I have a filter to encrypt/decrypt all files in a special folder. I only
handle IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO. It works
well before I met WinWord.I was confused by the temp files winword created.
When I open the doc file whose name is a.doc, winword create a temp file
named ~$a.doc. it created another temp file named ~WRD0000.tmp(the numbers
can be different). When I edit and save a.doc, Winword writes data into the
temp file ~WRD0000.tmp, then rename and delete it. I found when I click the
save button, winword write data into the file ~WRD0000.tmp several times and
the sum of the length it wrote is much large then the filesize of a.doc.So a
part of the file is encrypt right and the others is encrypt wrong. Who can
give me some advice on it?
I found that the first 4096 bytes never been encrypt, but the rest are
encrypted right.Does winword write the first 4k bytes by a special way?
I have a filter to encrypt/decrypt all files in a special folder. I only
handle IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO. It works
well before I met WinWord.I was confused by the temp files winword
created.
When I open the doc file whose name is a.doc, winword create a temp file
named ~$a.doc. it created another temp file named ~WRD0000.tmp(the
numbers
can be different). When I edit and save a.doc, Winword writes data into
the
temp file ~WRD0000.tmp, then rename and delete it. I found when I click
the
save button, winword write data into the file ~WRD0000.tmp several times
and
the sum of the length it wrote is much large then the filesize of a.doc.So
a
part of the file is encrypt right and the others is encrypt wrong. Who can
give me some advice on it?
I suppose it depends upon what you mean by “a special way”. If you mean
“does WinWord have some special way of writing to the file that bypasses
my filter” the answer is No. If you mean “does WinWord use some
different way to write the first 4096 bytes of the file” the answer is
"it could, but you would have to analyze the specifics of the trace to
determine if that is the case.
The one thing I notice is that you say you “only handle IRP_NOCACHE |
IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO”. I just want to make sure
that it is clear that this will skip some I/O operations that will be
written to disk:
- user level non-cached I/O (IRP_NOCACHE but not paging or synchronous
paging) - asynchronous page write operations (IRP_NOCACHE and IRP_PAGING but not
IRP_SYNCHRONOUS_PAGING) - asynchronous page read operations (IRP_NOCACHE and IRP_PAGING but not
IRP_SYNCHRONOUS_PAGING)
It is possible that you are missing one of these; you should look at
your trace information to see if you are skipping any I/O operations
that are IRP_NOCACHE. I suspect you will find your missing I/O
operation.
Regards,
Tony Mason
Consulting Partner
OSR Open Systems Resources Inc
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Kathe Zhou
Sent: Tuesday, May 11, 2004 7:18 AM
To: ntfsd redirect
Subject: Re:[ntfsd] Question about winword
I found that the first 4096 bytes never been encrypt, but the rest are
encrypted right.Does winword write the first 4k bytes by a special way?
I have a filter to encrypt/decrypt all files in a special folder. I
only
handle IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO. It
works
well before I met WinWord.I was confused by the temp files winword
created.
When I open the doc file whose name is a.doc, winword create a temp
file
named ~$a.doc. it created another temp file named ~WRD0000.tmp(the
numbers
can be different). When I edit and save a.doc, Winword writes data
into
the
temp file ~WRD0000.tmp, then rename and delete it. I found when I
click
the
save button, winword write data into the file ~WRD0000.tmp several
times
and
the sum of the length it wrote is much large then the filesize of
a.doc.So
a
part of the file is encrypt right and the others is encrypt wrong. Who
can
give me some advice on it?
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
thanks for your suggestion.
I use if( Irp->Flags & (IRP_NOCACHE | IRP_PAGING_IO |
IRP_SYNCHRONOUS_PAGING_IO) ) to judge whether the data need to be encrypted
or not. I think if one of the three bits is set, my filter will encrypt the
data. Did I miss anything?
I am not very clear about asynchronous page read operations you mentioned.
Did this read operation write data to disk?
I encrypted the data when MajorFunction is IRP_MJ_WRITE, Are there still
other operations write data to disk?
I return false for fastio_write, there is no effect.
-----Original Message-----
I suppose it depends upon what you mean by “a special way”. If you mean
“does WinWord have some special way of writing to the file that bypasses
my filter” the answer is No. If you mean “does WinWord use some
different way to write the first 4096 bytes of the file” the answer is
"it could, but you would have to analyze the specifics of the trace to
determine if that is the case.
The one thing I notice is that you say you “only handle IRP_NOCACHE |
IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO”. I just want to make sure
that it is clear that this will skip some I/O operations that will be
written to disk:
- user level non-cached I/O (IRP_NOCACHE but not paging or synchronous
paging) - asynchronous page write operations (IRP_NOCACHE and IRP_PAGING but not
IRP_SYNCHRONOUS_PAGING) - asynchronous page read operations (IRP_NOCACHE and IRP_PAGING but not
IRP_SYNCHRONOUS_PAGING)
It is possible that you are missing one of these; you should look at
your trace information to see if you are skipping any I/O operations
that are IRP_NOCACHE. I suspect you will find your missing I/O
operation.
Regards,
Tony Mason
Consulting Partner
OSR Open Systems Resources Inc
http://www.osr.com