Thanks for Nick and Alexei , your answers are greatly helpful for me.
But for the logon problem, I’d logged all creations into a file and there’s
no STATUS_REPARSE
returned and the IoCancelFileOpen is never called.
The scenario is:
if( create file successfully)
IoQueryFileInformation and InternalReadFile are alwasy successful
but there are STATUS_SHARING_VIOLATION or STATUS_NO_SUCH_LOGON_SESSION
logged for some creationa and the logon always fail.
Are there other reasons could cause this problem?
Best regards,
Xinwei
“Nick Ryan” wrote to message:xxxxx@ntfsd…
>
> Three things that jump out at me:
>
> #1. Biggest issue - you shouldn’t be using IoCancelFileOpen. It’s
> generally agreed that this API is dangerous to use and should be
> deprecated by Microsoft. You should open the file using a temporary file
> object (difficult but gives you more control) or with ZwCreateFile
(easier).
>
> #2. You do realize that the lower drive can return STATUS_REPARSE? The
> NT_SUCCESS macro returns TRUE for this status code, but the file is not
> actually opened, so filter drivers should treat this as an error
> condition. Explicitly test for STATUS_REPARSE.
>
> #3. You are completing the IRP if you decide to cancel the open, aren’t
you?
>
> SXW wrote:
>
> > Thank you so much, Ryan.
> >
> > The InternalReadFile routine is copied from my codes.
> >
> > My filter is loaded at system start up, and will hook all file creations
for
> > all volumes.
> >
> > And in the IRP_MJ_CREATE handle, my codes do as the following, after
> > IRP_CREATE is returned from lower driver, just check the
> > filestandardinformation and read the file content. If the read operation
is
> > skipped, I can logon to the system, otherwise the system will report
error.
> >
> > Codes in handler of IRP_MJ_CREATE:
> >
> > SaveFileObject = IrpStack->FileObject;
> >
> > // send IRP_MJ_CREATE to lower driver and get the result
> > status = IssueCreateIrp(DeviceObject, IRP);
> >
> > if( NT_SUCCESS(status) ){
> > //check the file’s content , and fill myfcb
> > status = CheckFilePostCreate(DeviceObject, SafeFileObject, &MyFcb);
> >
> > if( !NT_SUCCESS(status)){
> > IoCancelFileOpen(DeviceObject, SaveFileObject );
> > RC = Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
> > Irp->IoStatus.Information = 0;
> > }
> > }
> > return status;
> >
> > NTSTATUS
> > CheckFilePostCreate(
> > DEVICEOBJECT DeviceObject,
> > PFILE_OBJECT SafeFileObject,
> > PMYFCB pMyFcb)
> > {
> > // get file info
> > status = IoQueryFileInformation(FileObject,
> > FileStandardInformation,
> > sizeof( fileinfo ),
> > &fileinfo,
> > &ReturnedLength);
> >
> > if( !NT_SUCCESS(status))
> > return status;
> >
> > // copy some filestandardinfo into myFCB here
> > …
> > //Check: is file a directory?
> > …
> >
> > // try to read my filehead , only for files
> > if( fileinfo.EndOfFile.QuadPart > SIZE_FILE_HEAD){
> > readoffset.QuadPart = 0;
> >
> > status = InternalReadFile( DeviceObject,
> > FileObject,
> > &FileHead,
> > SIZE_FILE_HEAD,
> > &readoffset);
> >
> > if(NT_SUCCESS( status ) ){
> > //copy data from FileHead into myFCB
> > …
> > }
> > }
> >
> > return status;
> > }
> >
> >
> > “Nick Ryan” wrote :xxxxx@ntfsd…
> >
> >>No, a read won’t increase the reference on a file object. There’s
> >>nothing wrong with what you are trying to do that I can see. Can you
> >>post your code?
> >>
> >>SXW wrote:
> >>
> >>
> >>>More info about this error:
> >>>
> >>>Some creations will return STATUS_SHARING_VIOLATION, and there are also
> >
> > some
> >
> >>>creations failed with STATUS_NO_SUCH_LOGON_SESSION error.
> >>>
> >>>Does the internal read operation hold reference of the file object?
> >>>
> >>>Thanks in advanced.
> >>>
> >>>
> >>>
> >>>>Hi,
> >>>>
> >>>>My filter will read file content during the the MJ_CREATE, only when
> >
> > this
> >
> >>>>creation return successfully from lower driver. After the iocalldriver
> >>>>returned,sending a new IRP built with IoBuildSynchronousFsdRequest
will
> >>>>cause the winlogon report the domain(actually the local machine) can’t
> >
> > be
> >
> >>>>accessed. If the internal routine InternalReadFile is simply skipped ,
> >>>>everything is ok.
> >>>>
> >>>>What’s wrong with the winlogon? At this time, my filter hooks all
files’
> >>>>creations.
> >>>>
> >>>>Appreciate for any advise,
> >>>>
> >>>>Xinwei
> >>>>
> >>>>
> >>>>
> >>>>NTSTATUS
> >>>>InternalReadFile(
> >>>>IN PDEVICE_OBJECT DeviceObject,
> >>>>IN PFILE_OBJECT FileObject,
> >>>>OUT PVOID Buffer,
> >>>>IN ULONG Length,
> >>>>IN PLARGE_INTEGER StartingOffset
> >>>>)
> >>>>{
> >>>>PIRP irpRead;
> >>>>KEVENT syncevent;
> >>>>NTSTATUS status;
> >>>>IO_STATUS_BLOCK iostatus;
> >>>>PIO_STACK_LOCATION pIrpStackNext ;
> >>>>PDEVICE_OBJECT pLowerDriver;
> >>>>
> >>>>pLowerDriver =
>
>>>>((PDeviceExtension)(DeviceObject->DeviceExtension))->TargetDeviceObject;
> >>>>
> >>>>RtlZeroMemory( &iostatus, sizeof( iostatus ) );
> >>>>
> >>>>KeInitializeEvent( &syncevent, SynchronizationEvent, FALSE );
> >>>>
> >>>>irpRead = IoBuildSynchronousFsdRequest(
> >>>> IRP_MJ_READ,
> >>>> pLowerDriver,
> >>>> Buffer ,
> >>>> Length ,
> >>>> StartingOffset ,
> >>>> &syncevent,
> >>>> &iostatus);
> >>>>
> >>>>if( irpRead ){
> >>>>
> >>>> pIrpStackNext = IoGetNextIrpStackLocation( irpRead );
> >>>>
> >>>> pIrpStackNext->FileObject = FileObject;
> >>>>
> >>>> status = IoCallDriver( pLowerDriver, irpRead );
> >>>>
> >>>> if( STATUS_PENDING == status ){
> >>>>
> >>>>KeWaitForSingleObject(&syncevent,Executive,KernelMode,FALSE,NULL);
> >>>> status = iostatus.Status;
> >>>> }
> >>>>}else{
> >>>> status = STATUS_INSUFFICIENT_RESOURCES;
> >>>>}
> >>>>
> >>>>return status ;
> >>>>}
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>>—
> >>>You are currently subscribed to ntfsd as: xxxxx@nryan.com
> >>>To unsubscribe send a blank email to xxxxx@lists.osr.com
> >>>
> >>
> >>–
> >>- Nick Ryan (MVP for DDK)
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >
> >
> >
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@nryan.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
>
> –
> - Nick Ryan (MVP for DDK)
>
>
>
>