Hi Folks !
I am having an issue that might have been discussed long before but I
can’t seem to find it in the old posts.
I am writing a FSD (part of a pseudo file system) that calls
ZwCreateFile to open a file from the local disk when it gets an
IRP_MJ_CREATE. If Notepad is the application that sends the create irp
and while processing the irp if I call ZwCreateFile, then I don’t see
IRP_MJ_Reads from Notepad, but the file opens up with it’s encrypted
contents. I need those IRP_MJ_Reads so that I can decrypt the file. I
know that notepad uses memory mapped files which could be the reason
don’t see the irp_mj_reads. Is there anything I can do to get the
IRP_MJ_Reads from Notepad ?
I have tried specifying FILE_NO_INTERMEDIATE_BUFFERING in ZwCreateFile
but that didn’t make the difference. Please send me some suggestions or
point me in the right direction. I absolutely need to understand what’s
going on here.
Here are some specifics :
ZwCreateFile (&cache, FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
&attr, &iosb, 0, FILE_ATTRIBUTE_HIDDEN, FILE_SHARE_READ |
FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN_IF, options |
FILE_WRITE_THROUGH | FILE_SYNCHRONOUS_IO_ALERT, NULL, 0);
Thanks.
Amitabh Mathrawala | xxxxx@viack.com | 425 605 7483
Notepad uses memory-mapped files. So, monitor the noncached reads.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Amitabh Mathrawala”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, April 19, 2005 10:18 PM
Subject: [ntfsd] No IRP_MJ_READ if I use ZwCreateFile
Hi Folks !
I am having an issue that might have been discussed long before but I
can’t seem to find it in the old posts.
I am writing a FSD (part of a pseudo file system) that calls
ZwCreateFile to open a file from the local disk when it gets an
IRP_MJ_CREATE. If Notepad is the application that sends the create irp
and while processing the irp if I call ZwCreateFile, then I don’t see
IRP_MJ_Reads from Notepad, but the file opens up with it’s encrypted
contents. I need those IRP_MJ_Reads so that I can decrypt the file. I
know that notepad uses memory mapped files which could be the reason
don’t see the irp_mj_reads. Is there anything I can do to get the
IRP_MJ_Reads from Notepad ?
I have tried specifying FILE_NO_INTERMEDIATE_BUFFERING in ZwCreateFile
but that didn’t make the difference. Please send me some suggestions or
point me in the right direction. I absolutely need to understand what’s
going on here.
Here are some specifics :
ZwCreateFile (&cache, FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
&attr, &iosb, 0, FILE_ATTRIBUTE_HIDDEN, FILE_SHARE_READ |
FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_OPEN_IF, options |
FILE_WRITE_THROUGH | FILE_SYNCHRONOUS_IO_ALERT, NULL, 0);
Thanks.
Amitabh Mathrawala | xxxxx@viack.com | 425 605 7483
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
> I am having an issue that might have been discussed long before but I
can’t seem to find it in the old posts.
Yes, you’re right
The reason why you don’t see anything is because the file
is already in the cache. You will not see reads because
when the file is memory mapped by notepad, the pages
are already loaded and it is not necessary to read them again.
So you have to attach to the local volume in the moment
of volume mount, then you can watch for the file open and
read.
L.