Hi there,
I am trying to encrypt/decrypt page files in my file system filter driver. I made the driver bootable and am using SL_OPEN_PAGING_FILE flag to filter create/open IRP for page file.
The problem is that I am unable to intercept any call to create/open the page file. I have printed IoStackLocation->Flags for all the calls, and all of them are either 0 or 1, which means that none of the files opened are page files.
When the system is started the page file is there, which means that I wasn’t able to intercept create/open calls for page files. I read on the list that sometimes the page files are not opened as page files. Does this mean that the flag (SL_OPEN_PAGING_FILE) is not present in open/create calls?
Is the load order of my filter important for intercepting create/open requests for page files?
What is a good way to intercept create/open call to page files?
I am using Windows XP SP2 and also using OSR FDDK.
Feedback would be greatly appreciated.
Thanks
Suhail Ansari
Hi,
The pagefile is opened with no share access very early on at boot time; I suspect your driver is not loaded and would be denied access anyway. Also, if your filter code contains pageable code/data, it could yield some obvious problems. I would suggest revisiting the design and moving the encryption to another level (low level disk layer).
J.
“Suhail Ansari” wrote in message news:xxxxx@ntfsd…
Hi there,
…
Files such as pagefile.sys are ‘special’ and should not be encrypted. I know of only one way that will work and that is to use something like Seagate’s FDE drives. If a system crashes, memory is written out to the page file and on the next boot it is renamed to a dump file and a new page file is created. Attempts to encrypt it will only frustrate this normal behavior. I do believe SafeBoot provides this capability and BitLocker in Vista Ultimate & Enterprise may also provide it, but they both do it at the storage level and not the filesystem level.