Hi,
What I’ve done: I changed the scanner example to reject all types of files.
[C:\WinDDK\6001.18002\src\filesys\miniFilter\scanner]
I am not allowed to create files with data > 0 bytes.
But I am allowed to create files with 0 bytes, dirs and subdirs.
(right click in Explorer -> new *.txt file) Now this file does not contain any data; I try to add some with Notepad -> access denied, so far so good.
Now I add the following code after reading a lot of comments on FltCancelFileOpen:
In ScannerPostCreate I add the following lines:
ScannerPostCreate ()
…snip…
    //
    // Check if we are interested in this file.
    //
    status = FltIsDirectory(FltObjects->FileObject, FltObjects->Instance, &IsDirectory);
    // IsDirectory is only valid when FltIsDirectory succeeded.
    if (NT_SUCCESS( status )) {
        if (IsDirectory == TRUE)
        {
            FltCancelFileOpen(FltObjects->Instance, FltObjects->FileObject);
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
            return FLT_POSTOP_FINISHED_PROCESSING;
        }
    }
    status = FltGetFileNameInformation( … );
…snip…
    return returnStatus;
}
Now I expect that a new dir will also be canceled after creation by Explorer.
Any hint on this?
Thanks,
Sven
>>Now i expect that a new dir will be canceled also after creation by explorer. Any hint on this ?
By this statement, are you expecting the created directory to be deleted?
If yes, then you may want to take a look at the WDK docs, which clearly state that "FltCancelFileOpen does not delete a newly created file or restore a file that was overwritten or superseded to its previous state."
Thanks
Aditya
>>By this statement; are you expecting the directory created to be deleted?
Yes.
Thanks a lot, I missed this important information.
So, if I want to prevent creation of dirs or 0 byte files, is it possible to do it with the scanner demo
and look for IRP_MJ_CREATE and block or modify these messages,
or do I have to do it with a “normal filter driver” and not with a minifilter?
Then I would try to use the filterspy example, and when the IRP_MJ_CREATE event occurs I can
prevent the creation of dirs or 0 byte files?
Is it a good start to look into?
Thanks a lot.
Sven
Hi Sven,
A minifilter will work.
I still don’t exactly understand your statement about creation of 0 bytes files? All files are created empty.
If you want to block creation of all new directories (and files too, but then I don’t quite get the 0 bytes part), you could change the CreateDisposition in pre-create so that the file system will never create a new object if one doesn’t exist.
Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.
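
The CreateDisposition rewrite suggested in the post above, as an added example that is not part of the original thread or of the WDK scanner sample. It is a user-mode model of the pre-create decision so it compiles without the WDK; `no_new_objects` is a hypothetical helper, and mapping FILE_SUPERSEDE to FILE_OVERWRITE is a choice made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* CreateDisposition values as defined in the WDK headers. */
enum { FILE_SUPERSEDE, FILE_OPEN, FILE_CREATE,
       FILE_OPEN_IF, FILE_OVERWRITE, FILE_OVERWRITE_IF };
#define FILE_DIRECTORY_FILE 0x00000001u

/* IRP_MJ_CREATE packs both values into Parameters.Create.Options:
 * high 8 bits = CreateDisposition, low 24 bits = CreateOptions. */
#define DISPOSITION(o)  (((o) >> 24) & 0xFFu)
#define CREATE_OPTS(o)  ((o) & 0x00FFFFFFu)

/* Hypothetical helper. Returns 0 and stores the Options word to pass down
 * (in a minifilter: write it to Data->Iopb->Parameters.Create.Options and
 * call FltSetCallbackDataDirty), or -1 when the request can only create a
 * new object and must be completed with an error in pre-create. */
int no_new_objects(uint32_t options, uint32_t *out)
{
    uint32_t disp = DISPOSITION(options);

    switch (disp) {
    case FILE_OPEN:
    case FILE_OVERWRITE:    break;                        /* never creates */
    case FILE_OPEN_IF:      disp = FILE_OPEN;      break;
    case FILE_OVERWRITE_IF: disp = FILE_OVERWRITE; break;
    case FILE_SUPERSEDE:    disp = FILE_OVERWRITE; break; /* nearest match */
    default:                return -1;        /* FILE_CREATE or unknown */
    }
    *out = (disp << 24) | CREATE_OPTS(options);
    return 0;
}

int main(void)
{
    /* Constructed sample Options words, not captured from a real system. */
    uint32_t samples[] = {
        ((uint32_t)FILE_CREATE  << 24) | FILE_DIRECTORY_FILE,
        ((uint32_t)FILE_OPEN_IF << 24) | FILE_DIRECTORY_FILE,
        ((uint32_t)FILE_OPEN    << 24),
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t out;
        if (no_new_objects(samples[i], &out) == 0)
            printf("0x%08x -> pass down 0x%08x\n", (unsigned)samples[i], (unsigned)out);
        else
            printf("0x%08x -> deny\n", (unsigned)samples[i]);
    }
    return 0;
}
```
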
@Alex
>I still don’t exactly understand your statement about creation of 0 bytes files? All files are created empty.
I guess OP’s thinking is based on the behavior he noticed in Explorer; for example, when you create a text file, Explorer shows it as zero bytes, whereas in the case of a Word file it’s 11 KB approx.
@SvenK
In case my assumption is true, then you need to understand that what you see in Explorer is actually after a lot of IRP handling behind the scenes; I suggest you use filespy and observe the behavior first.
Mostly it will be like:
a create for empty files, then a few writes and setinformation depending upon the type of file, and hence your approach will allow creation of all files.
Thanks
Aditya
Thanks Alex,
> A minifilter will work.
Yes, that’s fine.
> If you want block creation of all new directories (and files too, but then I don’t quite get the 0 bytes part), you could change the CreateDisposition in pre-create so that the file system will never create a new object if one doesn’t exist.
That’s exactly what I want to do.
@Aditya
> I guess OP’s thinking is based on the behavior he noticed in explorer, for example when you
> create a text file; explorer shows it is as a zero byte whereas in case of a word its 11 KB approx.
Indeed, I started my first tests with Explorer.
Thanks for your information.
I know there are a lot of IRP messages when Explorer creates a new *.txt file.
So, for my next step I will try to modify the IRP handling in ScannerPreCreate.
Regards,
Sven
>>So, for my next step i try to modify the IRP handling in ScannerPreCreate.
You are missing the actual point by a long distance. Do not jump to conclusions at this stage; just monitor the behavior with a monitoring tool like filespy and improve your understanding. Once you attain the required level, go ahead with the actual implementation.
Thanks
Aditya