Re[3]: Cannot get the filename in pre-create on Win7 if the file is opened by ID

> Should we write samples that are complete and that work well in all possible cases (which are basically products) or samples that just showcase some particular feature or behavior of the system, but do not handle all the possible cases?

I’d say write samples that are easy (as it is now), but if there’s a
place which can be problematic, put a few comments there.

L.

Wouldn’t that also fail since the thread doesn’t have traverse privileges still?

Would it be possible to query the name in postCreate for files opened by ID ? Not sure what the architecture of the application is but from a performance perspective this would be slightly better.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

This particular case would be good in a sample for all, I think. By this, I mean handling different errors that can arise during name query. It is not any technical secret and I am sure a lot of us have spent more time on figuring all the FltGetFileNameInformation problems than the rest of the code. (I seriously did - and I’m not even done with it yet)

It is clear to me that either choice will upset someone. We receive mails that complain either that fastfat is too complicated and it isn’t clear from it which things are important or that the samples are too simple and they never show any of the really hard stuff.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Speaking of sample code I think one thing that would be useful is some code showing how to open a file by ID using WIN32 calls.

I have one more question regarding open by ID. Is it possible to supersede or overwrite a file when opening by ID? If this is not allowed then I should be able to handle most of what I need in post-create.

The new WIN32 api OpenFileById does not give you the option to overwrite or supersede the file so I am hoping that it is not allowed via NT functions either.

Well, it’s complicated :). Normally traverse privileges might be needed for both preCreate and postCreate path generation so yeah, if that privilege is not held then name generation in preCreate or postCreate is pretty much the same (i.e. if it fails because of it in preCreate, it would fail in postCreate as well).

However, as far as I know the traverse privilege needs to be held for an open-by-ID to succeed, so moving the name query in postCreate will ensure that the privilege is always held :) (in a successful postCreate, that is).

One more thing I’d like to point out is that the quote from my previous answer was all about performance, it didn’t say anything about the privilege not held issue (though as I said above, it might make a difference for open-by-ID).

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

Yup, it is possible. FileTest is what I use to quickly check for this sort of thing…

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Wednesday, September 30, 2009 08:22
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Cannot get the filename in pre-create on Win7 if the file is opened by ID

I have one more question regarding open by ID. Is it possible to supersede or overwrite a file when opening by ID? If this is not allowed then I should be able to handle most of what I need in post-create.

The new WIN32 api OpenFileById does not give you the option to overwrite or supersede the file so I am hoping that it is not allowed via NT functions either.


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars (including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I will pass this information along. You can always send sample requests (or comments, issues and so on) to FSFComm at the usual Microsoft.com.

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Wednesday, September 30, 2009 02:26
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Cannot get the filename in pre-create on Win7 if the file is opened by ID

This particular case would be good in a sample for all, I think. By this, I mean handling different errors that can arise during name query. It is not any technical secret and I am sure a lot of us have spent more time on figuring all the FltGetFileNameInformation problems than the rest of the code. (I seriously did - and I’m not even done with it yet)

It is clear to me that either choice will upset someone. We receive mails that complain either that fastfat is too complicated and it isn’t clear from it which things are important or that the samples are too simple and they never show any of the really hard stuff.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.



Oh, OK then, I missed that.

> One more thing I’d like to point out is that the quote from my previous answer was all about performance, it didn’t say anything about the privilege not held issue (though as I said above, it might make a difference for open-by-ID).


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

So I tried to get the name in the post create callback and that was not working either. I investigated more and it turns out that the open by ID create failed also (STATUS_INVALID_PARAMETER).

Could this simply be a case where the file it is looking for has changed or was deleted and cannot be opened? It looks like the only time I fail to get the name in precreate is when the create is destined to fail, either because of the traverse privilege or some other error (like the ID is no longer valid)

fffff88001161242 : fffffa80023ca0c0 fffff88004b81558 fffffa8002197670 0000000000000000 : ssfmonm!FmonPostCreateCallback+0x248 [c:\development\webroot\products\spysweeper\core\core++main\sys\fmonmini\fmfilter.c @ 665]
fffff8800116038b : fffffa80014c5030 fffffa80023ca160 fffffa8001df8010 fffffa8001df8230 : fltmgr!FltpPerformPostCallbacks+0x392
fffff8800117f2b9 : fffffa8002327010 fffffa8000fab450 fffffa8002327000 fffffa8000f9dde0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff8000298b477 : 0000000000000004 fffff800029af080 fffffa8001c06b10 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff8000298150f : fffffa8000f9dde0 0000000000000000 fffffa80020d9230 0000000002000001 : nt!IopParseDevice+0x5a7
fffff80002986876 : fffffa80020d9230 fffff88004b81a30 fffffa8000000040 fffffa8000d0bf30 : nt!ObpLookupObjectName+0x32f
fffff8000298d587 : fffffa8002327010 0000000000000001 fffffa80024ca901 fffffa80024b4440 : nt!ObOpenObjectByName+0x306
fffff80002997198 : 0000000002cfe168 0000000000100080 fffffa8000000000 0000000002cfe110 : nt!IopCreateFile+0x2b7
fffff8000268a153 : 0000000000000000 fffff800029a4dfc fffff88004b81ca0 0000000000000000 : nt!NtCreateFile+0x78
000000007784040a : 00000000777208f8 00000000014d18d0 000007fef6de1fce 000007fe00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000777208f8 : 00000000014d18d0 000007fef6de1fce 000007fe00000000 000007fef6de6f36 : ntdll!ZwCreateFile+0xa
000007fef6e2aa3c : 0000000002cfe830 0000000000000002 0000000002cff6b8 000007fef6de7e8f : kernel32!OpenFileById+0x158
000007fef6e2ab7b : 0000000002cfe5c0 0000000000000001 0000000000000001 0000000002620800 : MSSRCH!CFRNCache::_FRNToPath+0xa6
000007fef6e2b5af : 0000000000bea670 0000000000000000 002f003a0043003a 0000000000bea670 : MSSRCH!CFRNCache::_CacheFromRecord+0x47
000007fef6de9649 : 0000000000be9d90 0000000077844e44 0000000002cff6b8 0000000001486fb0 : MSSRCH!CFRNCache::Lookup+0x294
000007fef6de9467 : 0000000002ec6c30 0000000000000000 0000000001486ef0 0000000002cff6b8 : MSSRCH!CUsnMonitorNotifier::lokProcessUsnRecord+0x26f
000007fef6e0b0ec : 0000000000000000 0000000000bea490 0000000000000000 0000000000000000 : MSSRCH!CUsnMonitorNotifier::Thread+0xa60
00000000776ef56d : 0000000000bea490 0000000000000000 0000000000000000 0000000000000000 : MSSRCH!CUsnMonitorNotifier::MonitorThreadStatic+0x30
0000000077823281 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

That is good news.

For open-by-IDs filter manager needs to open the file itself so if the original create will fail then filter manager’s create might fail as well, which is what we’re seeing here. When I said query the name in postCreate, I meant in a successful postCreate. If an IRP_MJ_CREATE failed in the file system there isn’t usually any reason to try to get the name of the file… So you can simply ignore this case.

There are some cases where creates fail with STATUS_INVALID_PARAMETER. Take a look at this blog post: http://www.alex-ionescu.com/?p=15

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

> Wouldn’t that also fail since the thread doesn’t have traverse privileges still?

All Win32 threads have traverse privileges, without this, the new process will not be able to connect to ApiPort of csrss.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> There are some cases where I need to have the name in post-create when the create failed.

This is not always possible. What if create failed due to bad ID, i.e. there is no such file?

Then the name query will also fail.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com