IRP_MJ_CREATE not received!

Hello Everyone,

I have a file system filter driver where I am monitoring IRP_MJ_CREATE. After starting the filter driver, I receive all calls in my function for calls that are made by the local system.

But when I share a folder on the system where the driver is installed, and create a file into the shared folder from another machine, I don’t receive any calls in my callback function.

Is there any other IRP that I need to monitor for files created using shared folders from network?

Any tip will be useful.

Thank you!

Well, first you should only post in one forum at a time, and it should
have been NTFSD. Also be aware that hooking is a really bad idea, and
for what you want it is unnecessary, and in fact it is the reason you are
not seeing the requests, since the remote requests do not go through
NtCreateFile!

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@gmail.com” wrote in message
news:xxxxx@ntfsd:

> Hello Everyone,
>
> I have a file system filter driver where I am monitoring IRP_MJ_CREATE. After starting the filter driver, I receive all calls in my function for calls that are made by the local system.
>
> But when I share a folder on the system where the driver is installed, and create a file into the shared folder from another machine, I don’t receive any calls in my callback function.
>
> Is there any other IRP that I need to monitor for files created using shared folders from network?
>
> Any tip will be useful.
>
> Thank you!

Hello Don,

Yes, I understand hooking is bad, but the file system filter driver will not work on all OS and limitations of service packs. I have a filter driver which works well on OS supporting filter drivers.

So, if the call is not going to NtCreateFile which function is it?

Thank you for your time!

Design says it should come.

Are you sure that your filter is attached to the file system device on
which the share is exposed?
Do you get IRP_MJ_CREATE if you do createfile on that folder locally?

-Deepak

On Mon, Feb 21, 2011 at 7:26 PM, wrote:

> Hello Don,
>
> Yes, I understand hooking is bad, but the file system filter driver will not
> work on all OS and limitations of service packs. I have a filter driver
> which works well on OS supporting filter drivers.
>
> So, if the call is not going to NtCreateFile which function is it?
>
> Thank you for your time!
>
>
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

The call is nothing you can hook since it is creating an IRP and calling
into the system. Why do you think a file system filter driver will not
work on all systems? It is true that Minifilters require certain
service packs for 2000 and XP, but in most cases that is not an issue.
If you really need to do this for versions that the minifilter does not
support, a legacy file system filter can be made to work with all
systems.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@gmail.com” wrote in message
news:xxxxx@ntfsd:

> Hello Don,
>
> Yes, I understand hooking is bad, but the file system filter driver will not work on all OS and limitations of service packs. I have a filter driver which works well on OS supporting filter drivers.
>
> So, if the call is not going to NtCreateFile which function is it?
>
> Thank you for your time!

Hello Don,

Yes, I am currently using a mini-filter driver. As of now, it’s not possible for me to start developing a legacy driver from scratch. The product is already in the market and I don’t have the required time to change the design today.

All I can do is provide a quick fix for this particular issue in the kernel driver. Is there really nothing that can be done to achieve this in the hooked driver?

Can I not monitor the system creating an IRP for this call?

Thank you for your interest!

Hello Deepak,

In case of the mini-filter I found the issue!

if(Data->RequestorMode == KernelMode)

I was ignoring calls made by the kernel!

Thank you for your time!

Srv.sys uses IoCreateFile to open/create files from the network. This is
pre-Vista.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Monday, February 21, 2011 9:46 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] IRP_MJ_CREATE not received!

Hello Don,

Yes, I am currently using a mini-filter driver. As of now, it’s not possible
for me to start developing a legacy driver from scratch. The product is
already in the market and I don’t have the required time to change the
design today.

All I can do is provide a quick fix for this particular issue in the kernel
driver. Is there really nothing that can be done to achieve this in the
hooked driver?

Can I not monitor the system creating an IRP for this call?

Thank you for your interest!



Thank you Bill Wandel! You are a life saver!
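
Added example, not part of the thread and not any poster's code: a user-mode C model of the pre-create decision discussed above, showing why a blanket `RequestorMode == KernelMode` skip hides creates that srv.sys issues for remote clients. The struct, the sample events and the use of SL_FORCE_ACCESS_CHECK as the discriminator are assumptions of this example; the fix reported in the thread was simply to stop ignoring kernel-mode requests.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-ins so the logic compiles outside a driver build (not WDK headers). */
typedef enum { KernelMode = 0, UserMode = 1 } MODE; /* KPROCESSOR_MODE values */
#define SL_FORCE_ACCESS_CHECK 0x01                  /* same value as in wdm.h */

/* Hypothetical reduced view of what a minifilter pre-create callback reads. */
typedef struct {
    MODE RequestorMode;            /* Data->RequestorMode */
    unsigned char OperationFlags;  /* Data->Iopb->OperationFlags */
    const char *Note;
} CREATE_EVENT;

/* The check from the thread: every kernel-mode create is skipped. */
static int inspect_buggy(const CREATE_EVENT *e) {
    return e->RequestorMode == KernelMode ? 0 : 1;
}

/* Assumed refinement: skip a kernel-mode create only when the caller did not
 * ask for an access check, so requests made on behalf of a remote user are
 * still inspected. Dropping the mode test entirely is the simpler fix. */
static int inspect_fixed(const CREATE_EVENT *e) {
    if (e->RequestorMode == KernelMode &&
        !(e->OperationFlags & SL_FORCE_ACCESS_CHECK))
        return 0;
    return 1;
}

/* Constructed sample events, not captured data. */
static const CREATE_EVENT samples[] = {
    { UserMode,   0,                     "local application create" },
    { KernelMode, SL_FORCE_ACCESS_CHECK, "srv.sys create for remote client" },
    { KernelMode, 0,                     "kernel component's own open" },
};
#define SAMPLE_COUNT (sizeof samples / sizeof samples[0])

static size_t count_inspected(int (*policy)(const CREATE_EVENT *)) {
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        n += policy(&samples[i]) ? 1 : 0;
    return n;
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-34s buggy=%d fixed=%d\n", samples[i].Note,
               inspect_buggy(&samples[i]), inspect_fixed(&samples[i]));
    return 0;
}
```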