Hi Folks,
I’m writing a classic cross-volume file system mini-filter driver that redirects all I/O requests from one volume (C:) to another (say, X:). I achieve this by using the famous reparse approach, i.e.:
// Change filename in Data->Iopb->TargetFileObject using IoReplaceFileObjectName
// So e.g. replacing L"\??\Volume{dd9d0273-0000-0000-0000-602200000000}\Users\Admin" with L"\??\Volume{e53ce0d4-0000-0000-0000-100000000000}\Users\Admin"
Data->IoStatus.Information = IO_REPARSE;
Data->IoStatus.Status = STATUS_REPARSE;
Data->Iopb->TargetFileObject->RelatedFileObject = NULL;
FltSetCallbackDataDirty(Data);
return FLT_PREOP_COMPLETE;
This seems to be working fine until I launch Microsoft Edge. The browser gets launched, but it fails to load home page contents, suggestions, etc.
After putting in long debugging / investigation hours, here’s what I see in Procmon:
MicrosoftEdgeCP.exe (FAILURE LOGS)
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdge.exe (SUCCESS LOGS)
MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Disallow Exclusive, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Superseded
MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Disallow Exclusive, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
MicrosoftEdge.exe CloseFile X:\Users\Admin SUCCESS
MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Superseded
MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
MicrosoftEdge.exe CloseFile X:\Users\Admin SUCCESS
In Procmon, there’s simply no entry corresponding to IRP_MJ_CREATE for X:\Users\Admin for EdgeCP.exe, whereas that’s not the case with Edge.exe.
It’s literally like the IO manager / object manager has not re-issued a new IRP_MJ_CREATE for the new filename.
So what are those mysterious circumstances during which the IO manager / object manager decides to do this?
Thanks
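
The comparison described in the post can be run mechanically over a Procmon export. The following is an added example, not part of the original post: it finds REPARSE creates that the same process never follows with a create on the target volume, then lists which create parameters differ from a request that was re-issued. The function names, the line layout (as pasted above, paths without spaces) and the trimmed sample lines are assumptions.

```python
import re

# Constructed sample in the layout pasted in the post:
# process, operation, path, result, detail (paths assumed to contain no spaces).
SAMPLE = r"""
MicrosoftEdgeCP.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded
MicrosoftEdge.exe CreateFile C:\Users\Admin REPARSE Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Disallow Exclusive, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Superseded
MicrosoftEdge.exe CreateFile X:\Users\Admin SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Disallow Exclusive, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
MicrosoftEdge.exe CloseFile X:\Users\Admin SUCCESS
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
# Split the detail column only at ", " that starts a new "Key: " field,
# so multi-valued fields such as "ShareMode: Read, Write" stay together.
FIELD_SPLIT = re.compile(r", (?=[A-Z][A-Za-z ]*: )")

def parse(text):
    """Yield one dict per event; 'fields' maps detail key -> set of values."""
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        proc, op, path, result, detail = m.groups()
        fields = {}
        for part in FIELD_SPLIT.split(detail or ""):
            if ": " in part:
                key, value = part.split(": ", 1)
                fields[key] = set(value.split(", "))
        yield {"proc": proc, "op": op, "path": path, "result": result, "fields": fields}

def orphaned_reparses(events, src="C:", dst="X:"):
    """REPARSE creates on src with no later create by the same process on dst."""
    events = list(events)
    orphans = []
    for i, ev in enumerate(events):
        if (ev["op"], ev["result"]) != ("CreateFile", "REPARSE") or not ev["path"].startswith(src):
            continue
        target = (dst + ev["path"][len(src):]).lower()
        if not any(e["proc"] == ev["proc"] and e["op"] == "CreateFile"
                   and e["path"].lower() == target for e in events[i + 1:]):
            orphans.append(ev)
    return orphans

def field_diff(a, b):
    """Per detail field, the values present in create a but absent from create b."""
    diff = {k: v - b["fields"].get(k, set()) for k, v in a["fields"].items()}
    return {k: v for k, v in diff.items() if v}
```

On the sample, the only orphaned reparse is the MicrosoftEdgeCP.exe one, and it differs from the re-issued MicrosoftEdge.exe request in desired access, disposition, the Directory option and allocation size.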