Hi,
Does anyone know in what order NTFS detects if a file can be opened for
writing? As far as I understand, there are two things which need to be
considered:
- share access and desired access (currently desired as well as the one
currently active on the file depending on who has opened it)
- It needs to check if the file has any mapped views.
What does NTFS do? 1 followed by 2 or the reverse?
I was thinking that checks for 1 would rely on the share access + desired
access fields in the fobj and the FCB, and 2 would rely on the SOP.
I am experimenting with some stuff in my filter driver where I replace the
SOP of a file object. However, this is screwing up the share access checks
(1). Any ideas why?
To give more perspective, when Windows opens a file for execution it opens
the file with FILE_SHARE_READ | FILE_SHARE_DELETE, so delete on a file which
is currently executing should be passed by check 1 and failed by check 2.
However an attempt to write to a file which is executing should be kicked by
1 and 2 both, depending on which is done first. However, when I muck around
with the SOP, I can successfully open a file for writing even when it is
being executed. Why does this happen?
I tried putting a breakpoint on IoCheckShareAccess(), but it doesn’t seem
like NTFS calls that function in this case.
Thanks