Need Information on FILE_SHARE_VALID_FLAGS

When we look at directory enumeration in WinXP and Win7, the directory enumeration uses different flags.

My First Question :

  1. The call to ZwOpenFile has a different value for SharedAccess: in Win-7, during directory enumeration, it uses SharedAccess=7, whereas in WinXP it uses SharedAccess=3.

When I looked at wdm.h I found that
#define FILE_SHARE_VALID_FLAGS 0x00000007

But I am not sure when to use this flag or what its purpose is.

Can anyone please let me know about this flag?

My Second Question :

Whenever cmd.exe executes FindFirstFileEx, dwAdditionalFlags = 2, which is a new flag in Win7. None of the documentation on the net, or in this forum, points to this new flag.

Can anyone please let me know what this flag is ?

HANDLE WINAPI FindFirstFileEx(
  __in       LPCTSTR            lpFileName,         /* c.:..t.e.s.t.. */
  __in       FINDEX_INFO_LEVELS fInfoLevelId,       /* 00000001 */
  __out      LPVOID             lpFindFileData,     /* 00314cbc */
  __in       FINDEX_SEARCH_OPS  fSearchOp,          /* 00000000 */
  __reserved LPVOID             lpSearchFilter,     /* 00000000 */
  __in       DWORD              dwAdditionalFlags   /* 00000002  This is new in Win-7 */
);

NTSTATUS ZwOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
);

f681ba70 805776f2 nt!IopfCallDriver+0x31
f681bb50 805b3996 nt!IopParseDevice+0xa12
f681bbd8 805afe77 nt!ObpLookupObjectName+0x56a
f681bc2c 8056a431 nt!ObOpenObjectByName+0xeb
f681bca8 8056ada8 nt!IopCreateFile+0x407
f681bd04 8056e58f nt!IoCreateFile+0x8e
f681bd44 8053ca48 nt!NtOpenFile+0x27

In XP the ShareAccess is 3 and in Win-7 it's 7; this is also one of the major differences found, and the flag values can be found in wdm.h.
The value of the shared access is:

0:000> dc esp
0028e014 0028e084 00100001 0028e038 0028e050 …(…8.(.P.(.
0028e024 00000007 00004021 00344c40 00349c60 …!@…@L4.`.4.   <- 00000007 SHARED_ACCESS_FLAG
0028e034 00000000 00000018 00000000 0028e08c …(.
0028e044 00000040 00000000 00000000 00000000 @…
0028e054 00000000 00000000 00000000 00000000 …
0028e064 00000000 00344c44 00140012 0028e3ac …DL4…(.
0028e074 00000000 003584c8 00020002 003584e0 …5…5.
0028e084 00000000 00000000 00180018 003584c8 …5.

There are three things you can define in sharing: read, write and
delete. These are represented as flags - 0x1, 0x2, 0x4. The value of
all three combined is 0x7. Hence, if other bits are used, they are
ignored because they are not considered to be valid flags.

Tony
OSR

Thanks Tony for the information,

Can anyone help me with my Question 2?


From: Tony Mason
To: Windows File Systems Devs Interest List
Sent: Wednesday, March 4, 2009 12:12:34 PM
Subject: RE: [ntfsd] Need Information on FILE_SHARE_VALID_FLAGS


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

dwAdditionalFlags = 2 is FIND_FIRST_EX_LARGE_FETCH and it indicates that the caller wants to use a larger buffer for directory queries.

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

Hi Alexandru,

Thank you very much for the information. MSDN has documented only one flag; it looks like a new flag in Win-7.

Can you point me to information where I can find out what has to be done when my filter driver gets this call?

This call is coming from cmd!FindFirstNt, during directory enumeration.

From: Alexandru Carp
To: Windows File Systems Devs Interest List
Sent: Wednesday, March 4, 2009 10:28:16 PM
Subject: RE: [ntfsd] Need Information on FILE_SHARE_VALID_FLAGS


Could you please tell me where exactly you see this in your minifilter? Which IRP?

Thanks,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

Hi Alexandru,

In Win-7, the dir command calls cmd!FindFirstNt, which calls FindFirstFileEx, which in turn opens a file handle for the directory with NtOpenFile, and the last parameter of this NtOpenFile call is dwAdditionalFlags, which is 2.

I am seeing this in my IRP_MJ_CREATE and I have also seen it in my Disposition IRP.


From: Alexandru Carp
To: Windows File Systems Devs Interest List
Sent: Thursday, March 5, 2009 9:21:21 PM
Subject: RE: [ntfsd] Need Information on FILE_SHARE_VALID_FLAGS


Actually, the last parameter in NtOpenFile is OpenOptions and has nothing to do with dwAdditionalFlags. You should not see this flag in an IRP at all as it is consumed inside FindFirstFileExW and not passed to the file system. As far as I can tell one would only see this flag if one was hooking FindFirstFileExW…

So could you please paste the Iopb.Parameters for these operations? I’d like to understand why you see them in the IO path.

At the moment there is no documentation about what needs to be done when you see this flag because, as I said, you should never see it…

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.
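
The two values discussed in this thread (ShareAccess 3 versus 7, and dwAdditionalFlags = 2) decoded bit by bit, as an added example that is not part of any poster's message. The constants carry the Windows header values but are redefined locally; `FIND_FIRST_EX_CASE_SENSITIVE` is not mentioned in the thread, and the helper `decode_flags`, the table names and the 0xF sample are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Header values, redefined here so the example builds without the WDK/SDK. */
#define FILE_SHARE_READ              0x00000001u
#define FILE_SHARE_WRITE             0x00000002u
#define FILE_SHARE_DELETE            0x00000004u
#define FILE_SHARE_VALID_FLAGS       0x00000007u
#define FIND_FIRST_EX_CASE_SENSITIVE 0x00000001u
#define FIND_FIRST_EX_LARGE_FETCH    0x00000002u

struct flag_name { unsigned bit; const char *name; };
const struct flag_name share_names[] = {
    { FILE_SHARE_READ,   "FILE_SHARE_READ"   },
    { FILE_SHARE_WRITE,  "FILE_SHARE_WRITE"  },
    { FILE_SHARE_DELETE, "FILE_SHARE_DELETE" },
};
const struct flag_name find_names[] = {
    { FIND_FIRST_EX_CASE_SENSITIVE, "FIND_FIRST_EX_CASE_SENSITIVE" },
    { FIND_FIRST_EX_LARGE_FETCH,    "FIND_FIRST_EX_LARGE_FETCH"    },
};

/* Hypothetical helper: writes the names of the set bits, joined by '|', into
   out and returns the bits of v that the table does not name. */
unsigned decode_flags(unsigned v, const struct flag_name *t, size_t n,
                      char *out, size_t cap)
{
    unsigned unknown = v;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!(v & t[i].bit)) continue;
        if (out[0]) strncat(out, "|", cap - strlen(out) - 1);
        strncat(out, t[i].name, cap - strlen(out) - 1);
        unknown &= ~t[i].bit;
    }
    return unknown;
}

int main(void)
{
    const unsigned samples[] = { 0x3, 0x7, 0xF }; /* XP, Win-7, constructed */
    char buf[96];
    for (size_t i = 0; i < 3; i++) {
        decode_flags(samples[i], share_names, 3, buf, sizeof buf);
        printf("ShareAccess=0x%X: %s, outside valid mask: 0x%X\n",
               samples[i], buf, samples[i] & ~FILE_SHARE_VALID_FLAGS);
    }
    decode_flags(0x2, find_names, 2, buf, sizeof buf); /* cmd.exe's value */
    printf("dwAdditionalFlags=0x2: %s\n", buf);
    return 0;
}
```

The only difference between the XP and Win-7 ShareAccess values is the added FILE_SHARE_DELETE bit.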