memory mapped files

hi,

i’m writing a filter fsd.
how can i tell if the file was mapped into memory by the user application.

thanks,
amir

In FILE_OBJECT->FsContext which points to the “common header
(FSRTL_COMMON_FCB_HEADER)”, you can check the Flags attribute for a
FSRTL_FLAG_USER_MAPPED (0x20) value. This is what I was using to see if the

file in question is memory mapped.

FSRTL_FLAG_USER_MAPPED is a #define in ntifs.h

mkr

hi,

i’m writing a filter fsd.
how can i tell if the file was mapped into memory by the user application.

thanks,
amir
b???m???>*??zf?-?%y??z??w~??
)b??(??(

>i’m writing a filter fsd.

how can i tell if the file was mapped into memory by the user application.

Check for FSRTL_FLAG_USER_MAPPED_FILE in FSRTL_COMMON_FCB_HEADER flags.

Max