Minifilter treats delete as rename, deadlock in Win2K!

In my minifilter, I want to implement the following:
if a file is going to be deleted, I cancel the delete operation and rename it to a bak file.

I track a deletepending flag in my stream context according to:
in PostCreate, the FILE_DELETE_ON_CLOSE flag;
in PostSetInfo, the DeleteFile flag in FileDispositionInformation.

In PreCleanup:
if the deletepending flag is TRUE in my stream context, I do the following:
1. I want to cancel the delete operation:
I build a FileDispositionInformation with DeleteFile=FALSE and call FltSetInformationFile;
2. I want to rename the file:
I build a valid FileRenameInformation and call FltSetInformationFile.


On WinXP and Win2K3, everything is OK:
the file that the application wants to delete is renamed to a bak file.

But on Win2K (SP4 + rollup 1), deadlock!
Many threads wait on "Ntfs!NtfsAcquireExclusiveVcb":

ChildEBP RetAddr Args to Child
be31b9dc 8042c2ad 00000000 818854f4 814fc120 nt!KiSwapThread+0xc5
be31ba04 80415082 818a32a8 00000000 00000000 nt!KeWaitForSingleObject+0x1a1
be31ba44 8041457c 81550328 008854f4 be31ba5c nt!ExpWaitForResource+0x1ac
be31ba54 804145c1 be31baf8 bfeafa81 818854f4 nt!ExpAcquireResourceExclusiveLite+0x64
be31ba5c bfeafa81 818854f4 e135d101 81550328 nt!ExAcquireResourceExclusiveLite+0x37
be31ba6c bfe98c75 81550328 818850f0 00000000 Ntfs!NtfsAcquireExclusiveVcb+0x1b
be31baf8 bfe980d7 81550328 e13149b8 e13148e8 Ntfs!NtfsCommonClose+0xe7
be31bbb8 8041dded 81885020 8152d648 00000000 Ntfs!NtfsFsdClose+0x225
be31bbcc bff523ce 81856260 8152d648 81856908 nt!IopfCallDriver+0x35
be31bbf0 bff527e3 be31bc10 81856260 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20e
be31bc28 8041dded 81856260 8152d648 8152d658 fltmgr!FltpDispatch+0x10f
be31bc3c 80428b01 00000000 814e9364 804289c0 nt!IopfCallDriver+0x35
be31bc74 804d5d98 81885000 814e9350 818792a0 nt!IopDeleteFile+0x141
be31bc90 8044e9a5 814e9368 e2104070 814e9350 nt!ObpRemoveObjectRoutine+0xd6
be31bcb4 8044ece4 be31bd64 00125fe4 8044eaec nt!ObfDereferenceObject+0x149
be31bd58 80464f84 00000438 00000000 00000000 nt!NtClose+0x1f8
be31bd58 77f88203 00000438 00000000 00000000 nt!KiSystemService+0xc4
00126020 00000000 00000000 00000000 00000000 NTDLL!NtClose+0xb


Why??? And what should I do?

Find who is holding ERESOURCE (!locks).

You can't let the file be opened with the FILE_DELETE_ON_CLOSE flag, because
this state can't be undone with FileDispositionInformation. You need to remove
this flag in pre-Create and mark in your context that the file should
have been opened with this flag (in post-Create, according to the status code).
Otherwise this flag would delete your renamed .bak file ;)


I don't see your driver in the stack here, so it's hard to comment. The
problem here is that by the time you are 'sure' a file is going to be deleted,
such as in cleanup or close, it's too late to take action, so you should act
immediately upon receiving a destructive create or SetInformation and build
in the undo functionality to reverse the operation if the delete flag is
cleared (with subsequent SetInformation IRPs with DeleteFile set to FALSE).

I put up a working sample of a minifilter that demonstrates. This also works
on remote drives, supports ADS but has no provisions to support transactions
which I should give some thought. It can be found here:

http://www.resplendence.com/source

//Daniel
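
The two replies above describe one design: strip FILE_DELETE_ON_CLOSE in pre-create and remember it, and act on a delete request immediately while keeping enough state to undo it. As an added example (not from the thread and not rspundelex code), this user-mode C model replays that state machine; `fs_event`, `stream_ctx`, `on_event` and the action strings are hypothetical, and no Filter Manager API is called.

```c
/* User-mode model (constructed for illustration); no Filter Manager calls.
 * All type, field and function names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FILE_DELETE_ON_CLOSE 0x00001000u /* NT create option */

typedef enum { EV_CREATE, EV_SET_DISPOSITION, EV_CLEANUP } event_kind;

typedef struct {
    event_kind kind;
    unsigned   create_options; /* EV_CREATE: options the caller asked for */
    bool       create_ok;      /* EV_CREATE: status seen in post-create */
    bool       delete_file;    /* EV_SET_DISPOSITION: DeleteFile value */
} fs_event;

/* Stand-in for the per-stream context discussed in the thread. */
typedef struct {
    bool wanted_delete_on_close; /* flag was stripped from a successful open */
    bool moved_to_backup;        /* file currently lives under the bak name */
    char log[128];               /* actions taken, in order */
} stream_ctx;

static void act(stream_ctx *c, const char *what) {
    strncat(c->log, what, sizeof c->log - strlen(c->log) - 1);
}

static void move_to_backup(stream_ctx *c) {
    if (!c->moved_to_backup) { c->moved_to_backup = true; act(c, "rename->bak;"); }
}

/* Returns the create options passed down to the file system (0 otherwise). */
unsigned on_event(stream_ctx *c, const fs_event *e) {
    switch (e->kind) {
    case EV_CREATE:
        if (!(e->create_options & FILE_DELETE_ON_CLOSE))
            return e->create_options;
        if (e->create_ok) {              /* mark the context only on success */
            c->wanted_delete_on_close = true;
            move_to_backup(c);
        }
        return e->create_options & ~FILE_DELETE_ON_CLOSE;
    case EV_SET_DISPOSITION:
        if (e->delete_file) {
            move_to_backup(c);           /* act immediately, not at cleanup */
        } else if (c->moved_to_backup && !c->wanted_delete_on_close) {
            c->moved_to_backup = false;  /* delete flag cleared: undo */
            act(c, "rename<-bak;");
        }                                /* delete-on-close is not undoable */
        return 0;
    case EV_CLEANUP:
        act(c, "cleanup:none;");         /* nothing left to do this late */
        return 0;
    }
    return 0;
}

const char *replay(stream_ctx *c, const fs_event *ev, size_t n) {
    for (size_t i = 0; i < n; i++) on_event(c, &ev[i]);
    return c->log;
}

int main(void) {
    stream_ctx c = {0};
    const fs_event seq[] = {             /* constructed sample sequence */
        { EV_SET_DISPOSITION, 0, false, true },
        { EV_SET_DISPOSITION, 0, false, false },
        { EV_CLEANUP, 0, false, false },
    };
    printf("%s\n", replay(&c, seq, 3));
    return 0;
}
```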


Daniel Terhell, your rspundelex can't run on Win2K.
When I installed it and ran fltmc load rspundelex,
it failed.

This makes use of the filter manager which requires SP4 + update rollup 1.
Otherwise it might be useful to mention how it failed.

//Daniel


Because it uses RtlHashUnicodeString.
That function was introduced in WinXP, not Win2K.

OK, I used myRtlHashUnicodeString to replace RtlHashUnicodeString in your code.
(myRtlHashUnicodeString is based on ReactOS.)

It can be loaded by fltmc.
But if I attach to C: and shift+del a file, BSOD.

fltmc attach rspundelex C:
(I can see the bottom instance is on.)

That's weird, this code has been thoroughly tested for a long time with
verifier. Anything else you changed? In any case you can hook up a debugger
and see what goes wrong; I would like to hear about any bugs you may find.
This was never meant to be boilerplate code to be used without consideration
but was intended for concept and educational purposes.

//Daniel


Yes, I just tested your minifilter to verify that the concept is valid:
on create with FILE_DELETE_ON_CLOSE, you rename it;
on FileDispositionInfo, you rename it (and rename it back).

If it works, I will implement mine.
And this function is a tiny part of my minifilter.

Yes, the concept is valid; you must store information to reverse the
operation if the file eventually is not deleted. So I just gave the driver
a test on Win2000, and I found the problem, or at least one. If the filter is
started from the command line, the file name include and exclude filters are
empty. Then it calls FsRtlIsNameInExpression with an empty pattern string,
which makes no sense, and this bugchecks on Win2000. Add the following line
to the top of function FilematchesFilters:

if (filters->Length==0)
    return TRUE;

//Daniel


>> If the filter is started from the command line, the file name include and exclude filters are empty.

To start rspundelex, there is only one way: fltmc load rspundelex!!
Are other ways possible?
Or maybe edit the registry and change the start value from 3 to 0.

Sorry, I can't test your rspundelex!
1. install the inf
2. fltmc load rspundelex
3. fltmc attach rspundelex C:

I shift+del c:\1.txt in Explorer.
But I can't see 1.txt renamed.
And I can't see the UNDELEX directory.

I think the cause is ReadConfig and DriverConfigChanged.

Can you give me the test config, or the config format?

Sorry, I can't download the whole rspundelex suite; I just downloaded the minifilter source.
Can you send it to me (including the application)?
My email:
xxxxx@hotmail.com

I have modified your rspundelex.

It can show the function on Win2K SP4 + rollup 1.

But, deadlock!

Your rspundelex doesn't support Win2K SP4 + rollup 1 at all. It will freeze the system!

Yes, just the same as my code.

To run your rspundelex on Win2K, I modified the following:

1. Call MyRtlHashUnicodeString, not RtlHashUnicodeString.

Because RtlHashUnicodeString isn't supported on Win2K.

2. Implement MyRtlHashUnicodeString based on ReactOS.

3. In CheckIfFilePassesFilters, I just return TRUE.

4. In ReadConfig, I added:

rspInitUnicodeStr (&driverConfig->UndeleteDir, DEFAULTUNDELETEDIR, MAXPATHLEN);

5. In FileMatchesFilters, I added:

if (filters->Length==0)
    return TRUE;

But the 5th should be unnecessary.

When I shift+del a txt file, I can see the file renamed to undel\test.txt

But after a while the system freezes; it should be a deadlock.

Just the same as with my minifilter.

And the attachment is the rspundelex source code I modified.

You can compare it with your original rspundelex.

This deadlock only happens on Win2K + NTFS.
If it's FAT32 + Win2K, that's OK.
If it's WinXP, Vista…, FAT32 or NTFS, all are OK.

I think maybe it's a bug in Win2K NTFS?

In my test, I use notepad.exe to open d:\1.txt (D: is NTFS).
And click the menu: File/Open…
In the open-file dialog, I shift+del d:\2.txt.
All my work is complete, everything is OK.

After a while, the system deadlocks.
The following are the details from windbg.
According to the output from windbg, I think the owning thread 0x81586020 (it's notepad.exe) holds the lock, but it doesn't release the lock for some reason.
It's very strange; I don't operate on the lock directly, I just call FltSetInformationFile to rename the file.

kd> !locks -v 0x8164c694

Resource @ 0x8164c694 Shared 1 owning threads
Contention Count = 2
NumberOfSharedWaiters = 1
NumberOfExclusiveWaiters = 1
Threads: 81586020-01<*>

THREAD 81586020 Cid 2bc.2e8 Teb: 7ffde000 Win32Thread: e21c4ba8 WAIT: (WrUserRequest) UserMode Non-Alertable
816131c0 SynchronizationEvent
Not impersonating
Owning Process 81555020
Wait Start TickCount 8749 Elapsed Ticks: 263
Context Switch Count 2376 LargeStack
UserTime 0:00:00.0015
KernelTime 0:00:00.0421
Start Address 0x77e6b70c
Win32 Start Address 0x01006420
Stack Init be38f000 Current be38ec20 Base be38f000 Limit be389000 Call 0
Priority 14 BasePriority 8 PriorityDecrement 4 DecrementCount 16

ChildEBP RetAddr Args to Child
be38ec38 8042c2ad 00000000 e21c4ba8 00000001 nt!KiSwapThread+0xc5
be38ec60 a00019c2 816131c0 0000000d 00000001 nt!KeWaitForSingleObject+0x1a1
be38ec9c a0000b72 000021ff 00000000 00000001 win32k!xxxSleepThread+0x18a
be38ece0 a007531d be38ed10 000021ff 00000000 win32k!xxxInternalGetMessage+0x36e
be38ed4c 80464f84 0006ff08 00000000 00000000 win32k!NtUserGetMessage+0x43
be38ed4c 77e21eb3 0006ff08 00000000 00000000 nt!KiSystemService+0xc4
0006fee4 00000000 00000000 00000000 00000000 +0x77e21eb3

81554380-01

THREAD 81554380 Cid 374.394 Teb: 7ffdd000 Win32Thread: e20a7a08 WAIT: (Executive) KernelMode Non-Alertable
8152fa28 Semaphore Limit 0x7fffffff
81554468 NotificationTimer
Not impersonating
Owning Process 814f1820
Wait Start TickCount 8933 Elapsed Ticks: 79
Context Switch Count 1492 LargeStack
UserTime 0:00:00.0031
KernelTime 0:00:00.0421
Start Address 0x77e6b700
Win32 Start Address 0x76e1a4b0
Stack Init be3fe8f0 Current be3fdbf8 Base be3ff000 Limit be3f9000 Call be3fe8f4
Priority 14 BasePriority 8 PriorityDecrement 2 DecrementCount 16

ChildEBP RetAddr Args to Child
be3fdc10 8042c2ad 00000000 8164c694 81554380 nt!KiSwapThread+0xc5
be3fdc38 80415082 8152fa28 00000000 00000000 nt!KeWaitForSingleObject+0x1a1
be3fdc78 80414712 be3fdfec be3fdfec 81526834 nt!ExpWaitForResource+0x1ac
be3fdc90 8041465d 8164c694 8152fa28 be3fdf9c nt!ExpAcquireResourceSharedLite+0xb0
be3fdca0 bfe96d8b 8164c694 00000001 00000100 nt!ExAcquireResourceSharedLite+0x41
be3fdcb0 bfec28ce be3fdfec 8164c290 00000001 Ntfs!NtfsAcquireSharedVcb+0x1b
be3fdf9c bfe9c684 be3fdfec 815266c8 00000000 Ntfs!NtfsCommonCreate+0x1de
be3fe120 bff51caf 815266c8 be3fe500 8164c1c0 Ntfs!NtfsNetworkOpenCreate+0xae
be3fe144 bff5170c 81531af2 81531a00 81531aa0 fltmgr!FltpPerformFastIoCall+0x2d1
be3fe170 bff5f855 be3fe100 00000000 815266c8 fltmgr!FltpPassThroughFastIo+0x76
be3fe1a4 804bf86b 815266c8 be3fe500 8164cde0 fltmgr!FltpFastIoQueryOpen+0xf9
be3fe340 80450893 81896030 00000000 be3fe3f8 nt!IopParseDevice+0x9b1
be3fe3b8 804d59a0 00000000 81881b00 00000040 nt!ObpLookupObjectName+0x4e7
be3fe4c8 804a10cf 00000000 00000000 be3fe601 nt!ObOpenObjectByName+0xc8
be3fe644 80464f84 00e4d1a8 00e4d180 be3fe6d8 nt!NtQueryAttributesFile+0xe3
be3fe644 77f88817 00e4d1a8 00e4d180 be3fe6d8 nt!KiSystemService+0xc4
00e4d1d4 00000000 00000000 00000000 00000000 NTDLL!ZwQueryAttributesFile+0xb

Threads Waiting On Exclusive Access:
815a1b20
1 total locks, 1 locks currently held
kd> !process 0x81555020 0
PROCESS 81555020 SessionId: 0 Cid: 02bc Peb: 7ffdf000 ParentCid: 0374
DirBase: 0f996000 ObjectTable: 81533488 TableSize: 144.
Image: notepad.exe

kd> !thread 0x815a1b20
THREAD 815a1b20 Cid 1b0.19c Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
814ea1e8 SynchronizationEvent
815a1c08 NotificationTimer
IRP List:
81513bc8: (0006,0190) Flags: 00000884 Mdl: 00000000
Not impersonating
Owning Process 815bf640
Wait Start TickCount 8923 Elapsed Ticks: 89
Context Switch Count 140
UserTime 0:00:00.0000
KernelTime 0:00:00.0046
Start Address 0x77e6b700
Win32 Start Address 0x7c3494f6
Stack Init be8d9000 Current be8d8638 Base be8d9000 Limit be8d6000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
be8d8650 8042c2ad 00000000 8164c694 815a1b20 nt!KiSwapThread+0xc5
be8d8678 80415082 814ea1e8 00000000 00000000 nt!KeWaitForSingleObject+0x1a1
be8d86b8 8041457c 8164c694 0064c694 be8d86d0 nt!ExpWaitForResource+0x1ac
be8d86c8 804145c1 be8d86ec 8041456d 8164c694 nt!ExpAcquireResourceExclusiveLite+0x64
be8d86d0 8041456d 8164c694 00000001 8164c290 nt!ExAcquireResourceExclusiveLite+0x37
be8d86ec 804145c1 be8d8780 bfeafa81 8164c694 nt!ExpAcquireResourceExclusiveLite+0x55
be8d86f4 bfeafa81 8164c694 81513d01 816284e8 nt!ExAcquireResourceExclusiveLite+0x37
be8d8704 bfeb1965 816284e8 8164c290 00000001 Ntfs!NtfsAcquireExclusiveVcb+0x1b
be8d8780 bfe9462d 816284e8 81513bc8 8164c1c0 Ntfs!NtfsCommonVolumeOpen+0xad
be8d882c 8041dded 8164c1c0 81513bc8 00000000 Ntfs!NtfsFsdCreate+0x14d
be8d8840 bff523ce 00000000 81513bc8 814e9e78 nt!IopfCallDriver+0x35
be8d8864 bff5de5f be8d8884 8164cde0 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20e
be8d88a0 8041dded 8164cde0 81513d34 81513bd8 fltmgr!FltpCreate+0x29d
be8d88b4 804bf978 804824e0 804beeba be8d8bb8 nt!IopfCallDriver+0x35
be8d8a44 80450893 81896030 00000000 be8d8afc nt!IopParseDevice+0xabe
be8d8abc 804d59a0 00000000 81881b00 00000040 nt!ObpLookupObjectName+0x4e7
be8d8bcc 8049f9f1 00000000 00000000 804da001 nt!ObOpenObjectByName+0xc8
be8d8ca8 8049f596 00dfec9c 80100080 00dfec38 nt!IopCreateFile+0x407
be8d8cf0 804a6fde 00dfec9c 80100080 00dfec38 nt!IoCreateFile+0x36
be8d8d30 80464f84 00dfec9c 80100080 00dfec38 nt!NtCreateFile+0x2e
be8d8d30 77f88283 00dfec9c 80100080 00dfec38 nt!KiSystemService+0xc4
00dfec94 00000000 00000000 00000000 00000000 NTDLL!NtCreateFile+0xb

I think the problem may be that I don't open the target file with SL_OPEN_TARGET_DIRECTORY.
I just use the file object (the one the FileDisposition was originally issued on) to call FltSetInformationFile for renaming.

Maybe that's the problem; I will test it.

As suggested before, please hook up a debugger and step through the
preoperation callback. That should give you an idea of what happens. No more
replies from me in this thread.

//Daniel


Daniel, you can test your rspundelex on Win2K: deadlock.
I want you to know your rspundelex is not stable on Win2K; it deadlocks too.
So the problem is not easy!

I have tested SL_OPEN_TARGET_DIRECTORY, but the result is the same.
I will trace the workflow in NTFS in asm; I want to know what happens.

> Threads: 81586020-01<*>

THREAD 81586020 Cid 2bc.2e8 Teb: 7ffde000 Win32Thread: e21c4ba8 WAIT:
(WrUserRequest) UserMode Non-Alertable
816131c0 SynchronizationEvent
Not impersonating
Owning Process 81555020
Wait Start TickCount 8749 Elapsed Ticks: 263
Context Switch Count 2376 LargeStack
UserTime 0:00:00.0015
KernelTime 0:00:00.0421
Start Address 0x77e6b70c
Win32 Start Address 0x01006420
Stack Init be38f000 Current be38ec20 Base be38f000 Limit be389000 Call 0
Priority 14 BasePriority 8 PriorityDecrement 4 DecrementCount 16

ChildEBP RetAddr Args to Child
be38ec38 8042c2ad 00000000 e21c4ba8 00000001 nt!KiSwapThread+0xc5
be38ec60 a00019c2 816131c0 0000000d 00000001 nt!KeWaitForSingleObject+0x1a1
be38ec9c a0000b72 000021ff 00000000 00000001 win32k!xxxSleepThread+0x18a
be38ece0 a007531d be38ed10 000021ff 00000000 win32k!xxxInternalGetMessage+0x36e
be38ed4c 80464f84 0006ff08 00000000 00000000 win32k!NtUserGetMessage+0x43
be38ed4c 77e21eb3 0006ff08 00000000 00000000 nt!KiSystemService+0xc4
0006fee4 00000000 00000000 00000000 00000000 +0x77e21eb3

This really looks like a w2k bug. How can the resource lock be held by the thread which just called into win32k from user mode?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com