If you simply want to stop the files being deleted after the reboot…
Just remove them from the list of files under that registry key.
Be careful not to remove files that shouldn’t be deleted.
That registry key is just left as a persistent list of files to delete
after reboot. The system checks for this key on startup and
Performs the rename/delet operations, then the key is removed.
I’m not quite sure what you mean by data structure…
If you mean the list its just pairs of file names… Source/target.
If the entry for target is NULL then the file is deleted.
I think a double NULL entry indicates the end of the list.
BR,
Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: 08 November 2004 11:47
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] logging file which get Deleted on Reboot
Hello Rob,
Thanks! This is great piece of information. I can see these files in the
registry specified in the article.
I would like to make a log of this file when they are marked for rename
on reboot.
Can I simply check for the instance when REG_MULTI_SZ registry in
Written with this file name in IRP_MJ_WRITE and make a log.
I guess I will need the data structure which stores the file name which
is going to be written in REG_MULTI_SZ registry.
Any more ideas on this ?
Regards,
Anurag
-----Original Message-----
From: Rob Linegar [mailto:xxxxx@des.co.uk]
Sent: Monday, November 08, 2004 3:58 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] logging file which get Deleted on Reboot
Hi,
There is a registry key that stores if files are marked for deletion (or
rename) upon reboot.
It is called PendingFileRenameOperations and can be found in HKLM under
SYSTEM\CurrentControlSet\Control\Session Manager
http://www.microsoft.com/resources/documentation/Windows/2000/server/res
kit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/r
eskit/en-us/regentry/58499.asp
BR,
Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: 08 November 2004 10:00
To: Windows File Systems Devs Interest List
Subject: [ntfsd] logging file which get Deleted on Reboot
Hello all,
I have my Filter Driver who Fails all deletes by setting all
PFILE_DISPOSITION_INFORMATION ->DeleteFile as FALSE.
Now if I want to protect my system from any software getting
uninstalled. I can do it successfully by doing it the above mentioned
way. But not with the files which get deleted on Reboot !.
Like in case of Winzip uninstallation , Winzip deletes winzip.exe on
next reboot. My driver is attached after a long time on next reboot
hence cannot detect this delete operation.
So how do I acurately detect that this file is marked for deletion on
next reboot.???
I see from other mail listing a: FILE_FLAG_DELETE_ON_CLOSE field . Is
traping this a good choice??? If so where and how to trap it ??.
regards,
Anurag
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’ To unsubscribe send a blank email to xxxxx@lists.osr.com
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com