logging file which get Deleted on Reboot

Hello all,

I have my filter driver, which fails all deletes by setting all
PFILE_DISPOSITION_INFORMATION->DeleteFile to FALSE.

Now if I want to protect my system from any software getting
uninstalled, I can do it successfully in the above-mentioned
way, but not with the files which get deleted on reboot.
For example, in the case of a Winzip uninstallation, Winzip deletes winzip.exe on
the next reboot. My driver is attached after a long time on the next reboot and
hence cannot detect this delete operation.

So how do I accurately detect that this file is marked for deletion on
next reboot?

I see from other mail listing a FILE_FLAG_DELETE_ON_CLOSE field. Is
trapping this a good choice? If so, where and how to trap it?

regards,
Anurag

Hi,

There is a registry key that stores if files are marked for deletion (or
rename) upon reboot.

It is called PendingFileRenameOperations and can be found in HKLM under
SYSTEM\CurrentControlSet\Control\Session Manager

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58499.asp

BR,

Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: 08 November 2004 10:00
To: Windows File Systems Devs Interest List
Subject: [ntfsd] logging file which get Deleted on Reboot

Hello all,

I have my filter driver, which fails all deletes by setting all
PFILE_DISPOSITION_INFORMATION->DeleteFile to FALSE.

Now if I want to protect my system from any software getting
uninstalled, I can do it successfully in the above-mentioned
way, but not with the files which get deleted on reboot.
For example, in the case of a Winzip uninstallation, Winzip deletes winzip.exe on
the next reboot. My driver is attached after a long time on the next reboot and
hence cannot detect this delete operation.

So how do I accurately detect that this file is marked for deletion on
next reboot?

I see from other mail listing a FILE_FLAG_DELETE_ON_CLOSE field. Is
trapping this a good choice? If so, where and how to trap it?

regards,
Anurag


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hello Rob,

Thanks! This is a great piece of information. I can see these files in the
registry specified in the article.

I would like to make a log of these files when they are marked for rename
on reboot.
Can I simply check for the instance when the REG_MULTI_SZ registry is
written with this file name in IRP_MJ_WRITE and make a log?
I guess I will need the data structure which stores the file name which
is going to be written in the REG_MULTI_SZ registry.
Any more ideas on this?

Regards,
Anurag

-----Original Message-----
From: Rob Linegar [mailto:xxxxx@des.co.uk]
Sent: Monday, November 08, 2004 3:58 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] logging file which get Deleted on Reboot

Hi,

There is a registry key that stores if files are marked for deletion (or
rename) upon reboot.

It is called PendingFileRenameOperations and can be found in HKLM under
SYSTEM\CurrentControlSet\Control\Session Manager

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58499.asp

BR,

Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com

If you simply want to stop the files being deleted after the reboot…
Just remove them from the list of files under that registry key.

Be careful not to remove files that shouldn’t be deleted.

That registry key is just left as a persistent list of files to delete
after reboot. The system checks for this key on startup and
performs the rename/delete operations, then the key is removed.

I’m not quite sure what you mean by data structure…
If you mean the list, it's just pairs of file names… source/target.
If the entry for target is NULL then the file is deleted.
I think a double NULL entry indicates the end of the list.

BR,

Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com
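
The source/target pair layout described in the message above, as an added example that is not part of the original thread: a bounds-checked walk over the raw REG_MULTI_SZ data of PendingFileRenameOperations that reports which entries are deletes. It walks by byte length, because an empty target string also produces two consecutive NULs inside the data. The names `pending_op`, `parse_pending_ops`, `load_sample` and the sample paths are constructed for illustration, and the caller is assumed to already hold the value data and its length.

```c
#include <stddef.h>
#include <stdint.h>

/* One pending operation; pointers refer into the caller's UTF-16 buffer. */
typedef struct {
    const uint16_t *source;
    const uint16_t *target;            /* NULL: empty target, file is deleted */
} pending_op;

/* Constructed sample: one delete and one rename, widened from ASCII. */
static const char SAMPLE[] =
    "\\??\\C:\\a.exe\0\0\\??\\C:\\b.tmp\0\\??\\C:\\b.dll\0";

size_t load_sample(uint16_t *out) {    /* returns number of UTF-16 units */
    for (size_t i = 0; i < sizeof SAMPLE; i++) out[i] = (unsigned char)SAMPLE[i];
    return sizeof SAMPLE;
}

/* Length of the string at s, or (size_t)-1 if no NUL occurs before end. */
static size_t bounded_len(const uint16_t *s, const uint16_t *end) {
    const uint16_t *p = s;
    while (p < end && *p) p++;
    return p < end ? (size_t)(p - s) : (size_t)-1;
}

/* Walk the pairs by byte length; an empty source string ends the list.
   Returns the number of pairs stored, or -1 on truncated data. */
int parse_pending_ops(const uint16_t *data, size_t bytes,
                      pending_op *out, int max_ops) {
    const uint16_t *p = data, *end = data + bytes / sizeof *data;
    int n = 0;
    while (n < max_ops && p < end && *p) {
        size_t slen = bounded_len(p, end);
        if (slen == (size_t)-1 || p + slen + 1 >= end) return -1;
        const uint16_t *tgt = p + slen + 1;
        size_t tlen = bounded_len(tgt, end);
        if (tlen == (size_t)-1) return -1;
        out[n].source = p;
        out[n].target = tlen ? tgt : NULL;   /* empty target means delete */
        n++;
        p = tgt + tlen + 1;
    }
    return n;
}

int main(void) {
    uint16_t buf[64];
    pending_op ops[8];
    return parse_pending_ops(buf, load_sample(buf) * sizeof *buf, ops, 8) != 2;
}
```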

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: 08 November 2004 11:47
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] logging file which get Deleted on Reboot

Hello Rob,

Thanks! This is a great piece of information. I can see these files in the
registry specified in the article.

I would like to make a log of these files when they are marked for rename
on reboot.
Can I simply check for the instance when the REG_MULTI_SZ registry is
written with this file name in IRP_MJ_WRITE and make a log?
I guess I will need the data structure which stores the file name which
is going to be written in the REG_MULTI_SZ registry.
Any more ideas on this?

Regards,
Anurag

Attach at boot. This is a usual way of attaching FS filters.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> Attach at boot. This is a usual way of attaching FS filters.

Yes, this will solve your problems. And you will not
have to care about registry entries.
Just handle the files being deleted as normal deletes.

L.

Maxim , Ladislav & Rob,

I log all deletions, fail them and hide them in a boot session. And I
want to show as if no deletion happened on the next boot session, so I show
all files logged by me on the next boot session.
In the case of these software uninstallations, some files get deleted at the next
boot session.

Even if I attach at boot time and get a log for these files (i.e. on the 2nd
boot session, where PendingFileRenameOperations-marked files get deleted),
I will be able to show them on the 3rd boot session, which is not the
requirement.

So ideally I need to detect which files are logged in as
PendingFileRenameOperations, fail the operation of
PendingFileRenameOperations on these files, hide these files and show
them in the next boot session.

I can trap when some data is being written in the registry
(HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations),

but how to know that winzip32.exe is being written into

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations from kernel mode?

Then I can hide winzip32.exe and show the same in the next boot session.

Hope you know what I mean.

regards,
Anurag

-----Original Message-----
From: Ladislav Zezula [mailto:xxxxx@volny.cz]
Sent: Monday, November 08, 2004 6:10 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] logging file which get Deleted on Reboot

Attach at boot. This is a usual way of attaching FS filters.

Yes, this will solve your problems. And you will not
have to care about registry entries.
Just handle the files being deleted as normal deletes.

L.