IRP_MJ_READ and Fast I/O

Gene_Allen · August 12, 2005, 2:43pm

I’m written a mini-filter to watch file reads on certain files reads by
using a pre-operation routine on IRP_MJ_READ. It works great with some
programs like notepad, but some programs like MSWord seem to use Fast I/O,
bypassing my IRP_MJ_READ routine.

I was considering trying to deny fast i/o to the doc file that I want to
watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
FileMon, that IRP never happens and according to the documentation that
makes sense since it looks like the FastIoCheckIfPossible only gets called
by FastIORead and FastIOWrite, which doesn’t help me much.

Any ideas on how I can catch the reads withouth have to write ALL the Fast
I/O Dispatch routines? Can I even register Fast I/O Dispatch routines with
a minifilter?

Thanks.

OSR_Community_User · August 12, 2005, 3:04pm

Just write a fast I/O read handler. You’ll see it get invoked. If it
returns FALSE, you’ll then see the IRP handler invoked.

If your concern is network I/O, you’ll need to catch the MDL read case.
Someday (when SRV uses compressed I/O) you’ll have to support that read
operation as well.

Two fast I/O functions to handle now, two more someday in the future.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 2:43 PM
To: ntfsd redirect
Subject: [ntfsd] IRP_MJ_READ and Fast I/O

I’m written a mini-filter to watch file reads on certain files reads by
using a pre-operation routine on IRP_MJ_READ. It works great with some
programs like notepad, but some programs like MSWord seem to use Fast
I/O,
bypassing my IRP_MJ_READ routine.

I was considering trying to deny fast i/o to the doc file that I want to

watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
FileMon, that IRP never happens and according to the documentation that
makes sense since it looks like the FastIoCheckIfPossible only gets
called
by FastIORead and FastIOWrite, which doesn’t help me much.

Any ideas on how I can catch the reads withouth have to write ALL the
Fast
I/O Dispatch routines? Can I even register Fast I/O Dispatch routines
with
a minifilter?

Thanks.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · August 12, 2005, 3:41pm

It’s not clear what you’re asking. For example, in the pre-read or
pre-write routines, you can get the filename of the file being read/written
with FltGetFileNameInformation(). You can deny Fast I/O with:

if( FLT_IS_FASTIO_OPERATION( Data ) )
return FLT_PREOP_DISALLOW_FASTIO;

In this case, the I/O will be performed as a normal (IRP-based) I/O.

Lots of other strange and wonderful things are possible, too. For instance,
the Vpb is only defined for local files. This lets you ignore open files on
remote systems within the pre-read or pre-write routines:

if( NULL == FltObjects->FileObject->Vpb )
return FLT_PREOP_SUCCESS_NO_CALLBACK;

You should consider doing most of your work during the IRP_MJ_CLEAN pre- or
post-op call, though. Create a context and check that context during
pre-read/write and deny Fast I/O at that time.

HTH,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 2:43 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] IRP_MJ_READ and Fast I/O

I’m written a mini-filter to watch file reads on certain files reads by
using a pre-operation routine on IRP_MJ_READ. It works great with some
programs like notepad, but some programs like MSWord seem to use Fast I/O,
bypassing my IRP_MJ_READ routine.

I was considering trying to deny fast i/o to the doc file that I want to
watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
FileMon, that IRP never happens and according to the documentation that
makes sense since it looks like the FastIoCheckIfPossible only gets called
by FastIORead and FastIOWrite, which doesn’t help me much.

Any ideas on how I can catch the reads withouth have to write ALL the Fast
I/O Dispatch routines? Can I even register Fast I/O Dispatch routines with
a minifilter?

Thanks.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Gene_Allen · August 12, 2005, 4:57pm

I guess I don’t understand. My Pre-IRP_MJ_READ routine isn’t being called
at all when a FastIO call happens. I tried the test in the IRP_MJ_CREATE,
but that didn’t seem to catch it either. What Pre-read IRP routine are you
suggesting I put the check into?

Here is what FileMon is reporting what is happening when WinWord opens a doc
file (I’ve removed all the non-pertinent data to make is readable).

Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe IRP_MJ_CREATE c:\todo.doc Options: Open Access: All
Winword.exe FASTIO_QUERY_STANDARD_INFO c:\todo.doc Length: 22528
Winword.exe FASTIO_QUERY_STANDARD_INFO c:\todo.doc Length: 22528
Winword.exe FASTIO_QUERY_STANDARD_INFO c:\todo.doc Length: 22528
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483538 Length: 1
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483559 Length: 20
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483559 Length: 20
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483579 Length: 20
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483579 Length: 20
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483599 Length: 20
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483599 Length: 20
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483539 Length: 1
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483559 Length: 1
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483579 Length: 1
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483599 Length: 1
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483579 Length: 1
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483538 Length: 1
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe IRP_MJ_CREATE c:\todo.doc Options: Open Access: All
Winword.exe IRP_MJ_QUERY_VOLUME_INFORMATION c:\todo.doc
FileFsVolumeInformation
Winword.exe IRP_MJ_QUERY_INFORMATION c:\todo.doc FileAllInformation
Winword.exe FSCTL_CREATE_OR_GET_OBJECT_ID c:\todo.doc
Winword.exe IRP_MJ_QUERY_VOLUME_INFORMATION c:\todo.doc
FileFsObjectIdInformation
Winword.exe IRP_MJ_CLEANUP c:\todo.doc
Winword.exe IRP_MJ_CLOSE c:\todo.doc
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N

“Ken Cross” wrote in message news:xxxxx@ntfsd…
> It’s not clear what you’re asking. For example, in the pre-read or
> pre-write routines, you can get the filename of the file being
> read/written
> with FltGetFileNameInformation(). You can deny Fast I/O with:
>
> if( FLT_IS_FASTIO_OPERATION( Data ) )
> return FLT_PREOP_DISALLOW_FASTIO;
>
> In this case, the I/O will be performed as a normal (IRP-based) I/O.
>
> Lots of other strange and wonderful things are possible, too. For
> instance,
> the Vpb is only defined for local files. This lets you ignore open files
> on
> remote systems within the pre-read or pre-write routines:
>
> if( NULL == FltObjects->FileObject->Vpb )
> return FLT_PREOP_SUCCESS_NO_CALLBACK;
>
> You should consider doing most of your work during the IRP_MJ_CLEAN pre-
> or
> post-op call, though. Create a context and check that context during
> pre-read/write and deny Fast I/O at that time.
>
> HTH,
> Ken
>
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
> Sent: Friday, August 12, 2005 2:43 PM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] IRP_MJ_READ and Fast I/O
>
> I’m written a mini-filter to watch file reads on certain files reads by
> using a pre-operation routine on IRP_MJ_READ. It works great with some
> programs like notepad, but some programs like MSWord seem to use Fast I/O,
> bypassing my IRP_MJ_READ routine.
>
>
>
> I was considering trying to deny fast i/o to the doc file that I want to
> watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
> FileMon, that IRP never happens and according to the documentation that
> makes sense since it looks like the FastIoCheckIfPossible only gets
> called
> by FastIORead and FastIOWrite, which doesn’t help me much.
>
>
>
> Any ideas on how I can catch the reads withouth have to write ALL the Fast
> I/O Dispatch routines? Can I even register Fast I/O Dispatch routines
> with
> a minifilter?
>
>
>
> Thanks.
>
>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@comcast.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

Gene_Allen · August 12, 2005, 5:08pm

Thanks Tony. You wouldn’t happen to know of a simple Fast I/O Routine that
I can start with. The ones in the IFS seem to have all sorts of dependences
that I would have to include.

“Tony Mason” wrote in message news:xxxxx@ntfsd…
Just write a fast I/O read handler. You’ll see it get invoked. If it
returns FALSE, you’ll then see the IRP handler invoked.

If your concern is network I/O, you’ll need to catch the MDL read case.
Someday (when SRV uses compressed I/O) you’ll have to support that read
operation as well.

Two fast I/O functions to handle now, two more someday in the future.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 2:43 PM
To: ntfsd redirect
Subject: [ntfsd] IRP_MJ_READ and Fast I/O

I’m written a mini-filter to watch file reads on certain files reads by
using a pre-operation routine on IRP_MJ_READ. It works great with some
programs like notepad, but some programs like MSWord seem to use Fast
I/O,
bypassing my IRP_MJ_READ routine.

I was considering trying to deny fast i/o to the doc file that I want to

watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
FileMon, that IRP never happens and according to the documentation that
makes sense since it looks like the FastIoCheckIfPossible only gets
called
by FastIORead and FastIOWrite, which doesn’t help me much.

Any ideas on how I can catch the reads withouth have to write ALL the
Fast
I/O Dispatch routines? Can I even register Fast I/O Dispatch routines
with
a minifilter?

Thanks.

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · August 12, 2005, 5:46pm

Winword 2003?

Why are you expecting to see reads? This uses memory mapped I/O - so if
this isn’t the first time you’ve set up to access the file (or if you
ignore paging I/O) then you won’t see it.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 4:57 PM
To: ntfsd redirect
Subject: Re:[ntfsd] IRP_MJ_READ and Fast I/O

I guess I don’t understand. My Pre-IRP_MJ_READ routine isn’t being
called
at all when a FastIO call happens. I tried the test in the
IRP_MJ_CREATE,
but that didn’t seem to catch it either. What Pre-read IRP routine are
you
suggesting I put the check into?

Here is what FileMon is reporting what is happening when WinWord opens a
doc
file (I’ve removed all the non-pertinent data to make is readable).

Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe IRP_MJ_CREATE c:\todo.doc Options: Open Access: All
Winword.exe FASTIO_QUERY_STANDARD_INFO c:\todo.doc Length: 22528
Winword.exe FASTIO_QUERY_STANDARD_INFO c:\todo.doc Length: 22528
Winword.exe FASTIO_QUERY_STANDARD_INFO c:\todo.doc Length: 22528
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483538 Length:
1
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483559 Length:
20
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483559 Length: 20
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483579 Length:
20
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483579 Length: 20
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483599 Length:
20
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483599 Length: 20
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483539 Length:
1
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483559 Length:
1
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483579 Length:
1
Winword.exe FASTIO_LOCK c:\todo.doc Excl: Yes Offset: 2147483599 Length:
1
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483579 Length: 1
Winword.exe FASTIO_UNLOCK c:\todo.doc Offset: 2147483538 Length: 1
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_BASIC_INFO c:\todo.doc Attributes: N
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N
Winword.exe IRP_MJ_CREATE c:\todo.doc Options: Open Access: All
Winword.exe IRP_MJ_QUERY_VOLUME_INFORMATION c:\todo.doc
FileFsVolumeInformation
Winword.exe IRP_MJ_QUERY_INFORMATION c:\todo.doc FileAllInformation
Winword.exe FSCTL_CREATE_OR_GET_OBJECT_ID c:\todo.doc
Winword.exe IRP_MJ_QUERY_VOLUME_INFORMATION c:\todo.doc
FileFsObjectIdInformation
Winword.exe IRP_MJ_CLEANUP c:\todo.doc
Winword.exe IRP_MJ_CLOSE c:\todo.doc
Winword.exe FASTIO_QUERY_OPEN c:\todo.doc Attributes: N

“Ken Cross” wrote in message news:xxxxx@ntfsd…
> It’s not clear what you’re asking. For example, in the pre-read or
> pre-write routines, you can get the filename of the file being
> read/written
> with FltGetFileNameInformation(). You can deny Fast I/O with:
>
> if( FLT_IS_FASTIO_OPERATION( Data ) )
> return FLT_PREOP_DISALLOW_FASTIO;
>
> In this case, the I/O will be performed as a normal (IRP-based) I/O.
>
> Lots of other strange and wonderful things are possible, too. For
> instance,
> the Vpb is only defined for local files. This lets you ignore open
files
> on
> remote systems within the pre-read or pre-write routines:
>
> if( NULL == FltObjects->FileObject->Vpb )
> return FLT_PREOP_SUCCESS_NO_CALLBACK;
>
> You should consider doing most of your work during the IRP_MJ_CLEAN
pre-
> or
> post-op call, though. Create a context and check that context during
> pre-read/write and deny Fast I/O at that time.
>
> HTH,
> Ken
>
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
> Sent: Friday, August 12, 2005 2:43 PM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] IRP_MJ_READ and Fast I/O
>
> I’m written a mini-filter to watch file reads on certain files reads
by
> using a pre-operation routine on IRP_MJ_READ. It works great with
some
> programs like notepad, but some programs like MSWord seem to use Fast
I/O,
> bypassing my IRP_MJ_READ routine.
>
>
>
> I was considering trying to deny fast i/o to the doc file that I want
to
> watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
> FileMon, that IRP never happens and according to the documentation
that
> makes sense since it looks like the FastIoCheckIfPossible only gets
> called
> by FastIORead and FastIOWrite, which doesn’t help me much.
>
>
>
> Any ideas on how I can catch the reads withouth have to write ALL the
Fast
> I/O Dispatch routines? Can I even register Fast I/O Dispatch routines

> with
> a minifilter?
>
>
>
> Thanks.
>
>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@comcast.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · August 12, 2005, 6:09pm

If you are doing a mini-filter, the samples in the IFS Kit are as simple
as you’re going to get (ok, you could go from five lines to three
lines…)

If you are doing a standard filter, the samples in sfilter.c are (again)
as simple as you are going to get. You could sit there in an editor and
write your own versions with those as a guideline and it shouldn’t take
more than 5-10 lines of code per function.

I’m sure this will sound mean, but if these seem to be daunting tasks
for you, I’d suggest that a file system filter driver is not a good
exercise for you - they are tricky and regularly torture those of us who
work in this field professionally.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 5:08 PM
To: ntfsd redirect
Subject: Re:[ntfsd] IRP_MJ_READ and Fast I/O

Thanks Tony. You wouldn’t happen to know of a simple Fast I/O Routine
that
I can start with. The ones in the IFS seem to have all sorts of
dependences
that I would have to include.

“Tony Mason” wrote in message news:xxxxx@ntfsd…
Just write a fast I/O read handler. You’ll see it get invoked. If it
returns FALSE, you’ll then see the IRP handler invoked.

If your concern is network I/O, you’ll need to catch the MDL read case.
Someday (when SRV uses compressed I/O) you’ll have to support that read
operation as well.

Two fast I/O functions to handle now, two more someday in the future.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 2:43 PM
To: ntfsd redirect
Subject: [ntfsd] IRP_MJ_READ and Fast I/O

I’m written a mini-filter to watch file reads on certain files reads by
using a pre-operation routine on IRP_MJ_READ. It works great with some
programs like notepad, but some programs like MSWord seem to use Fast
I/O,
bypassing my IRP_MJ_READ routine.

I was considering trying to deny fast i/o to the doc file that I want to

watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
FileMon, that IRP never happens and according to the documentation that
makes sense since it looks like the FastIoCheckIfPossible only gets
called
by FastIORead and FastIOWrite, which doesn’t help me much.

Any ideas on how I can catch the reads withouth have to write ALL the
Fast
I/O Dispatch routines? Can I even register Fast I/O Dispatch routines
with
a minifilter?

Thanks.

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Gene_Allen · August 12, 2005, 9:14pm

Thank Tony for the help…Id looked again and you’re exactly right…the
CDO minifilter. Don’t know how I missed it before.

I’m not afraid of the constant hard reboots that I’ve seen so far, and I’ve
gotten most of what my goals are, but I can’t seem to find any source of
information on how to do what I’m trying to do, save this news group,
OSROnline and maybe a presentation or 2 from MS.

Sorry for stupid questions. I’m just getting started on all this driver
stuff.

Anyway, thanks again.

Gene

“Tony Mason” wrote in message news:xxxxx@ntfsd…
If you are doing a mini-filter, the samples in the IFS Kit are as simple
as you’re going to get (ok, you could go from five lines to three
lines…)

If you are doing a standard filter, the samples in sfilter.c are (again)
as simple as you are going to get. You could sit there in an editor and
write your own versions with those as a guideline and it shouldn’t take
more than 5-10 lines of code per function.

I’m sure this will sound mean, but if these seem to be daunting tasks
for you, I’d suggest that a file system filter driver is not a good
exercise for you - they are tricky and regularly torture those of us who
work in this field professionally.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 5:08 PM
To: ntfsd redirect
Subject: Re:[ntfsd] IRP_MJ_READ and Fast I/O

Thanks Tony. You wouldn’t happen to know of a simple Fast I/O Routine
that
I can start with. The ones in the IFS seem to have all sorts of
dependences
that I would have to include.

“Tony Mason” wrote in message news:xxxxx@ntfsd…
Just write a fast I/O read handler. You’ll see it get invoked. If it
returns FALSE, you’ll then see the IRP handler invoked.

If your concern is network I/O, you’ll need to catch the MDL read case.
Someday (when SRV uses compressed I/O) you’ll have to support that read
operation as well.

Two fast I/O functions to handle now, two more someday in the future.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 2:43 PM
To: ntfsd redirect
Subject: [ntfsd] IRP_MJ_READ and Fast I/O

I’m written a mini-filter to watch file reads on certain files reads by
using a pre-operation routine on IRP_MJ_READ. It works great with some
programs like notepad, but some programs like MSWord seem to use Fast
I/O,
bypassing my IRP_MJ_READ routine.

I was considering trying to deny fast i/o to the doc file that I want to

watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
FileMon, that IRP never happens and according to the documentation that
makes sense since it looks like the FastIoCheckIfPossible only gets
called
by FastIORead and FastIOWrite, which doesn’t help me much.

Any ideas on how I can catch the reads withouth have to write ALL the
Fast
I/O Dispatch routines? Can I even register Fast I/O Dispatch routines
with
a minifilter?

Thanks.

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · August 12, 2005, 9:33pm

Gene,

Well, starting to learn drivers with file system filters is a bit like
learning the building trade by building a high-rise office building.
You can do it, but the process is not going to be a pleasant one…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 9:14 PM
To: ntfsd redirect
Subject: Re:[ntfsd] IRP_MJ_READ and Fast I/O

Thank Tony for the help…Id looked again and you’re exactly
right…the
CDO minifilter. Don’t know how I missed it before.

I’m not afraid of the constant hard reboots that I’ve seen so far, and
I’ve
gotten most of what my goals are, but I can’t seem to find any source of

information on how to do what I’m trying to do, save this news group,
OSROnline and maybe a presentation or 2 from MS.

Sorry for stupid questions. I’m just getting started on all this driver
stuff.

Anyway, thanks again.

Gene

“Tony Mason” wrote in message news:xxxxx@ntfsd…
If you are doing a mini-filter, the samples in the IFS Kit are as simple
as you’re going to get (ok, you could go from five lines to three
lines…)

If you are doing a standard filter, the samples in sfilter.c are (again)
as simple as you are going to get. You could sit there in an editor and
write your own versions with those as a guideline and it shouldn’t take
more than 5-10 lines of code per function.

I’m sure this will sound mean, but if these seem to be daunting tasks
for you, I’d suggest that a file system filter driver is not a good
exercise for you - they are tricky and regularly torture those of us who
work in this field professionally.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 5:08 PM
To: ntfsd redirect
Subject: Re:[ntfsd] IRP_MJ_READ and Fast I/O

Thanks Tony. You wouldn’t happen to know of a simple Fast I/O Routine
that
I can start with. The ones in the IFS seem to have all sorts of
dependences
that I would have to include.

“Tony Mason” wrote in message news:xxxxx@ntfsd…
Just write a fast I/O read handler. You’ll see it get invoked. If it
returns FALSE, you’ll then see the IRP handler invoked.

If your concern is network I/O, you’ll need to catch the MDL read case.
Someday (when SRV uses compressed I/O) you’ll have to support that read
operation as well.

Two fast I/O functions to handle now, two more someday in the future.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Friday, August 12, 2005 2:43 PM
To: ntfsd redirect
Subject: [ntfsd] IRP_MJ_READ and Fast I/O

I’m written a mini-filter to watch file reads on certain files reads by
using a pre-operation routine on IRP_MJ_READ. It works great with some
programs like notepad, but some programs like MSWord seem to use Fast
I/O,
bypassing my IRP_MJ_READ routine.

I was considering trying to deny fast i/o to the doc file that I want to

watch by using an IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, but according to
FileMon, that IRP never happens and according to the documentation that
makes sense since it looks like the FastIoCheckIfPossible only gets
called
by FastIORead and FastIOWrite, which doesn’t help me much.

Any ideas on how I can catch the reads withouth have to write ALL the
Fast
I/O Dispatch routines? Can I even register Fast I/O Dispatch routines
with
a minifilter?

Thanks.

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com