Hi All,
Thanks, Ted and Dan.
Ted, did you mean that FltSetInformationFile function needs to be used with
Instance and FileObject passed to the Pre-Cleanup callback?
Anyway, the initial question is still here: why IO_IGNORE_SHARE_ACCESS_CHECK
flag is ignored by LANMAN redirector and how to get around this behavior.
P.S.
I need to open the file, because not all code in my mini-filter driver is
under my control. In current architecture I am not able to follow Dan’s
technique.
-----Original Message-----
HT> I don’t think that will work. At least from what I can tell from the
HT> fastfat sources, this flag is never interrogated.
HT> Try this: in Pre-Cleanup, you should issue a
HT> IRP_MJ_SET_INFORMATION/SetFileDisposition IRP to the FSD if the
HT> DeletePending flag is not already set in FileObject.
HT> /ted
HT> -----Original Message-----
HT> From: xxxxx@lists.osr.com
HT> [mailto:xxxxx@lists.osr.com] On Behalf Of Dan Kyler
HT> Sent: Friday, March 31, 2006 2:38 PM
HT> To: Windows File Systems Devs Interest List
HT> Subject: Re: [ntfsd] Mini-filter and sharing violation in post-cleanup
HT> callback
HT> It would seem much simpler to set the delete bit in pre-cleanup on the
HT> file
HT> object being closed.
HT> - Dan.
HT> “Ivan Keluh” wrote in message
HT> news:…
>> * CROSSPOSTED TO comp.os.ms-windows.programmer.nt.kernel-mode
>>
>> Hi All,
>>
>> I have some troubles with mini-filter driver I am working on, so I am
>> looking for help. Thanks in advance for any help and advice you guys
>> can provide!
>>
>> The mini-filter based on the mini-filter scanner sample from the IFS
>> Kit (\src\filesys\minifilter\scanner). Currently, the mini-filter has
>> four
>> callbacks: pre-create, post-create, pre-write, and post-cleanup. In
>> some cases, mini-filter needs to delete file in post-cleanup callback.
>>
>> Here are my questions:
>> 1. What is the proper way to delete files on the network share in the
>> post-cleanup callback? 2. Why the IO_IGNORE_SHARE_ACCESS_CHECK flag
>> does not have any effect on the network share?
>> 3. Is there another way to accomplish deleting file as a result of
>> cleanup processing?
>>
>>
>> The problem is that the mini-filter fails to delete files in scenario
>> with two networked computers, specifically:
>>
>> 1. The computer “A” connected to computer “B” within the same
>> workgroup. 2. The mini-filter driver is up and running on the
>> computer “A”. 3. The computer “B” has a network share named
>> \MACHINE_B\SHARE. 4. From within Notepad.exe running on the computer
>> “A” save a file to a LANMAN network share \MACHINE_B\SHARE located on
>> the computer “B”. 5. During saving the file the mini-filter decides
>> to delete newly created file on the computer “B” in its post-cleanup
>> callback (to delete a file the mini-filter uses standard calling
>> sequence: open file -> set file information with
>> FileDispositionInformation class -> close file). 6. At the
>> post-cleanup callback the newly created file is already closed, so in
>> order to delete this file the mini-filter needs to open it first.
>> However, for some reason the operating system does not open the file
>> and returns STATUS_SHARING_VIOLATION in the case if the DELETE (or
>> GENERIC_WRITE) bit is set in the DesiredAccess parameter.
>>
>> I have tried the following documented functions/flags to open the file
>> on the network share with DELETE bit in DesiredAccess parameter: 1.
>> FltCreateFile passing correct Instance parameter and
>> IO_IGNORE_SHARE_ACCESS_CHECK flag. 2.
>> IoCreateFileSpecifyDeviceObjectHint with IO_IGNORE_SHARE_ACCESS_CHECK
>> (reentrancy protected); 3. Plain ZwCreateFile (reentrancy protected);
>>
>> None of these functions did succeed in the opening file for deletion
>> on the network share located on the computer “B”. The very same
>> functions do work properly on any of the local file systems on the
>> computer “A”.
>>
>> Below is some additional information:
>>
>> The sequence of File I/O operations coming from Notepad.exe as the
>> mini-filter sees it: 1. IRP_MJ_CREATE (mini-filter receives it as pre-
>> and post-callbacks). 2. IRP_MJ_WRITE (pre-callback).
>> 3. Second IRP_MJ_CREATE (pre-callback). This time mini-filter decides
>> to delete file, and OS returns STATUS_SHARING_VIOLATION. Thus,
>> mini-filter sets file operation status to STATUS_ACCESS_DENIED (using
>> IoStatus field of the passed in FLT_CALLBACK_DATA structure).
>> 4. System works for a couple of milliseconds and I see some unrelated
>> open operations for different files.
>> 5. IRP_MJ_CLEANUP (post-callback). Again, mini-filter tries to delete
>> file, but OS returns STATUS_SHARING_VIOLATION.
>>
>> As it should be, the system passes the same file object for operations
>> 1,2 and 5, and different for operation 3.
>>
>> Observed behavior does not depend on the target file system type on
>> the computer “B”. I have tried to share both FAT and NTFS folders on
>> the computer “B” and behavior is still the same. I also used FILEMON
>> on the computer “B” to monitor File I/O activity locally on the
>> computer “B”. The file system on the computer “B” does not return
>> STATUS_SHARING_VIOLATION during testing. So it seems to be a
>> STATUS_SHARING_VIOLATION problem on the computer “A” only (remember,
>> the mini-filter executes on the computer “A”, but the actual file that
>> mini-filter tries to open located on the LANMAN network share
>> \MACHINE_B\SHARE on the computer “B”).
>>
>> I tried to use work items to delete files and it does not work either.
>> This is because system thread, which executes work items, has
>> different access token in comparison to the Notepad.exe thread that
>> saves the file. This different token does not allow access to the
>> target computer “B” at the time work item is executed.
>>
>> Again, thanks in advance for any help and advice!
>>
>>
>>
>>
>> —
HT> —
HT> Questions? First check the IFS FAQ at
HT> https://www.osronline.com/article.cfm?id=17
HT> You are currently subscribed to ntfsd as: xxxxx@livevault.com To
HT> unsubscribe send a blank email to xxxxx@lists.osr.com
HT> -----------------------------------------
HT> The information contained in this email message and its attachments
HT> is intended only for the private and confidential use of the
HT> recipient(s) named above, unless the sender expressly agrees
HT> otherwise.
HT> Transmission of email over the Internet is not a secure
HT> communications medium. If you are requesting or have requested the
HT> transmittal of personal data, as defined in applicable privacy laws
HT> by means of email or in an attachment to email, you must select a
HT> more secure alternate means of transmittal that supports your
HT> obligations to protect such personal data.
HT> If the reader of this message is not the intended recipient and/or
HT> you have received this email in error, you must take no action
HT> based on the information in this email and you are hereby notified
HT> that any dissemination, misuse or copying or disclosure of this
HT> communication is strictly prohibited. If you have received this
HT> communication in error, please notify us immediately by email and
HT> delete the original message.
HT> —
HT> Questions? First check the IFS FAQ at
HT> https://www.osronline.com/article.cfm?id=17
HT> You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
HT> To unsubscribe send a blank email to xxxxx@lists.osr.com
–
Best regards,
Ivan mailto:xxxxx@sys-stor-software.com