Question about IRP_MJ_CREATE

OSR_Community_User · June 30, 2003, 3:50am

Hi All,

I am developing a FSFD based filespy sample.I want system to popup verify
dialog before user want to open the attached volume(C:,D:,ie…),so I have
to interrupt IRP_MJ_CREATE in FS filter driver.

First,The FSFD notify USERMODE App when user want to open C:.
Second, USERMODE App call DeviceIoControl with the IOCTL that my private
defined IOCTL(FILESPY_SetOk)if USERMODE App allow user to open C:.

By DbgView,I find a strange instance that IO Manager will send
IRP_MJ_CREATE to My FSFD seven times.Why seven times?PLS help me!

regards.

sailing_an

Brian_Hutchison · June 30, 2003, 9:57am

Anti-Virus programs often open a file multiple times for each time an
application process opens the file. Are you running an anti-virus
program?
If so, disable the file system filter of the virus program to eliminate
the
extra opens. But ultimately you will need to handle this sort of
situation if you want to interoperate with the anti-virus software.

Brian

Hi All,

I am developing a FSFD based filespy sample.I want system to popup verify
dialog before user want to open the attached volume(C:,D:,ie…),so I have
to interrupt IRP_MJ_CREATE in FS filter driver.

First,The FSFD notify USERMODE App when user want to open C:.
Second, USERMODE App call DeviceIoControl with the IOCTL that my private
defined IOCTL(FILESPY_SetOk)if USERMODE App allow user to open C:.

By DbgView,I find a strange instance that IO Manager will send
IRP_MJ_CREATE to My FSFD seven times.Why seven times?PLS help me!

regards.

sailing_an

OSR_Community_User · July 1, 2003, 3:18am

Hi Brian,

Thank you for your reply!
I am running an anti-virus program.However,Io Manager still send
IRP_MJ_CREATE multiple times after I disabled anti-virus program!

I runned filemon to monitor irp.
///////////////////////////////////////////////////
when I single click driver letter D:,filemon output:

189809 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021
189810 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS FileFsQuotaSetInformation

189811 IRP_MJ_CLEANUP D:\ SUCCESS
189812 IRP_MJ_CLOSE D:\ SUCCESS
189813 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189814 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189815 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000
189816 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189817 IRP_MJ_CLEANUP D:\ SUCCESS
189818 IRP_MJ_CLOSE D:\ SUCCESS
189819 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021
189820 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS FileFsQuotaSetInformation

189821 IRP_MJ_CLEANUP D:\ SUCCESS
189822 IRP_MJ_CLOSE D:\ SUCCESS

//////////////////////////////////////////////////////////////
when I double click driver letter d: to open D:,filemon output:

189656 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021
189657 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS FileFsQuotaSetInformation

189658 IRP_MJ_CLEANUP D:\ SUCCESS
189659 IRP_MJ_CLOSE D:\ SUCCESS
189660 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189661 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189662 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000
189663 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189664 IRP_MJ_CLEANUP D:\ SUCCESS
189665 IRP_MJ_CLOSE D:\ SUCCESS
189666 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021
189667 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS FileFsQuotaSetInformation

189668 IRP_MJ_CLEANUP D:\ SUCCESS
189669 IRP_MJ_CLOSE D:\ SUCCESS
189670 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000
189671 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189672 IRP_MJ_CLEANUP D:\ SUCCESS
189673 IRP_MJ_CLOSE D:\ SUCCESS
189674 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000
189675 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189676 IRP_MJ_CLEANUP D:\ SUCCESS
189677 IRP_MJ_CLOSE D:\ SUCCESS
189678 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000
189679 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189680 IRP_MJ_CLEANUP D:\ SUCCESS
189681 IRP_MJ_CLOSE D:\ SUCCESS
189682 IRP_MJ_CREATE D:\desktop.ini FILE NOT FOUND Attributes:0000
Options:01200000
189683 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01000021
189684 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
189685 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
…

.

Which IRP_MJ_CREATE should I interrupt?

regards,

sailing_an

Anti-Virus programs often open a file multiple times for each time an
application process opens the file. Are you running an anti-virus
program?
If so, disable the file system filter of the virus program to eliminate
the
extra opens. But ultimately you will need to handle this sort of
situation if you want to interoperate with the anti-virus software.

Brian
> Hi All,
>
> I am developing a FSFD based filespy sample.I want system to popup verify
> dialog before user want to open the attached volume(C:,D:,ie…),so I have
> to interrupt IRP_MJ_CREATE in FS filter driver.
>
> First,The FSFD notify USERMODE App when user want to open C:.
> Second, USERMODE App call DeviceIoControl with the IOCTL that my private
> defined IOCTL(FILESPY_SetOk)if USERMODE App allow user to open C:.
>
> By DbgView,I find a strange instance that IO Manager will send
> IRP_MJ_CREATE to My FSFD seven times.Why seven times?PLS help me!
>
> regards.
>
> sailing_an

OSR_Community_User · July 1, 2003, 3:31am

Explorer is a complex beast, and applications like Microsoft Word are
even more so. You may see dozens, if not hundreds, of creates generated
as a result of a seemingly simple operation like clicking on a volume in
Explorer or opening a document. You just have to design for this (e.g.
only handle the first create, then cache the knowledge that you did see
this create for five minutes or so in a hash table keyed by pathname).

Nick Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of beginner_an
Sent: Tuesday, July 01, 2003 12:18 AM
To: File Systems Developers
Subject: [ntfsd] Re: Question about IRP_MJ_CREATE

Hi Brian,

Thank you for your reply!
I am running an anti-virus program.However,Io Manager still
send IRP_MJ_CREATE multiple times after I disabled anti-virus program!

I runned filemon to monitor irp.
///////////////////////////////////////////////////
when I single click driver letter D:,filemon output:

189809 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01800021
189810 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189811 IRP_MJ_CLEANUP D:\ SUCCESS
189812 IRP_MJ_CLOSE D:\ SUCCESS
189813 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
Attributes:0000
Options:01000060
189814 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
Attributes:0000
Options:01000060
189815 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01200000
189816 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189817 IRP_MJ_CLEANUP D:\ SUCCESS
189818 IRP_MJ_CLOSE D:\ SUCCESS
189819 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01800021
189820 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189821 IRP_MJ_CLEANUP D:\ SUCCESS
189822 IRP_MJ_CLOSE D:\ SUCCESS

//////////////////////////////////////////////////////////////
when I double click driver letter d: to open D:,filemon output:

189656 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01800021
189657 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189658 IRP_MJ_CLEANUP D:\ SUCCESS
189659 IRP_MJ_CLOSE D:\ SUCCESS
189660 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
Attributes:0000
Options:01000060
189661 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
Attributes:0000
Options:01000060
189662 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01200000
189663 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189664 IRP_MJ_CLEANUP D:\ SUCCESS
189665 IRP_MJ_CLOSE D:\ SUCCESS
189666 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01800021
189667 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189668 IRP_MJ_CLEANUP D:\ SUCCESS
189669 IRP_MJ_CLOSE D:\ SUCCESS
189670 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01200000
189671 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189672 IRP_MJ_CLEANUP D:\ SUCCESS
189673 IRP_MJ_CLOSE D:\ SUCCESS
189674 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01200000
189675 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189676 IRP_MJ_CLEANUP D:\ SUCCESS
189677 IRP_MJ_CLOSE D:\ SUCCESS
189678 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01200000
189679 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189680 IRP_MJ_CLEANUP D:\ SUCCESS
189681 IRP_MJ_CLOSE D:\ SUCCESS
189682 IRP_MJ_CREATE D:\desktop.ini FILE NOT FOUND
Attributes:0000
Options:01200000
189683 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
Options:01000021
189684 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
189685 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS

…

.

Which IRP_MJ_CREATE should I interrupt?

regards,

sailing_an

> Anti-Virus programs often open a file multiple times for
each time an
> application process opens the file. Are you running an anti-virus
> program? If so, disable the file system filter of the virus
program to
> eliminate the
> extra opens. But ultimately you will need to handle this sort of
> situation if you want to interoperate with the anti-virus software.
>
> Brian
> > Hi All,
> >
> > I am developing a FSFD based filespy sample.I want system
to popup
> > verify dialog before user want to open the attached
> > volume(C:,D:,ie…),so I have to interrupt IRP_MJ_CREATE in FS
> > filter driver.
> >
> > First,The FSFD notify USERMODE App when user want to open C:.
> > Second, USERMODE App call DeviceIoControl with the IOCTL that my
> > private defined IOCTL(FILESPY_SetOk)if USERMODE App allow user to
> > open C:.
> >
> > By DbgView,I find a strange instance that IO Manager will send
> > IRP_MJ_CREATE to My FSFD seven times.Why seven times?PLS help me!
> >
> > regards.
> >
> > sailing_an

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · July 1, 2003, 5:13am

Hi Nick Ryan,

Thank you for your reply!

You saied:“You just have to design for this (e.g.
only handle the first create, then cache the knowledge that you did see
this create for five minutes or so in a hash table keyed by pathname).”

Can you explain above?

regards,

sailing_an

Explorer is a complex beast, and applications like Microsoft Word are
even more so. You may see dozens, if not hundreds, of creates generated
as a result of a seemingly simple operation like clicking on a volume in
Explorer or opening a document. You just have to design for this (e.g.
only handle the first create, then cache the knowledge that you did see
this create for five minutes or so in a hash table keyed by pathname).

Nick Ryan

> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of beginner_an
> Sent: Tuesday, July 01, 2003 12:18 AM
> To: File Systems Developers
> Subject: [ntfsd] Re: Question about IRP_MJ_CREATE
>
>
> Hi Brian,
>
> Thank you for your reply!
> I am running an anti-virus program.However,Io Manager still
> send IRP_MJ_CREATE multiple times after I disabled anti-virus program!
>
> I runned filemon to monitor irp.
> ///////////////////////////////////////////////////
> when I single click driver letter D:,filemon output:
>
> 189809 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01800021
> 189810 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
> FileFsQuotaSetInformation
>
> 189811 IRP_MJ_CLEANUP D:\ SUCCESS
> 189812 IRP_MJ_CLOSE D:\ SUCCESS
> 189813 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
> Attributes:0000
> Options:01000060
> 189814 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
> Attributes:0000
> Options:01000060
> 189815 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01200000
> 189816 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> 189817 IRP_MJ_CLEANUP D:\ SUCCESS
> 189818 IRP_MJ_CLOSE D:\ SUCCESS
> 189819 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01800021
> 189820 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
> FileFsQuotaSetInformation
>
> 189821 IRP_MJ_CLEANUP D:\ SUCCESS
> 189822 IRP_MJ_CLOSE D:\ SUCCESS
>
> //////////////////////////////////////////////////////////////
> when I double click driver letter d: to open D:,filemon output:
>
> 189656 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01800021
> 189657 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
> FileFsQuotaSetInformation
>
> 189658 IRP_MJ_CLEANUP D:\ SUCCESS
> 189659 IRP_MJ_CLOSE D:\ SUCCESS
> 189660 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
> Attributes:0000
> Options:01000060
> 189661 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
> Attributes:0000
> Options:01000060
> 189662 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01200000
> 189663 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> 189664 IRP_MJ_CLEANUP D:\ SUCCESS
> 189665 IRP_MJ_CLOSE D:\ SUCCESS
> 189666 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01800021
> 189667 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
> FileFsQuotaSetInformation
>
> 189668 IRP_MJ_CLEANUP D:\ SUCCESS
> 189669 IRP_MJ_CLOSE D:\ SUCCESS
> 189670 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01200000
> 189671 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> 189672 IRP_MJ_CLEANUP D:\ SUCCESS
> 189673 IRP_MJ_CLOSE D:\ SUCCESS
> 189674 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01200000
> 189675 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> 189676 IRP_MJ_CLEANUP D:\ SUCCESS
> 189677 IRP_MJ_CLOSE D:\ SUCCESS
> 189678 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01200000
> 189679 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> 189680 IRP_MJ_CLEANUP D:\ SUCCESS
> 189681 IRP_MJ_CLOSE D:\ SUCCESS
> 189682 IRP_MJ_CREATE D:\desktop.ini FILE NOT FOUND
> Attributes:0000
> Options:01200000
> 189683 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> Options:01000021
> 189684 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
> 189685 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
>
> …
>
> .
>
> Which IRP_MJ_CREATE should I interrupt?
>
> regards,
>
> sailing_an
>
> > Anti-Virus programs often open a file multiple times for
> each time an
> > application process opens the file. Are you running an anti-virus
> > program? If so, disable the file system filter of the virus
> program to
> > eliminate the
> > extra opens. But ultimately you will need to handle this sort of
> > situation if you want to interoperate with the anti-virus software.
> >
> > Brian
> > > Hi All,
> > >
> > > I am developing a FSFD based filespy sample.I want system
> to popup
> > > verify dialog before user want to open the attached
> > > volume(C:,D:,ie…),so I have to interrupt IRP_MJ_CREATE in FS
> > > filter driver.
> > >
> > > First,The FSFD notify USERMODE App when user want to open C:.
> > > Second, USERMODE App call DeviceIoControl with the IOCTL that my
> > > private defined IOCTL(FILESPY_SetOk)if USERMODE App allow user to
> > > open C:.
> > >
> > > By DbgView,I find a strange instance that IO Manager will send
> > > IRP_MJ_CREATE to My FSFD seven times.Why seven times?PLS help me!
> > >
> > > regards.
> > >
> > > sailing_an
>
> —
> You are currently subscribed to ntfsd as: xxxxx@nryan.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

OSR_Community_User · July 1, 2003, 1:13pm

There is no one-to-one relationship; your design is screwed… Time to
start all over again

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of beginner_an
Sent: Tuesday, July 01, 2003 12:18 AM
To: File Systems Developers
Subject: [ntfsd] Re: Question about IRP_MJ_CREATE

Hi Brian,

Thank you for your reply!
I am running an anti-virus program.However,Io Manager still send
IRP_MJ_CREATE multiple times after I disabled anti-virus program!

I runned filemon to monitor irp.
///////////////////////////////////////////////////
when I single click driver letter D:,filemon output:

189809 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021

189810 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189811 IRP_MJ_CLEANUP D:\ SUCCESS
189812 IRP_MJ_CLOSE D:\ SUCCESS
189813 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189814 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189815 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189816 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189817 IRP_MJ_CLEANUP D:\ SUCCESS
189818 IRP_MJ_CLOSE D:\ SUCCESS
189819 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021

189820 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189821 IRP_MJ_CLEANUP D:\ SUCCESS
189822 IRP_MJ_CLOSE D:\ SUCCESS

//////////////////////////////////////////////////////////////
when I double click driver letter d: to open D:,filemon output:

189656 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021

189657 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189658 IRP_MJ_CLEANUP D:\ SUCCESS
189659 IRP_MJ_CLOSE D:\ SUCCESS
189660 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189661 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189662 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189663 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189664 IRP_MJ_CLEANUP D:\ SUCCESS
189665 IRP_MJ_CLOSE D:\ SUCCESS
189666 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021

189667 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189668 IRP_MJ_CLEANUP D:\ SUCCESS
189669 IRP_MJ_CLOSE D:\ SUCCESS
189670 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189671 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189672 IRP_MJ_CLEANUP D:\ SUCCESS
189673 IRP_MJ_CLOSE D:\ SUCCESS
189674 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189675 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189676 IRP_MJ_CLEANUP D:\ SUCCESS
189677 IRP_MJ_CLOSE D:\ SUCCESS
189678 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189679 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189680 IRP_MJ_CLEANUP D:\ SUCCESS
189681 IRP_MJ_CLOSE D:\ SUCCESS
189682 IRP_MJ_CREATE D:\desktop.ini FILE NOT FOUND Attributes:0000
Options:01200000
189683 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01000021

189684 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
189685 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
…

.

Which IRP_MJ_CREATE should I interrupt?

regards,

sailing_an

Anti-Virus programs often open a file multiple times for each time an
application process opens the file. Are you running an anti-virus
program?
If so, disable the file system filter of the virus program to
eliminate
the
extra opens. But ultimately you will need to handle this sort of
situation if you want to interoperate with the anti-virus software.

Brian
> Hi All,
>
> I am developing a FSFD based filespy sample.I want system to popup
verify
> dialog before user want to open the attached volume(C:,D:,ie…),so
I have
> to interrupt IRP_MJ_CREATE in FS filter driver.
>
> First,The FSFD notify USERMODE App when user want to open C:.
> Second, USERMODE App call DeviceIoControl with the IOCTL that my
private
> defined IOCTL(FILESPY_SetOk)if USERMODE App allow user to open C:.
>
> By DbgView,I find a strange instance that IO Manager will send
> IRP_MJ_CREATE to My FSFD seven times.Why seven times?PLS help me!
>
> regards.
>
> sailing_an

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · July 2, 2003, 1:22am

HI Jamey,

Can you explain this?

best regards,

sailing_an

There is no one-to-one relationship; your design is screwed… Time to
start all over again

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of beginner_an
Sent: Tuesday, July 01, 2003 12:18 AM
To: File Systems Developers
Subject: [ntfsd] Re: Question about IRP_MJ_CREATE

Hi Brian,

Thank you for your reply!
I am running an anti-virus program.However,Io Manager still send
IRP_MJ_CREATE multiple times after I disabled anti-virus program!

I runned filemon to monitor irp.
///////////////////////////////////////////////////
when I single click driver letter D:,filemon output:

189809 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021

189810 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189811 IRP_MJ_CLEANUP D:\ SUCCESS
189812 IRP_MJ_CLOSE D:\ SUCCESS
189813 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189814 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189815 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189816 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189817 IRP_MJ_CLEANUP D:\ SUCCESS
189818 IRP_MJ_CLOSE D:\ SUCCESS
189819 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021

189820 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189821 IRP_MJ_CLEANUP D:\ SUCCESS
189822 IRP_MJ_CLOSE D:\ SUCCESS

//////////////////////////////////////////////////////////////
when I double click driver letter d: to open D:,filemon output:

189656 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021

189657 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189658 IRP_MJ_CLEANUP D:\ SUCCESS
189659 IRP_MJ_CLOSE D:\ SUCCESS
189660 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189661 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND Attributes:0000
Options:01000060
189662 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189663 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189664 IRP_MJ_CLEANUP D:\ SUCCESS
189665 IRP_MJ_CLOSE D:\ SUCCESS
189666 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01800021

189667 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
FileFsQuotaSetInformation

189668 IRP_MJ_CLEANUP D:\ SUCCESS
189669 IRP_MJ_CLOSE D:\ SUCCESS
189670 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189671 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189672 IRP_MJ_CLEANUP D:\ SUCCESS
189673 IRP_MJ_CLOSE D:\ SUCCESS
189674 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189675 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189676 IRP_MJ_CLEANUP D:\ SUCCESS
189677 IRP_MJ_CLOSE D:\ SUCCESS
189678 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01200000

189679 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
189680 IRP_MJ_CLEANUP D:\ SUCCESS
189681 IRP_MJ_CLOSE D:\ SUCCESS
189682 IRP_MJ_CREATE D:\desktop.ini FILE NOT FOUND Attributes:0000
Options:01200000
189683 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000 Options:01000021

189684 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
189685 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
…

.

Which IRP_MJ_CREATE should I interrupt?

regards,

sailing_an

> Anti-Virus programs often open a file multiple times for each time an
> application process opens the file. Are you running an anti-virus
> program?
> If so, disable the file system filter of the virus program to
eliminate
> the
> extra opens. But ultimately you will need to handle this sort of
> situation if you want to interoperate with the anti-virus software.
>
> Brian
> > Hi All,
> >
> > I am developing a FSFD based filespy sample.I want system to popup
verify
> > dialog before user want to open the attached volume(C:,D:,ie…),so
I have
> > to interrupt IRP_MJ_CREATE in FS filter driver.
> >
> > First,The FSFD notify USERMODE App when user want to open C:.
> > Second, USERMODE App call DeviceIoControl with the IOCTL that my
private
> > defined IOCTL(FILESPY_SetOk)if USERMODE App allow user to open C:.
> >
> > By DbgView,I find a strange instance that IO Manager will send
> > IRP_MJ_CREATE to My FSFD seven times.Why seven times?PLS help me!
> >
> > regards.
> >
> > sailing_an

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · July 2, 2003, 2:37am

Here is what I think your situation is:

You have a pathname that represents a volume, directory, or file that
you wish to perform some sort of validation on. You only need to perform
this validation the first time this pathname itself or anything under it
is opened (or better yet, opened with read or read/write permission
being asked for - this will filter out most of the spurious creates).

Therefore, what you want to do is perform the validation the first time
you see the pathname, but not anytime afterward. You can do this by
maintaining some sort of data structure that associates pathnames with a
boolean value that you set to TRUE the first time you see the pathname.
This data structure can be a hash table where the key is the pathname.
If you don’t know what a hash table is, you should pick up a good
computer science textbook or do a Google search on the term.

Nick Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of beginner_an
Sent: Tuesday, July 01, 2003 2:13 AM
To: File Systems Developers
Subject: [ntfsd] Re: Question about IRP_MJ_CREATE

Hi Nick Ryan,

Thank you for your reply!

You saied:“You just have to design for this (e.g.
only handle the first create, then cache the knowledge that
you did see this create for five minutes or so in a hash
table keyed by pathname).”

Can you explain above?

regards,

sailing_an

> Explorer is a complex beast, and applications like
Microsoft Word are
> even more so. You may see dozens, if not hundreds, of creates
> generated as a result of a seemingly simple operation like
clicking on
> a volume in Explorer or opening a document. You just have to design
> for this (e.g. only handle the first create, then cache the
knowledge
> that you did see this create for five minutes or so in a hash table
> keyed by pathname).
>
> - Nick Ryan
>
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of beginner_an
> > Sent: Tuesday, July 01, 2003 12:18 AM
> > To: File Systems Developers
> > Subject: [ntfsd] Re: Question about IRP_MJ_CREATE
> >
> >
> > Hi Brian,
> >
> > Thank you for your reply!
> > I am running an anti-virus program.However,Io Manager still
> > send IRP_MJ_CREATE multiple times after I disabled
anti-virus program!
> >
> > I runned filemon to monitor irp.
> > ///////////////////////////////////////////////////
> > when I single click driver letter D:,filemon output:
> >
> > 189809 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01800021
> > 189810 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
> > FileFsQuotaSetInformation
> >
> > 189811 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189812 IRP_MJ_CLOSE D:\ SUCCESS
> > 189813 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
> > Attributes:0000
> > Options:01000060
> > 189814 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
> > Attributes:0000
> > Options:01000060
> > 189815 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01200000
> > 189816 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> > 189817 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189818 IRP_MJ_CLOSE D:\ SUCCESS
> > 189819 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01800021
> > 189820 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
> > FileFsQuotaSetInformation
> >
> > 189821 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189822 IRP_MJ_CLOSE D:\ SUCCESS
> >
> > //////////////////////////////////////////////////////////////
> > when I double click driver letter d: to open D:,filemon output:
> >
> > 189656 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01800021
> > 189657 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
> > FileFsQuotaSetInformation
> >
> > 189658 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189659 IRP_MJ_CLOSE D:\ SUCCESS
> > 189660 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
> > Attributes:0000
> > Options:01000060
> > 189661 IRP_MJ_CREATE D:\Desktop.ini FILE NOT FOUND
> > Attributes:0000
> > Options:01000060
> > 189662 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01200000
> > 189663 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> > 189664 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189665 IRP_MJ_CLOSE D:\ SUCCESS
> > 189666 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01800021
> > 189667 IRP_MJ_QUERY_VOLUME_INFORMATION D:\ SUCCESS
> > FileFsQuotaSetInformation
> >
> > 189668 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189669 IRP_MJ_CLOSE D:\ SUCCESS
> > 189670 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01200000
> > 189671 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> > 189672 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189673 IRP_MJ_CLOSE D:\ SUCCESS
> > 189674 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01200000
> > 189675 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> > 189676 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189677 IRP_MJ_CLOSE D:\ SUCCESS
> > 189678 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01200000
> > 189679 FASTIO_QUERY_BASIC_INFO D:\ SUCCESS Attributes:0010
> > 189680 IRP_MJ_CLEANUP D:\ SUCCESS
> > 189681 IRP_MJ_CLOSE D:\ SUCCESS
> > 189682 IRP_MJ_CREATE D:\desktop.ini FILE NOT FOUND
> > Attributes:0000
> > Options:01200000
> > 189683 IRP_MJ_CREATE D:\ SUCCESS Attributes:0000
> > Options:01000021
> > 189684 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
> > 189685 IRP_MJ_DIRECTORY_CONTROL D:\ SUCCESS
> >
> > …
> >
> > .
> >
> > Which IRP_MJ_CREATE should I interrupt?
> >
> > regards,
> >
> > sailing_an
> >
> > > Anti-Virus programs often open a file multiple times for
> > each time an
> > > application process opens the file. Are you running an
anti-virus
> > > program? If so, disable the file system filter of the virus
> > program to
> > > eliminate the
> > > extra opens. But ultimately you will need to handle
this sort of
> > > situation if you want to interoperate with the anti-virus
> > > software.
> > >
> > > Brian
> > > > Hi All,
> > > >
> > > > I am developing a FSFD based filespy sample.I want system
> > to popup
> > > > verify dialog before user want to open the attached
> > > > volume(C:,D:,ie…),so I have to interrupt
IRP_MJ_CREATE in FS
> > > > filter driver.
> > > >
> > > > First,The FSFD notify USERMODE App when user want to open C:.
> > > > Second, USERMODE App call DeviceIoControl with the
IOCTL that my
> > > > private defined IOCTL(FILESPY_SetOk)if USERMODE App
allow user to
> > > > open C:.
> > > >
> > > > By DbgView,I find a strange instance that IO Manager
will send
> > > > IRP_MJ_CREATE to My FSFD seven times.Why seven
times?PLS help me!
> > > >
> > > > regards.
> > > >
> > > > sailing_an
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@nryan.com To
> > unsubscribe send a blank email to xxxxx@lists.osr.com
> >

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · July 2, 2003, 5:11am

> Here is what I think your situation is:

You have a pathname that represents a volume, directory, or file that
Hi Nick,

Thank you very much!!!

Best regards,

sailing_an

you wish to perform some sort of validation on. You only need to perform
this validation the first time this pathname itself or anything under it
is opened (or better yet, opened with read or read/write permission
being asked for - this will filter out most of the spurious creates).

Therefore, what you want to do is perform the validation the first time
you see the pathname, but not anytime afterward. You can do this by
maintaining some sort of data structure that associates pathnames with a
boolean value that you set to TRUE the first time you see the pathname.
This data structure can be a hash table where the key is the pathname.
If you don’t know what a hash table is, you should pick up a good
computer science textbook or do a Google search on the term.

Nick Ryan

OSR_Community_User · July 13, 2003, 8:30pm

why I can receive mail list since two weeks ago?Is there anything wrong?
----- Original Message -----
From:
To: “File Systems Developers”
Sent: Monday, June 30, 2003 9:56 PM
Subject: [ntfsd] Re: Question about IRP_MJ_CREATE

> Anti-Virus programs often open a file multiple times for each time an
> application process opens the file. Are you running an anti-virus
> program?
> If so, disable the file system filter of the virus program to eliminate
> the
> extra opens. But ultimately you will need to handle this sort of
> situation if you want to interoperate with the anti-virus software.
>
> Brian
> > Hi All,
> >
> > I am developing a FSFD based filespy sample.I want system to popup verify
> > dialog before user want to open the attached volume(C:,D:,ie…),so I have
> > to interrupt IRP_MJ_CREATE in FS filter driver.
> >
> > First,The FSFD notify USERMODE App when user want to open C:.
> > Second, USERMODE App call DeviceIoControl with the IOCTL that my private
> > defined IOCTL(FILESPY_SetOk)if USERMODE App allow user to open C:.
> >
> > By DbgView,I find a strange instance that IO Manager will send
> > IRP_MJ_CREATE to My FSFD seven times.Why seven times?PLS help me!
> >
> > regards.
> >
> > sailing_an
>
> —
> You are currently subscribed to ntfsd as: xxxxx@emgsoft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com