Yay! I got it working. From my user-mode app, I do it the same as I do for
a basic disk, but after I get the volume name, I run the following code:
Header file:
typedef NTSTATUS (CALLBACK*
NTQUERYSYMBOLICLINKOBJECT)(HANDLE,PUNICODE_STRING,PULONG );
extern NTQUERYSYMBOLICLINKOBJECT NtQuerySymbolicLinkObject;
typedef NTSTATUS (CALLBACK* NTOPENSYMBOLICLINKOBJECT)(PHANDLE,
ACCESS_MASK,POBJECT_ATTRIBUTES);
extern NTOPENSYMBOLICLINKOBJECT NtOpenSymbolicLinkObject;
typedef NTSTATUS (CALLBACK* NTCLOSE)(HANDLE);
extern NTCLOSE NtClose;
Code file:
NTQUERYSYMBOLICLINKOBJECT NtQuerySymbolicLinkObject;
NTOPENSYMBOLICLINKOBJECT NtOpenSymbolicLinkObject;
NTCLOSE NtClose;
bool InitNTInternals()
{
HMODULE hNtdll = NULL;
hNtdll = LoadLibrary( _T(“ntdll.dll”) );
if ( !hNtdll )
{
return false;
}
NtOpenSymbolicLinkObject = (NTOPENSYMBOLICLINKOBJECT)
GetProcAddress( hNtdll, “NtOpenSymbolicLinkObject”);
NtQuerySymbolicLinkObject = (NTQUERYSYMBOLICLINKOBJECT)
GetProcAddress( hNtdll, “NtQuerySymbolicLinkObject”);
NtClose = (NTCLOSE)
GetProcAddress( hNtdll, “NtClose”);
return true;
}
and the code to translate the symlink:
if(NtClose == NULL)
InitNTInternals();
if(NtClose != NULL) {
OBJECT_ATTRIBUTES symLinkAttribs;
UNICODE_STRING objectName;
objectName.Buffer = (PWSTR)deviceName.c_str();
objectName.MaximumLength = (objectName.Length = (USHORT)deviceName.Length()
* sizeof(WCHAR)) + sizeof(WCHAR);
InitializeObjectAttributes(&symLinkAttribs, &objectName,
OBJ_CASE_INSENSITIVE, NULL, NULL);
HANDLE symLinkHandle;
NTSTATUS status = NtOpenSymbolicLinkObject(&symLinkHandle, GENERIC_READ,
&symLinkAttribs);
if(NT_SUCCESS(status)) {
UNICODE_STRING outputName;
outputName.Buffer = NULL;
outputName.Length = 0;
outputName.MaximumLength = 0;
ULONG bufferSize = 0;
status = NtQuerySymbolicLinkObject(symLinkHandle, &outputName, &bufferSize);
if(status == STATUS_BUFFER_TOO_SMALL) {
outputName.Buffer = (PWSTR)malloc(bufferSize);
outputName.MaximumLength = bufferSize;
status = NtQuerySymbolicLinkObject(symLinkHandle, &outputName, &bufferSize);
if(NT_SUCCESS(status))
deviceName = wxString(outputName.Buffer, outputName.Length / sizeof(WCHAR));
free(outputName.Buffer);
}
NtClose(symLinkHandle);
}
}
Note that InitializeObjectAttributes is just a macro defined as:
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
Some of the type definitions and macros you’ll have to pull from the DDK
headers (OBJECT_ATTRIBUTES, UNICODE_STRING, etc.).
Cody
“Ken Cross” wrote in message news:xxxxx@ntfsd…
> Neal:
>
> Some more details:
>
> For my dynamic disk (E:), \DosDevices\E: is in HKLM\System\MountedDevices,
> but there is no ??\Volume{GUID} entry that corresponds to this volume.
> Normal?
>
> The Filter Manager is, in fact, attaching my driver to
> “\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1” for E: (also
> seen
> in the “fltmc volumes” command).
>
> FltIsVolumeWritable() returns STATUS_INVALID_PARAMETER for this volume, so
> I
> just ignore it (for now).
>
> The problem I’m having is getting the user-mode program to make sense of
> this volume name. It calls QueryDosDevice() to find it, but that is
> returning “\Device\HarddiskDmVolumes\W2ksrvDg0\Volume1”, which is actually
> a
> symbolic link to the real one. (And I can’t seem to get
> NtOpenSymbolicLinkObject() to work. )
>
> It’s possible that it’s this disconnect between the kernel and user mode
> that Ken Galipeau detected. It fooled me for a while, making me think the
> Filter Manager wasn’t attaching to the volume.
>
> Ken
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Neal Christiansen
> Sent: Wednesday, June 29, 2005 10:57 PM
> To: Windows File Systems Devs Interest List
> Subject: RE: [ntfsd] Dynamic Disks and Filter Manager
>
> Ken,
>
> It had been reported to me in the past by Ken Galipeau that filter
> manager was not properly attaching to dynamic volumes. I was never able
> to reproduce this issue and track it down. Thank you for the
> FltIsVolumeWritable issue. We will investigate this. It should work.
>
> One hint; if a volume shows up when the “fltmc volumes” command is run
> that means filter manager is attached to the volume (this is enumerating
> the volumes filter manager is attached to).
>
> We will get back to you.
>
> Neal Christiansen
> Microsoft File System Filter Group Lead
> This posting is provided “AS IS” with no warranties, and confers no
> Rights
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
> Sent: Monday, June 27, 2005 3:29 PM
> To: Windows File Systems Devs Interest List
> Subject: RE: [ntfsd] Dynamic Disks and Filter Manager
>
> A bit more information: It could be that FltIsVolumeWritable() is the
> only
> thing not working properly with dynamic disks. It returns
> STATUS_INVALID_PARAMETER.
>
> I had rejected read-only volumes, which is why it never showed up. If I
> ignore the results of FltIsVolumeWritable() for this volume, it seems to
> work OK.
>
> A bug in FltIsVolumeWritable() or … umm … an undocumented feature?
>
> Ken
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
> Sent: Monday, June 27, 2005 6:15 PM
> To: Windows File Systems Devs Interest List
> Subject: RE: [ntfsd] Dynamic Disks and Filter Manager
>
> I want to filter normal file operations like Create, Rename, etc. It’s
> been
> working fine on basic disk volumes for months.
>
> Actually, I think you hit on the problem – for dynamic disks, the
> Filter
> Manager isn’t sending physical disk names, it’s sending storage device
> names.
>
> On the test system, drive E: is a normal, standard NTFS volume, but it
> was
> converted to a dynamic disk. I’m just trying to attach to it like any
> other
> disk (say, “C:”).
>
> The Filter Manager is sending
> “\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1” for E: (also
> seen
> in the “fltmc volumes” command).
>
> I suspect that the device sent cannot handle normal disk-type
> operations.
> For instance, FltIsVolumeWritable() returns STATUS_INVALID_PARAMETER.
> That
> makes it kinda hard to filter.
>
> Ken
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of David J. Craig
> Sent: Monday, June 27, 2005 6:01 PM
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] Dynamic Disks and Filter Manager
>
> You are hooking to the storage stack via a mini-filter. Didn’t even
> think
> it was possible much less desirable. I thought it was meant for hooking
>
> into the file system stack which can have many different storage devices
> as
> volumes and even several storage devices making up one volume.
>
> If you are doing this to correlate the file request with the storage
> action,
>
> I can see some benefit, desire and need to do so, but it sure isn’t easy
> to
> know what storage stack read or write matches up with a file system
> read,
> write, create, cleanup, or close. I guess one question is why do you
> need
> this. What is the desired out come? Good luck.
>
> “Ken Cross” wrote in message news:xxxxx@ntfsd…
>> NTFSD Folk:
>>
>> I have one of those I-thought-it-would-be-easy-but-it-ain’t problems.
>>
>> I have a minifilter that attaches to disks to handle file operations.
> The
>> Filter Manager happily connects it to things like
> \Device\HarddiskVolume1
>> and \Device\LanmanRedirector.
>>
>> The problem is dynamic disk volumes (as opposed to “basic” disk
> volumes).
>> They have names like
>>
>> \Device\HarddiskDmVolumes\W2ksrvDg0\Volume1
>>
>> which is a symbolic like to
>>
>> \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1
>>
>> (The symbolic link chain stops there.)
>>
>> The Filter Manager doesn’t seem to send these dynamic disk volumes to
> the
>> InstanceSetup callback routine. Anyone know anything more about it?
>>
>> Ken
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@comcast.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@comcast.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>