Re: Can't logon workstation after enabling file read during IRP_MJ_CREATE

Can you post your InternalReadFile function?

You’re not messing with the desired access or sharing flags on the
create are you?

SXW wrote:

Thanks to Nick and Alexei, your answers are greatly helpful to me.

But for the logon problem, I’d logged all creations into a file and there’s
no STATUS_REPARSE returned and the IoCancelFileOpen is never called.

The scenario is:

if( create file successfully)
IoQueryFileInformation and InternalReadFile are always successful

but there are STATUS_SHARING_VIOLATION or STATUS_NO_SUCH_LOGON_SESSION
logged for some creations and the logon always fails.

Are there other reasons that could cause this problem?

Best regards,

Xinwei

“Nick Ryan” wrote to message:xxxxx@ntfsd…
>
>>Three things that jump out at me:
>>
>>#1. Biggest issue - you shouldn’t be using IoCancelFileOpen. It’s
>>generally agreed that this API is dangerous to use and should be
>>deprecated by Microsoft. You should open the file using a temporary file
>>object (difficult but gives you more control) or with ZwCreateFile (easier).
>>
>>#2. You do realize that the lower driver can return STATUS_REPARSE? The
>>NT_SUCCESS macro returns TRUE for this status code, but the file is not
>>actually opened, so filter drivers should treat this as an error
>>condition. Explicitly test for STATUS_REPARSE.
>>
>>#3. You are completing the IRP if you decide to cancel the open, aren’t you?
>>
>>SXW wrote:
>>
>>
>>>Thank you so much, Ryan.
>>>
>>>The InternalReadFile routine is copied from my code.
>>>
>>>My filter is loaded at system startup, and will hook all file creations for
>>>all volumes.
>>>
>>>And in the IRP_MJ_CREATE handler, my code does the following: after
>>>IRP_CREATE is returned from the lower driver, it just checks the
>>>FileStandardInformation and reads the file content. If the read operation is
>>>skipped, I can log on to the system; otherwise the system will report an error.
>>>
>>>Code in the handler of IRP_MJ_CREATE:
>>>
>>>SaveFileObject = IrpStack->FileObject;
>>>
>>>// send IRP_MJ_CREATE to lower driver and get the result
>>>status = IssueCreateIrp(DeviceObject, Irp);
>>>
>>>if( NT_SUCCESS(status) ){
>>>    // check the file’s content, and fill MyFcb
>>>    status = CheckFilePostCreate(DeviceObject, SaveFileObject, &MyFcb);
>>>
>>>    if( !NT_SUCCESS(status)){
>>>        IoCancelFileOpen(DeviceObject, SaveFileObject );
>>>        status = Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
>>>        Irp->IoStatus.Information = 0;
>>>    }
>>>}
>>>return status;
>>>
>>>NTSTATUS
>>>CheckFilePostCreate(
>>>    PDEVICE_OBJECT DeviceObject,
>>>    PFILE_OBJECT FileObject,
>>>    PMYFCB pMyFcb)
>>>{
>>>    // get file info
>>>    status = IoQueryFileInformation(FileObject,
>>>                                    FileStandardInformation,
>>>                                    sizeof( fileinfo ),
>>>                                    &fileinfo,
>>>                                    &ReturnedLength);
>>>
>>>    if( !NT_SUCCESS(status))
>>>        return status;
>>>
>>>    // copy some filestandardinfo into myFCB here
>>>    …
>>>    // Check: is file a directory?
>>>    …
>>>
>>>    // try to read my filehead, only for files
>>>    if( fileinfo.EndOfFile.QuadPart > SIZE_FILE_HEAD){
>>>        readoffset.QuadPart = 0;
>>>
>>>        status = InternalReadFile( DeviceObject,
>>>                                   FileObject,
>>>                                   &FileHead,
>>>                                   SIZE_FILE_HEAD,
>>>                                   &readoffset);
>>>
>>>        if(NT_SUCCESS( status ) ){
>>>            // copy data from FileHead into myFCB
>>>            …
>>>        }
>>>    }
>>>
>>>    return status;
>>>}
>>>
>>>
>>>“Nick Ryan” wrote :xxxxx@ntfsd…
>>>
>>>
>>>>No, a read won’t increase the reference on a file object. There’s
>>>>nothing wrong with what you are trying to do that I can see. Can you
>>>>post your code?
>>>>
>>>>SXW wrote:
>>>>
>>>>
>>>>
>>>>>More info about this error:
>>>>>
>>>>>Some creations will return STATUS_SHARING_VIOLATION, and there are also some
>>>>>creations failed with STATUS_NO_SUCH_LOGON_SESSION error.
>>>>>
>>>>>Does the internal read operation hold a reference on the file object?
>>>>>
>>>>>Thanks in advance.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hi,
>>>>>>
>>>>>>My filter will read file content during the MJ_CREATE, only when this
>>>>>>creation returns successfully from the lower driver. After the IoCallDriver
>>>>>>returned, sending a new IRP built with IoBuildSynchronousFsdRequest will
>>>>>>cause winlogon to report that the domain (actually the local machine) can’t be
>>>>>>accessed. If the internal routine InternalReadFile is simply skipped,
>>>>>>everything is ok.
>>>>>>
>>>>>>What’s wrong with the winlogon? At this time, my filter hooks all files’
>>>>>>creations.
>>>>>>
>>>>>>Appreciate any advice,
>>>>>>
>>>>>>Xinwei
>>>>>>
>>>>>>
>>>>>>
>>>>>>NTSTATUS
>>>>>>InternalReadFile(
>>>>>>    IN PDEVICE_OBJECT DeviceObject,
>>>>>>    IN PFILE_OBJECT FileObject,
>>>>>>    OUT PVOID Buffer,
>>>>>>    IN ULONG Length,
>>>>>>    IN PLARGE_INTEGER StartingOffset
>>>>>>    )
>>>>>>{
>>>>>>    PIRP irpRead;
>>>>>>    KEVENT syncevent;
>>>>>>    NTSTATUS status;
>>>>>>    IO_STATUS_BLOCK iostatus;
>>>>>>    PIO_STACK_LOCATION pIrpStackNext;
>>>>>>    PDEVICE_OBJECT pLowerDriver;
>>>>>>
>>>>>>    pLowerDriver =
>>>>>>        ((PDeviceExtension)(DeviceObject->DeviceExtension))->TargetDeviceObject;
>>>>>>
>>>>>>    RtlZeroMemory( &iostatus, sizeof( iostatus ) );
>>>>>>
>>>>>>    KeInitializeEvent( &syncevent, SynchronizationEvent, FALSE );
>>>>>>
>>>>>>    irpRead = IoBuildSynchronousFsdRequest(
>>>>>>        IRP_MJ_READ,
>>>>>>        pLowerDriver,
>>>>>>        Buffer,
>>>>>>        Length,
>>>>>>        StartingOffset,
>>>>>>        &syncevent,
>>>>>>        &iostatus);
>>>>>>
>>>>>>    if( irpRead ){
>>>>>>
>>>>>>        pIrpStackNext = IoGetNextIrpStackLocation( irpRead );
>>>>>>
>>>>>>        pIrpStackNext->FileObject = FileObject;
>>>>>>
>>>>>>        status = IoCallDriver( pLowerDriver, irpRead );
>>>>>>
>>>>>>        if( STATUS_PENDING == status ){
>>>>>>            KeWaitForSingleObject(&syncevent,Executive,KernelMode,FALSE,NULL);
>>>>>>            status = iostatus.Status;
>>>>>>        }
>>>>>>    }else{
>>>>>>        status = STATUS_INSUFFICIENT_RESOURCES;
>>>>>>    }
>>>>>>
>>>>>>    return status;
>>>>>>}
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>—
>>>>>You are currently subscribed to ntfsd as: xxxxx@nryan.com
>>>>>To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>>>
>>>>
>>>>–
>>>>- Nick Ryan (MVP for DDK)
>>>>
>>>>
>>>>
>>>>
>>–
>>- Nick Ryan (MVP for DDK)
>>
>>
>>
>>


- Nick Ryan (MVP for DDK)
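
Point #2 of the quoted reply (NT_SUCCESS is TRUE for STATUS_REPARSE), as an added example that is not part of the thread: a user-mode C model of the check a filter makes after the create returns. The status values are the ones in ntstatus.h; `post_create_action`, `naive_action`, `strict_action`, `count_bad_reads` and the sample array are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
typedef int32_t NTSTATUS;                     /* signed 32-bit, as in the DDK */
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)  /* same test as the DDK macro */

/* Values from ntstatus.h */
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_REPARSE               ((NTSTATUS)0x00000104)
#define STATUS_SHARING_VIOLATION     ((NTSTATUS)0xC0000043)
#define STATUS_NO_SUCH_LOGON_SESSION ((NTSTATUS)0xC000005F)

/* Hypothetical names for what the filter does once the create returns. */
typedef enum { PASS_THROUGH, INSPECT_FILE } post_create_action;
/* Severity is the top two bits: 0 success, 1 informational, 2 warning, 3 error. */
static unsigned severity(NTSTATUS s) { return (uint32_t)s >> 30; }

/* The check in the posted handler: NT_SUCCESS alone. */
static post_create_action naive_action(NTSTATUS s)
{
    return NT_SUCCESS(s) ? INSPECT_FILE : PASS_THROUGH;
}

/* The check from the reply: STATUS_REPARSE has success severity but no file
   is open, so the status is handed back untouched and nothing is read. */
static post_create_action strict_action(NTSTATUS s)
{
    if (!NT_SUCCESS(s) || s == STATUS_REPARSE)
        return PASS_THROUGH;
    return INSPECT_FILE;
}

/* Count create results where the naive check would read an unopened file. */
static int count_bad_reads(const NTSTATUS *r, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        bad += naive_action(r[i]) == INSPECT_FILE && strict_action(r[i]) == PASS_THROUGH;
    return bad;
}

/* Constructed sample of statuses coming back from the lower driver. */
static const NTSTATUS sample[] = { STATUS_SUCCESS, STATUS_REPARSE,
    STATUS_SHARING_VIOLATION, STATUS_REPARSE, STATUS_NO_SUCH_LOGON_SESSION };

int main(void)
{
    printf("reads against an unopened file object: %d\n", count_bad_reads(sample, 5));
    return 0;
}
```

STATUS_REPARSE carries success severity, so a severity test cannot separate it from a completed open; only the explicit comparison does.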