Mounting a shadow volume

Hello guys.

I’m trying to mount a shadow Virtual Volume by using the non-PnP IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION to let the mount manager know a new volume has arrived.

I tried mounting the volume over an existing virtual volume, so they’d have the same starting/end offsets and Physical target device to write to.

I’ve implemented all of the REQUIRED mount manager client IOCTL responses and just about every other IOCTL I received during debug.

I got IOCTL_VOLUME_GET_GPT_ATTRIBUTES,
IOCTL_DISK_GET_PARTITION_INFO_EX,
IOCTL_MOUNTMGR_QUERY_POINTS,
IOCTL_MOUNTDEV_QUERY_DEVICE_NAME,
IOCTL_MOUNTDEV_QUERY_UNIQUE_ID,
IOCTL_MOUNTDEV_QUERY_STABLE_GUID,
IOCTL_MOUNTDEV_QUERY_SUGGESTED_LINK_NAME,
IOCTL_MOUNTDEV_LINK_CREATED,
IOCTL_VOLUME_ONLINE,
IOCTL_MOUNTDEV_UNIQUE_ID_CHANGE_NOTIFY,
IOCTL_DISK_GET_DRIVE_GEOMETRY,
IOCTL_DISK_IS_WRITABLE,
IOCTL_DISK_GET_LENGTH_INFO
all to which I answer, more or less (either answer STATUS_SUCCESS or pass down).

I started getting read/write requests for the beginning of my virtual volume and then some random read requests I couldn’t make out (their destination was somewhere in the middle of my volume).

Sometime along the way I received a FT_BALANCED_READ_MODE IOCTL, which I think means the FS realized I was mounted over some other existing Volume (I mounted my volume over an existing NTFS partition and over an existing FAT partition and there were some minor changes, but nothing seems to work).

I can see that the Mount manager created a symbolic link to my volume, but I can’t access it through the explorer.

I believe that some upper FS driver reads data from the physical disk, finds out that there is already a mounted device over it and ignores my volume.

The entire issue is very poorly documented and I couldn’t find anything similar online.

Have you ever dealt with this issue?

Thanks a bunch,
Ariel

Set breakpoints in the NTFS’s or FAT’s mount path and look at how and when
it will fail.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Hi Maxim.

How could I do that?
I couldn’t find any documentation on how the mounting process actually works.
The only way I can think of is to RE the mount manager, which is a ball game I prefer not to play…
Ariel

See IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER (possibly among others). It’s
pretty easy.

Good luck,

mm

Hi.

One other fun fact - I’ve found that the Mount manager created a symbolic link to my volume’s GUID, and it appears when I use WinObj. The link seems fine.

In response to mm’s post -
I tried using IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER, I received the next free drive letter, which was ‘F’, but the letter wasn’t assigned (according to the MOUNTMGR_DRIVE_LETTER_INFORMATION I got back from the call to the mount manager).
As I said earlier, I don’t think it’s a simple problem of mismatched drive letters, but something deeper (and more malevolent… :( ).
In either case, there is no ‘F’ drive in the explorer (although, as I mentioned above, ‘F:’ is a symbolic link to my volume’s MOUNTMGR_TARGET_NAME as I defined it when I called the mount manager using IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION).

Any ideas?

Ariel

On the plus side, I don’t receive FT_BALANCED_READ_MODE anymore, and when I tried copying a file from the user space from C:\temt.txt to F:\temp.txt the operation supposedly succeeded.

I still can’t access ‘F:’ from the explorer.
Ariel