Problem in IRP_MJ_CLOSE with FO_DELETE_ON_CLOSE

Hello,
I’m trying to catch the deletion of files through IRP_MJ_CLOSE.
I do this by checking the DeletePending flag in irpSp->FileObject.
The problem is that there are files that are created with the
FILE_FLAG_DELETE_ON_CLOSE, that don’t have the DeletePending flag set.
So I tried to check like this if a file is about to be deleted:
if( ( irpSp->FileObject->DeletePending ) || ( irpSp->FileObject->Flags &
FO_DELETE_ON_CLOSE ) )
{
//file about to be deleted
}

I made a test app, created a file with FILE_FLAG_DELETE_ON_CLOSE, but
the corresponding FO_DELETE_ON_CLOSE flag is not set in
irpSp->FileObject->Flags.

Can somebody explain how can I catch files created with the
FILE_FLAG_DELETE_ON_CLOSE flag?

This is a better discussion for NTFSD. Tracking file deletion comes up all
the time though (it’s harder than one would think), so you’re probably best
advised to start with the archives. Here’s a good thread to begin with:

http://www.osronline.com/showThread.cfm?link=142365

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Marian” wrote in message news:xxxxx@ntdev…
> Hello,
> I’m trying to catch the deletion of files through IRP_MJ_CLOSE.
> I do this by checking the DeletePending flag in irpSp->FileObject.
> The problem is that there are files that are created with the
> FILE_FLAG_DELETE_ON_CLOSE, that don’t have the DeletePending flag set.
> So I tried to check like this if a file is about to be deleted:
> if( ( irpSp->FileObject->DeletePending ) || ( irpSp->FileObject->Flags &
> FO_DELETE_ON_CLOSE ) )
> {
> //file about to be deleted
> }
>
> I made a test app, created a file with FILE_FLAG_DELETE_ON_CLOSE, but the
> corresponding FO_DELETE_ON_CLOSE flag is not set in
> irpSp->FileObject->Flags.
>
> Can somebody explain how can I catch files created with the
> FILE_FLAG_DELETE_ON_CLOSE flag?
>

Wrong group, try ntfsd

d

Sent from my phone with no t9, all spilling mistakes are not intentional.

-----Original Message-----
From: Marian
Sent: Tuesday, October 27, 2009 6:30 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem in IRP_MJ_CLOSE with FO_DELETE_ON_CLOSE

Hello,
I’m trying to catch the deletion of files through IRP_MJ_CLOSE.
I do this by checking the DeletePending flag in irpSp->FileObject.
The problem is that there are files that are created with the
FILE_FLAG_DELETE_ON_CLOSE, that don’t have the DeletePending flag set.
So I tried to check like this if a file is about to be deleted:
if( ( irpSp->FileObject->DeletePending ) || ( irpSp->FileObject->Flags &
FO_DELETE_ON_CLOSE ) )
{
//file about to be deleted
}

I made a test app, created a file with FILE_FLAG_DELETE_ON_CLOSE, but
the corresponding FO_DELETE_ON_CLOSE flag is not set in
irpSp->FileObject->Flags.

Can somebody explain how can I catch files created with the
FILE_FLAG_DELETE_ON_CLOSE flag?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer