Hi !
I’m making a FSD filter…
And I have a question…
How can I check if a IRP_MJ_WRITE is writing or deleting ?
I need block delete files in Windows NT/2K/XP and NOT block the write…
Thank you
Files are deleted on NT using IRP_MJ_SET_INFORMATION with a
FileInformationClass of FILE_DISPOSITION_INFORMATION, and not
IRP_MJ_WRITE. You can filter based on this parameter.
An IRP_MJ_WRITE always writes, it has nothing to do with file deletion.
To prevent deletion, you need to filter out the FILE_DELETE_ON_CLOSE
flag on IRP_MJ_CREATE, and also prevent IRP_MJ_SET_INFORMATION requests
where FileDispositionInformation is being set with the DeleteFile
parameter as TRUE.
- Nicholas Ryan
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marcos Velasco
Sent: Friday, March 07, 2003 10:49 AM
To: File Systems Developers
Subject: [ntfsd] IRP_MJ_WRITEHi !
I’m making a FSD filter…
And I have a question…How can I check if a IRP_MJ_WRITE is writing or deleting ?
I need block delete files in Windows NT/2K/XP and NOT block
the write…Thank you
You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Write is not the place to check. Check the file create flags for delete
access.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marcos Velasco
Sent: Friday, March 07, 2003 10:49 AM
To: File Systems Developers
Subject: [ntfsd] IRP_MJ_WRITE
Hi !
I’m making a FSD filter…
And I have a question…
How can I check if a IRP_MJ_WRITE is writing or deleting ?
I need block delete files in Windows NT/2K/XP and NOT block the write…
Thank you
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Hi Nicholas Ryan !
The your help was essential for me…
The program works fine…
Thank you
----- Original Message -----
From: “Nicholas Ryan”
To: “File Systems Developers”
Sent: Friday, March 07, 2003 4:24 PM
Subject: [ntfsd] RE: IRP_MJ_WRITE
> An IRP_MJ_WRITE always writes, it has nothing to do with file deletion.
> To prevent deletion, you need to filter out the FILE_DELETE_ON_CLOSE
> flag on IRP_MJ_CREATE, and also prevent IRP_MJ_SET_INFORMATION requests
> where FileDispositionInformation is being set with the DeleteFile
> parameter as TRUE.
>
> - Nicholas Ryan
>
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of Marcos Velasco
> > Sent: Friday, March 07, 2003 10:49 AM
> > To: File Systems Developers
> > Subject: [ntfsd] IRP_MJ_WRITE
> >
> >
> > Hi !
> >
> > I’m making a FSD filter…
> > And I have a question…
> >
> > How can I check if a IRP_MJ_WRITE is writing or deleting ?
> > I need block delete files in Windows NT/2K/XP and NOT block
> > the write…
> >
> > Thank you
> >
> >
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@nryan.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@uol.com.br
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>An IRP_MJ_WRITE always writes, it has nothing to do with file deletion.
To prevent deletion, you need to filter out the FILE_DELETE_ON_CLOSE
flag on IRP_MJ_CREATE, and also prevent IRP_MJ_SET_INFORMATION requests
where FileDispositionInformation is being set with the DeleteFile
parameter as TRUE.
Actually there is one more way to delete file - rename specifing target
path of existing file and setting ReplaceIfExists to true.
Alexei.
Well, you can also ‘delete’ by opening with the supersede or overwrite
flags, or just by setting the length to 0. Or just renaming the file
into another directory where it will never be found again. If the
intention is to prevent corruption of the file’s contents, the original
poster should have his filter fail any opens that ask for write access,
and also spoof the read-only attribute (which will prevent destructive
renames).
- Nicholas Ryan
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexei Jelvis
Sent: Friday, March 07, 2003 2:48 PM
To: File Systems Developers
Subject: [ntfsd] RE: IRP_MJ_WRITE>An IRP_MJ_WRITE always writes, it has nothing to do with
file deletion.
>To prevent deletion, you need to filter out the FILE_DELETE_ON_CLOSE
>flag on IRP_MJ_CREATE, and also prevent
IRP_MJ_SET_INFORMATION requests
>where FileDispositionInformation is being set with the DeleteFile
>parameter as TRUE.Actually there is one more way to delete file - rename
specifing target path of existing file and setting
ReplaceIfExists to true.Alexei.
You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
>Well, you can also ‘delete’ by opening with the supersede or overwrite
flags, or just by setting the length to 0. Or just renaming the file
into another directory where it will never be found again.
NT has DELETE flag in desired access. Operations that require ability of
the caller to open file with the DELETE flag set in desired access could
be considered as “deletion”. For example open with supersede is considered
as deletion of the file followed by creation of a new file. When file is
being opened with supersede file system adds DELETE to desired access
specified by caller and verifies caller’s permissions against this new
desired access. Open for overwrite is not considered as a deletion and
doesn’t require caller’s rights to open file for deletion.
Alexei.
All true, but the data is still gone either way. If he doesn’t care what
gets written to the file but wants to ensure that the file always
persist with the same set of metadata (security descriptor, etc) then he
can be more lenient than if he must prevent any modification of the file
whatsoever. It’s all in the use case (god now I sound like my program
manager).
- Nicholas Ryan
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexei Jelvis
Sent: Saturday, March 08, 2003 11:37 AM
To: File Systems Developers
Subject: [ntfsd] RE: IRP_MJ_WRITE>Well, you can also ‘delete’ by opening with the supersede or
overwrite
>flags, or just by setting the length to 0. Or just renaming the file
>into another directory where it will never be found again.NT has DELETE flag in desired access. Operations that require
ability of the caller to open file with the DELETE flag set
in desired access could be considered as “deletion”. For
example open with supersede is considered as deletion of the
file followed by creation of a new file. When file is being
opened with supersede file system adds DELETE to desired
access specified by caller and verifies caller’s permissions
against this new desired access. Open for overwrite is not
considered as a deletion and doesn’t require caller’s rights
to open file for deletion.Alexei.
You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com