RE: FileDispositionInformation (Deletes) before FileRenam eInformation (renames)

OSR_Community_User · August 11, 2005, 1:34pm

This observation and subsequent question get asked here frequently.

Here’s the essentials of what is happening when you delete a file via the
Windows Explorer with the recycle bin enabled.

File is opened (DELETE access)
It is marked for deletion via
IRP_MJ_SET_INFORMATION/FileDispositionInformation.
It is then renamed via IRP_MJ_SET_INFORMATION/FileRenameInformation into
the recyle bin.
It is then unmarked for deletion via
IRP_MJ_SET_INFORMATION/FileDispositionInformation.
It is now closed

By marking it for deletion first, you guarantee it indeed can be deleted and
no further access to the file (new handles) is possible until it is
“undeleted”.

/ted

-----Original Message-----
From: Gene Allen [mailto:xxxxx@bystormsoftware.com]
Sent: Thursday, August 11, 2005 12:22 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FileDispositionInformation (Deletes) before
FileRenameInformation (renames)

Sorry that the title is sort of cryptic, but the news server rejected my
non-cryptic title which was much clearer.

Hi all, I’ve built a little minifilter to watch what is happening when you
delete a file with the explorer.

Basically, I’m picking up, in a preoperation callout, the
IRP_MJ_SET_INFORMATION looking for FileRenameInformation for Renames and
FileDispositionInformation (delete flag) for Deletes and IRP_MJ_CREATE with
the File_DELETEP_ON_CLOSE options flag set.

When I delete the file, I get a Delete coming thru on the file I deleted and

then a get a Rename on it to the recycler. Which makes some sense, but it
seems to be backwards.I would have expected a “Rename” and no delete (a
move) or since this is low level, a rename then a delete (a copy and then a
delete) but a delete then a rename?

I thought that maybe the Delete is a “high level” routine that copies the
file to the recycler, but the same results seems to be happening when catch
them in a postoperation callout.

Does anyone know what I’m missing?

Thanks,

Gene

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@livevault.com To unsubscribe
send a blank email to xxxxx@lists.osr.com

Lyndon_J_Clarke-2 · August 18, 2005, 1:11pm

Ted

I am retty darned sure (as in, it is for sure what i have seen, age ago, and
just now) its

IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile FALSE
IRP_MJ_SET_INFORMATION/FileRenameInformation

in that order. So for fun there is a small race condition which can be used
to “defeat” this function of explorer

Cheers
Lyndon

“Ted Hess” wrote in message news:xxxxx@ntfsd…
> This observation and subsequent question get asked here frequently.
>
> Here’s the essentials of what is happening when you delete a file via the
> Windows Explorer with the recycle bin enabled.
>
> - File is opened (DELETE access)
> - It is marked for deletion via
> IRP_MJ_SET_INFORMATION/FileDispositionInformation.
> - It is then renamed via IRP_MJ_SET_INFORMATION/FileRenameInformation into
> the recyle bin.
> - It is then unmarked for deletion via
> IRP_MJ_SET_INFORMATION/FileDispositionInformation.
> - It is now closed
>
> By marking it for deletion first, you guarantee it indeed can be deleted
> and
> no further access to the file (new handles) is possible until it is
> “undeleted”.
>
> /ted
>
> -----Original Message-----
> From: Gene Allen [mailto:xxxxx@bystormsoftware.com]
> Sent: Thursday, August 11, 2005 12:22 PM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] FileDispositionInformation (Deletes) before
> FileRenameInformation (renames)
>
>
> Sorry that the title is sort of cryptic, but the news server rejected my
> non-cryptic title which was much clearer.
>
> Hi all, I’ve built a little minifilter to watch what is happening when you
> delete a file with the explorer.
>
> Basically, I’m picking up, in a preoperation callout, the
> IRP_MJ_SET_INFORMATION looking for FileRenameInformation for Renames and
> FileDispositionInformation (delete flag) for Deletes and IRP_MJ_CREATE
> with
> the File_DELETEP_ON_CLOSE options flag set.
>
> When I delete the file, I get a Delete coming thru on the file I deleted
> and
>
> then a get a Rename on it to the recycler. Which makes some sense, but it
> seems to be backwards.I would have expected a “Rename” and no delete (a
> move) or since this is low level, a rename then a delete (a copy and then
> a
> delete) but a delete then a rename?
>
> I thought that maybe the Delete is a “high level” routine that copies the
> file to the recycler, but the same results seems to be happening when
> catch
> them in a postoperation callout.
>
> Does anyone know what I’m missing?
>
> Thanks,
>
> Gene
>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@livevault.com To
> unsubscribe
> send a blank email to xxxxx@lists.osr.com
>

OSR_Community_User · August 18, 2005, 1:45pm

Hmmmm, you are probably correct. My observations (and memory) were from NT
3.51/4.0 days.

/ted

-----Original Message-----
From: Lyndon J Clarke [mailto:xxxxx@neverfailgroup.com]
Sent: Thursday, August 18, 2005 1:08 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] FileDispositionInformation (Deletes) before FileRenam
eInformation (renames)

Ted

I am retty darned sure (as in, it is for sure what i have seen, age ago, and

just now) its

IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile FALSE
IRP_MJ_SET_INFORMATION/FileRenameInformation

in that order. So for fun there is a small race condition which can be used
to “defeat” this function of explorer

Cheers
Lyndon

“Ted Hess” wrote in message news:xxxxx@ntfsd…
> This observation and subsequent question get asked here frequently.
>
> Here’s the essentials of what is happening when you delete a file via
> the Windows Explorer with the recycle bin enabled.
>
> - File is opened (DELETE access)
> - It is marked for deletion via
> IRP_MJ_SET_INFORMATION/FileDispositionInformation.
> - It is then renamed via IRP_MJ_SET_INFORMATION/FileRenameInformation
> into the recyle bin.
> - It is then unmarked for deletion via
> IRP_MJ_SET_INFORMATION/FileDispositionInformation.
> - It is now closed
>
> By marking it for deletion first, you guarantee it indeed can be
> deleted
> and
> no further access to the file (new handles) is possible until it is
> “undeleted”.
>
> /ted
>
> -----Original Message-----
> From: Gene Allen [mailto:xxxxx@bystormsoftware.com]
> Sent: Thursday, August 11, 2005 12:22 PM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] FileDispositionInformation (Deletes) before
> FileRenameInformation (renames)
>
>
> Sorry that the title is sort of cryptic, but the news server rejected
> my non-cryptic title which was much clearer.
>
> Hi all, I’ve built a little minifilter to watch what is happening when
> you delete a file with the explorer.
>
> Basically, I’m picking up, in a preoperation callout, the
> IRP_MJ_SET_INFORMATION looking for FileRenameInformation for Renames
> and FileDispositionInformation (delete flag) for Deletes and
> IRP_MJ_CREATE with the File_DELETEP_ON_CLOSE options flag set.
>
> When I delete the file, I get a Delete coming thru on the file I
> deleted
> and
>
> then a get a Rename on it to the recycler. Which makes some sense,
> but it seems to be backwards.I would have expected a “Rename” and no
> delete (a
> move) or since this is low level, a rename then a delete (a copy and then
> a
> delete) but a delete then a rename?
>
> I thought that maybe the Delete is a “high level” routine that copies
> the file to the recycler, but the same results seems to be happening
> when catch them in a postoperation callout.
>
> Does anyone know what I’m missing?
>
> Thanks,
>
> Gene
>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@livevault.com To
> unsubscribe
> send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@livevault.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Lyndon_J_Clarke-2 · August 18, 2005, 1:57pm

Hmmmmmmmm, you are probably correct. I have been filtering W2K[+].

“Ted Hess” wrote in message news:xxxxx@ntfsd…
> Hmmmm, you are probably correct. My observations (and memory) were from NT
> 3.51/4.0 days.
>
> /ted
>
> -----Original Message-----
> From: Lyndon J Clarke [mailto:xxxxx@neverfailgroup.com]
> Sent: Thursday, August 18, 2005 1:08 PM
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] FileDispositionInformation (Deletes) before FileRenam
> eInformation (renames)
>
>
> Ted
>
> I am retty darned sure (as in, it is for sure what i have seen, age ago,
> and
>
> just now) its
>
> IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
> IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile FALSE
> IRP_MJ_SET_INFORMATION/FileRenameInformation
>
> in that order. So for fun there is a small race condition which can be
> used
> to “defeat” this function of explorer
>
> Cheers
> Lyndon
>
> “Ted Hess” wrote in message news:xxxxx@ntfsd…
>> This observation and subsequent question get asked here frequently.
>>
>> Here’s the essentials of what is happening when you delete a file via
>> the Windows Explorer with the recycle bin enabled.
>>
>> - File is opened (DELETE access)
>> - It is marked for deletion via
>> IRP_MJ_SET_INFORMATION/FileDispositionInformation.
>> - It is then renamed via IRP_MJ_SET_INFORMATION/FileRenameInformation
>> into the recyle bin.
>> - It is then unmarked for deletion via
>> IRP_MJ_SET_INFORMATION/FileDispositionInformation.
>> - It is now closed
>>
>> By marking it for deletion first, you guarantee it indeed can be
>> deleted
>> and
>> no further access to the file (new handles) is possible until it is
>> “undeleted”.
>>
>> /ted
>>
>> -----Original Message-----
>> From: Gene Allen [mailto:xxxxx@bystormsoftware.com]
>> Sent: Thursday, August 11, 2005 12:22 PM
>> To: Windows File Systems Devs Interest List
>> Subject: [ntfsd] FileDispositionInformation (Deletes) before
>> FileRenameInformation (renames)
>>
>>
>> Sorry that the title is sort of cryptic, but the news server rejected
>> my non-cryptic title which was much clearer.
>>
>> Hi all, I’ve built a little minifilter to watch what is happening when
>> you delete a file with the explorer.
>>
>> Basically, I’m picking up, in a preoperation callout, the
>> IRP_MJ_SET_INFORMATION looking for FileRenameInformation for Renames
>> and FileDispositionInformation (delete flag) for Deletes and
>> IRP_MJ_CREATE with the File_DELETEP_ON_CLOSE options flag set.
>>
>> When I delete the file, I get a Delete coming thru on the file I
>> deleted
>> and
>>
>> then a get a Rename on it to the recycler. Which makes some sense,
>> but it seems to be backwards.I would have expected a “Rename” and no
>> delete (a
>> move) or since this is low level, a rename then a delete (a copy and then
>> a
>> delete) but a delete then a rename?
>>
>> I thought that maybe the Delete is a “high level” routine that copies
>> the file to the recycler, but the same results seems to be happening
>> when catch them in a postoperation callout.
>>
>> Does anyone know what I’m missing?
>>
>> Thanks,
>>
>> Gene
>>
>>
>>
>>
>> —
>> Questions? First check the IFS FAQ at
>> https://www.osronline.com/article.cfm?id=17
>>
>> You are currently subscribed to ntfsd as: xxxxx@livevault.com To
>> unsubscribe
>> send a blank email to xxxxx@lists.osr.com
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@livevault.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>