSEDE
  • DesiredAccess has DELETE
  • FILE_FLAG_DELETE_ON_CLOSE is set

the file will be deleted.
Still, there’s no way to tell if it’s really going to happen, or if access
is just asked for :-)

Regards, Dejan.

Alexey Logachyov wrote:

> I’ve just encountered a problem. I’m [re]writing a driver for our antivirus
> monitor and here’s what I found. When the system deletes a file it first sends
> IRP_MJ_CREATE and then IRP_MJ_SET_INFORMATION/FileDispositionInformation.
> The problem is that when IRP_MJ_CREATE is received, an event is triggered and
> the file is checked. But we don’t want to check files which are deleted!
>
> Is there a way to know that this file is opened for deletion?




Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
E-mail: xxxxx@alfasp.com
ICQ#: 56570367
Alfa File Monitor - File monitoring system for Win32 developers.
Alfa File Protector - File protection and hiding system for Win32 developers.
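
The two replies above, combined as an added example (not code from the thread or from any poster's driver): a user-mode C model that records Dejan's three conditions as a hint only and, per Max's suggestion, defers the scan to the first operation other than a disposition change. The `op` enum, `open_ctx` and the function names are hypothetical, and treating any one of the three conditions as a hint is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the Windows headers; DELETE_ACCESS is this example's name for DELETE. */
#define DELETE_ACCESS        0x00010000u  /* access right */
#define FILE_DELETE_ON_CLOSE 0x00001000u  /* create option */
#define FILE_SUPERSEDE       0u           /* create disposition */
#define FILE_OPEN            1u           /* create disposition */

/* Hypothetical operation kinds seen on the file object after the create. */
enum op { OP_READ, OP_WRITE, OP_SET_DISPOSITION };

/* Hypothetical per-open context kept by the filter. */
struct open_ctx { bool scan_pending; bool delete_hint; };

/* Parameters.Create.Options carries the disposition in its high 8 bits
   and the create options in its low 24 bits. */
static bool delete_hint(uint32_t options, uint32_t desired_access) {
    uint32_t disposition = options >> 24;
    uint32_t create_opts = options & 0x00FFFFFFu;
    return disposition == FILE_SUPERSEDE
        || (desired_access & DELETE_ACCESS) != 0
        || (create_opts & FILE_DELETE_ON_CLOSE) != 0;
}

/* On create: remember the hint and mark the scan as owed, but do not scan. */
static void on_create(struct open_ctx *c, uint32_t options, uint32_t access) {
    c->scan_pending = true;
    c->delete_hint = delete_hint(options, access);
}

/* On a later operation: returns true when the owed scan must run now.
   A disposition change never triggers it; the hint alone never cancels it. */
static bool on_operation(struct open_ctx *c, enum op op) {
    if (op == OP_SET_DISPOSITION || !c->scan_pending)
        return false;
    c->scan_pending = false;
    return true;
}

int main(void) {
    struct open_ctx c;
    /* Constructed sample: FILE_OPEN with DELETE access, then two operations. */
    on_create(&c, FILE_OPEN << 24, DELETE_ACCESS);
    bool on_disp = on_operation(&c, OP_SET_DISPOSITION);
    bool on_read = on_operation(&c, OP_READ);
    printf("hint=%d scan_on_disposition=%d scan_on_read=%d\n", c.delete_hint, on_disp, on_read);
    return 0;
}
```

Because the hint cannot prove a delete will follow, the model keeps the scan owed until the handle is actually used for something else, so a handle opened with DELETE and then read is still checked.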

