Problem with drive letters for dynamic disks

Hi,

In my filter driver, I do the following:

  • call ObQueryNameString on lpFileObject->DeviceObject to get
    the name of the volume where the file resides.
  • for all drive letters:
      • Call ZwOpenSymbolicLinkObject
      • Call ZwQuerySymbolicLinkObject
      • Compare the name with the name I got for
        lpFileObject->DeviceObject
    (This happens in all dispatch routines, until I get the letter,
    or find that it’s a network volume)

On Basic disks this works, and I successfully compare the names.

For Dynamic disks, however, I get
“Device\HarddiskDmVolumes\AlfaDgD\Volume%d” via Zw?SymLink path, and I
always get “\Device\HarddiskDmVolumes\Ph” from the
lpFileObject->DeviceObject.
Anyone know what I’m doing wrong?

Is there another way to get drive letters for a file object’s
device object since the filter attaches via
IoRegisterFsRegistrationChange ?


Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa Registry Monitor - Registry monitoring library for Win32
developers.
Alfa Registry Protector - Registry protection library for Win32
developers.



Dejan,

I looked at the system I have here with dynamic volumes. The name you get
from that ZwQuery (for a dynamic volume) points to ANOTHER symbolic link.
So, the gist of it is that dmio.sys is using a more complex naming scheme,
with multiple symbolic links.

Of course, that’s the risk with ANY heuristic algorithm in this space -
there’s nothing that stops someone clever from coming along and finding a
mechanism for doing its work in a compatible fashion, but different enough
that it breaks your heuristic.

You may find that working with the mount manager is preferable to using your
own heuristic, as well.

Of course, one of these days I’ll finish up my article on the mount manager
for The NT Insider, too!

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

See the new NTFSD FAQ on the OSR Web Site!

-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Wednesday, January 30, 2002 4:15 PM
To: File Systems Developers
Subject: [ntfsd] Problem with drive letters for dynamic disks

Hi,

In my filter driver, I do the following:

  • call ObQueryNameString on lpFileObject->DeviceObject to get
    the name of the volume where the file resides.
  • for all drive letters:
      • Call ZwOpenSymbolicLinkObject
      • Call ZwQuerySymbolicLinkObject
      • Compare the name with the name I got for
        lpFileObject->DeviceObject
    (This happens in all dispatch routines, until I get the letter,
    or find that it’s a network volume)

On Basic disks this works, and I successfully compare the names.

For Dynamic disks, however, I get
“Device\HarddiskDmVolumes\AlfaDgD\Volume%d” via Zw?SymLink path, and I
always get “\Device\HarddiskDmVolumes\Ph” from the
lpFileObject->DeviceObject.
Anyone know what I’m doing wrong?

Is there another way to get drive letters for a file object’s
device object since the filter attaches via
IoRegisterFsRegistrationChange ?


Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa Registry Monitor - Registry monitoring library for Win32
developers.
Alfa Registry Protector - Registry protection library for Win32
developers.



Tony,

> I looked at the system I have here with dynamic volumes. The name you get
> from that ZwQuery (for a dynamic volume) points to ANOTHER symbolic link. So,
> the gist of it is that dmio.sys is using a more complex naming scheme, with
> multiple symbolic links.

Interesting :-)

> You may find that working with the mount manager is preferable to using your
> own heuristic, as well.
>
> Of course, one of these days I’ll finish up my article on the mount manager
> for The NT Insider, too!

I’m looking forward to it!

BTW, I solved my problem with direct instead of reverse lookup (if ZwLink
idea fails, go the old fashioned way of opening the drive link directly and
match the device object)


Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa Registry Monitor - Registry monitoring library for Win32 developers.
Alfa Registry Protector - Registry protection library for Win32 developers.
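
Added example, not part of any message in this thread: a user-mode C model of the lookup discussed above, showing why comparing after a single symbolic-link query matches on a basic disk but fails when the drive letter's target is itself a link, as Tony describes for dynamic volumes. The namespace table, every name in it, and the helpers query_link, resolve and letter_for_device are constructed for illustration; query_link stands in for the ZwOpenSymbolicLinkObject/ZwQuerySymbolicLinkObject pair.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the object manager namespace (all names are
   made up): each entry is a symbolic link and the string it points to. */
struct symlink { const char *name, *target; };
static const struct symlink links[] = {
    { "\\??\\C:", "\\Device\\ExampleBasicVolume1" },        /* basic disk: one hop */
    { "\\??\\E:", "\\Device\\ExampleDm\\Group\\Volume1" },  /* dynamic: link to a link */
    { "\\Device\\ExampleDm\\Group\\Volume1", "\\Device\\ExampleDm\\Final1" },
    { "\\??\\L:", "\\??\\L:" },                             /* malformed: loops */
};

/* Models ZwOpenSymbolicLinkObject + ZwQuerySymbolicLinkObject:
   returns the link target, or NULL when `name` is not a symbolic link. */
static const char *query_link(const char *name) {
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++)
        if (strcmp(links[i].name, name) == 0) return links[i].target;
    return NULL;
}

/* Follows a link for at most max_hops queries. Returns the final non-link
   name, or NULL if `name` is no link or the chain is still unresolved. */
const char *resolve(const char *name, int max_hops) {
    const char *cur = query_link(name);
    for (int hop = 1; cur && hop < max_hops; hop++) {
        const char *next = query_link(cur);
        if (!next) return cur;      /* reached a real device name */
        cur = next;
    }
    return (cur && !query_link(cur)) ? cur : NULL;
}

/* Reverse lookup: which drive letter resolves to `device`? 0 if none. */
char letter_for_device(const char *device, int max_hops) {
    char link[] = "\\??\\A:";
    for (char c = 'A'; c <= 'Z'; c++) {
        link[4] = c;
        const char *t = resolve(link, max_hops);
        if (t && strcmp(t, device) == 0) return c;
    }
    return 0;
}

int main(void) {
    const char *dyn = "\\Device\\ExampleDm\\Final1";
    printf("one query:  %d\n", letter_for_device(dyn, 1));
    printf("full chain: %c\n", letter_for_device(dyn, 8));
    return 0;
}
```

The hop limit keeps a looping or unusually deep chain from stalling a dispatch routine; an unresolved chain is treated as "no letter found".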



Use MountPointManager. It was made specially for dynamic disks (though it
works for usual ones). See WinXP DDK (or DDK online on http://www.osr.com)
or mountdev.h/mountmgr.h in Win2k DDK. It works fine!

Alexey Logachyov
xxxxx@vba.com.by
VirusBlokAda ltd.
http://www.vba.com.by

----- Original Message -----
From: “Dejan Maksimovic”
To: “File Systems Developers”
Sent: Wednesday, January 30, 2002 11:15 PM
Subject: [ntfsd] Problem with drive letters for dynamic disks

>
> Hi,
>
> In my filter driver, I do the following:
> - call ObQueryNameString on lpFileObject->DeviceObject to get
> the name of the volume where the file resides.
> - for all drive letters:
> - Call ZwOpenSymbolicLinkObject
> - Call ZwQuerySymbolicLinkObject
> - Compare the name with the name I got for
> lpFileObject->DeviceObject
> (This happens in all dispatch routines, until I get the letter,
> or find that it’s a network volume)
>
> On Basic disks this works, and I successfully compare the names.
>
> For Dynamic disks, however, I get
> “Device\HarddiskDmVolumes\AlfaDgD\Volume%d” via Zw?SymLink path, and I
> always get “\Device\HarddiskDmVolumes\Ph” from the
> lpFileObject->DeviceObject.
> Anyone know what I’m doing wrong?
>
> Is there another way to get drive letters for a file object’s
> device object since the filter attaches via
> IoRegisterFsRegistrationChange ?
>
> –
> Kind regards, Dejan M. www.alfasp.com
> E-mail: xxxxx@alfasp.com ICQ#: 56570367
> Alfa File Monitor - File monitoring library for Win32 developers.
> Alfa File Protector - File protection and hiding library for Win32
> developers.
> Alfa Registry Monitor - Registry monitoring library for Win32
> developers.
> Alfa Registry Protector - Registry protection library for Win32
> developers.

