Hi,
Thanks Max and Lyndon.
Yes, I was querying for the file information in the callback for
IRP_MJ_READ which is incorrect as Max and Lyndon specified. Since the name
could not be obtained in the read callback, my callback would not handle the
IRP_READ_MJ with IRP_NOCACHE and IRP_PAGING_IO. The problem is solved when
the file name is remembered in the PreCreate path. Also, in my case the file
name is set correctly in the FileObject passed to the IRP_MJ_READ callback
(However, according to some previous posts this is not the correct way. Also
I have not tested my filter in trivial cases only).
The notion of FLT_PREOP_DISALLOW_FAST_IO being honored by
notepad.exe/devenv.exe is incorrect as well (is in fact nonsense). There is
no reason as to why I should be disallowing the paging read. The end user
mode applications like notepad.exe / devenv.exe do not have any knowledge of
this.
Now I have got the code working for notepad.exe and Devenv.exe as
well.
Thanks to all,
Vishal
From: Vishal Pai [mailto:xxxxx@persistent.co.in]
Sent: Sunday, April 09, 2006 11:18 PM
To: ‘xxxxx@lists.osr.com’
Subject: RE: Memory mapped API and mini filter
Hi,
Please accept my apologies for asking an incomplete and hence a wrong
question.
I do understand what IRP_MJ_READ is and all the other IRPS mentioned in
the IFS help document. It is the FileMon utility that shows for the benefit
of the user IRP_MJ_READ*. If you google for IRP_MJ_READ* and FileMon one
link shows that IRP_MJ_READ followed by an asterix represents paging I/O.
The problem was while I was determining the file name (Test.txt) in the
IRP_MJ_READ. As a result of which I could not see the IRP_MJ_READ with
PAGING IO and NO CACHE flags set and thus wrongly assumed that I did not get
the READ call. With this change I have been able to make my solution work
with Devenv.exe (Visual Studio 7.0) by denying the I/O with the above
mentioned flags set for Test.txt. This works because Devenv.exe honors the
FLT_PREOP_DISALLOW_FAST_IO return status.
Hopefully I will be able to find some similar workaround for notepad as
well (Notepad does not honor FLT_PREOP_DISALLOW_FAST_IO status and fails to
open the file).
Thanks,
Vishal
From: Vishal Pai [mailto:xxxxx@persistent.co.in]
Sent: Sunday, April 09, 2006 5:33 PM
To: ‘xxxxx@lists.osr.com’
Subject: RE: Memory mapped API and mini filter
Hi,
I have now purged the cache (CcPurgeCacheSection) from which notepad
reads the file. The purging of the cache is done in the PostCreate callback
for IRP_MJ_CREATE. I was monitoring the requests generated during notepad’s
access to my file Test.txt using the FileMon utility.
Before purging the chronological sequence was as follows:
After purging the chronological sequence is as follows:
I have following questions:
-
Although the FASTIO_QUERY_STANDARD_INFO callback is implemented by
my mini filter, I do not get the control in my callback function.
-
What is IRP_MJ_READ*? I understand that this is paging I/O. How
should I handle this in my mini filter? I have implemented the callback
routines for IRP_MJ_READ. However I do not get the control in my callback. I
think this is the paging I/O path that previous articles talk about. How
should I proceed here?
Kindly let me know if I am doing anything incorrect.
Thanks,
Vishal
From: Vishal Pai [mailto:xxxxx@persistent.co.in]
Sent: Saturday, April 08, 2006 11:50 PM
To: ‘xxxxx@lists.osr.com’
Subject: RE: Memory mapped API and mini filter
Hi,
Could anybody please help me on this? This is really urgent.
Thanks,
Vishal
From: Vishal Pai [mailto:xxxxx@persistent.co.in]
Sent: Saturday, April 08, 2006 11:03 PM
To: ‘xxxxx@lists.osr.com’
Subject: Memory mapped API and mini filter
Hi,
I am writing a simple mini filter (using Microsoft IFS kit) to skip 3
characters from a file named Test.txt. For e.g. if the file contains
characters “123456789” then all the applications e.g. text editors viewing
the file should see “456789” as “123” have been skipped by my mini filter
driver. My development platform is Windows 2003.
My filter is working fine with command line utility like ‘TYPE’. The
filter is also working fine with WordPad.exe, TextPad.exe and MSDEV.exe.
However, my filter does not work with notepad.exe (similar is the case with
devenv.exe). When the file is viewed with notepad, the characters that
appear are “123456” and “789” are skipped.
I have implemented callbacks for IRP_MJ_CREATE, IRP_MJ_READ (Set the
file start offset 3 characters ahead.), IRP_MJ_WRITE,
IRP_MJ_DIRECTORY_CONTROL (Reduce the file size by 3 characters in the
information passed to the querying application) and IRP_MJ_QUERY_INFORMATION
(reduce the file size by 3 characters in the information passed to the
querying application). In case of Textpad.exe, Wordpad.exe and MSDEV.exe a
read operation is first seen which moves the file pointer 3 characters
ahead. Since the file size has been set to six in the DIRECTORY_CONTROL and
QUERY_INFORMATION these editors read the last six characters correctly as
expected.
I understand that notepad.exe uses memory mapping to read files and
hence I do not get IRP_MJ_READ call (and also the fast i/o read call). Thus
the read operation is not seen and hence notepad.exe reads the first six
characters and skips the last three which is not correct from what I am
trying to achieve.
One way out for me is to append the header at the end of the file. But,
I would like my header to be at the start of the file.
I have registered for fast I/O (by filling the FastIoDispatch member of
the DRIVER_OBJECT) without any help. I cannot see any fast I/O requests
coming in. I was looking into the SectionObjectPointers as suggested in
similar (cases where file could not be opened by notepad on XP) old posts
but I have not been able to understand that correctly.
Could somebody tell me how am I supposed to proceed on this? How should
I handle applications that use memory mapped I/O? How should I cleanup the
cache only for certain files so that notepad always goes through IRP_MJ_READ
to read those files (I know that there will be a performance hit)?
Please advice.
Thanks in advance,
Vishal