Re: Help Rolling out IRP_MJ_WRITE?

Redirecting to ntfsd…

Thanks Pete for ur comments. I shall look into that… by attaching filemon
to that particular folder.
Actually what i meant was i create a file called new microsoft word
document. and then i just do a single click on the file and it generates
IRP_write cached, irp_read cached and irp_read noncached paged.
So file is in plain text in the cache as well as in the disk.
Now when i double click the file to open i get a irp_read noncached paged.
whcih reads from the disk and decrypts the plain text and shows the output
as garbled.

actually the irp_write noncached for the plaintext did not come through at
all…That worries me as it happens only with Office files such as
doc,xls,ppt etc.,

Meanwhile i have solved that problem by introducing a Noncached write
whenever i get a Cachedwrite.

Say for example when i get a cached write from offset 0 to offset 12000 i
include a function in it as

writefile(Deviceobject,fileobject,writeoffset,writelength,buffer) this
function calls my NonCached write and encrypts that to the disk…This seems
to work fine. till now

Do u think any problem with this approach???

Once again Thank you Very much for ur help…

Regards
Shal.

“Peter Scott” wrote in message
news:xxxxx@ntdev…
>
> Shal,
>
> First, this would be better posted on the NTFSD list but we’ll address
> your
> points here.
>
> Your comments are a little contradictory. You indicate that you are “still
> in file create stage” so the rename is irrelevant but then you go on to
> say
> that you are seeing the IO requests. Which is it?
>
> Here is the typical scenario that one could expect, note that a lot of
> requests have been left out and ordering may be slightly off but the
> overall
> picture is here:
>
> - IRP_MJ_CREATE to open foo.doc
> - IRP_MJ_READ cached/noncached reads to foo.doc to retrieve data
> - IRP_MJ_CREATE to create temp file ~wrd0001.doc
> - IRP_MJ_WRITE to ~wrd0001.doc (of data read into foo.doc)
> - IRP_MJ_WRITE to ~wrd0001.doc for any modifications made to foo.doc
> - IRP_MJ_SET_INFORMATION (Rename) of ~wrd0001.doc to foo.doc
>
> This is the basic gist of how it works, not accurate but basically there.
> I
> would bet you are missing the paging requests which are destined for the
> temporary file, and not encrypting these buffers. Hence you are getting
> clear test in the foo.doc file.
>
> Run filemon and have all your tests in some known sub-directory say \foo.
> Then have filemon filter on this directory only and you will see
> everything.
> You are simply missing some requests.
>
> Your first question below, ‘which buffer do I use to write out the entire
> file?’ is missing the point. If you want to write something to a file YOU
> need to allocate the buffer and populate it with the correct contents. I
> think, again, you are missing some functionality and some requests.
>
> Pete
>
> Kernel Drivers
> Windows Filesystem and Device Driver Consulting
> www.KernelDrivers.com
> (303)546-0300
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
> Sent: Tuesday, May 10, 2005 2:53 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Help Rolling out IRP_MJ_WRITE?
>
> Pete,
> Thank you very much for the reply…
> Yeah i am trying to generate my own IRP Write but is it possible to
> generate
>
> a IRP_MJ_WRITE for a fileobject for the entire file size.?
> The only thing that worries me is how do i know the buffer to write. I
> just
>
> want to generate a IRP_MJ_WRITE for the entire file as depicted by
> fileobject .
>
> Yes also i know the rename operations but actually i am still in the file
> creation stage.
> For example i am creating a file by right clicking in the explorer say
> “New
> Microsoft word document”
> At that time i dont see any temporary files at all. I can see my file in
> IRP_MJ_CREATE …followed by Write cache …
> followed by ReadNon Cached and Read Cached…
> The thing is that there is no IRP_MJ_WRITE nonCached and hence the file
> new
> microsoft word document is not at all encrypted.
>
> SO now when i double click the file to open it i get a Read Non Cached and
> hence its decrypted and i get garbled data.
> This is not true for any other files…All the other files except the
> DOC,XLS,PPT works by generating a Write NonCached/Paging once the file is
> created.
>
> I shall also try what u had specified…
>
> Once again thanks…much…
>
> Regards
> Shal.
>
>
>
>
> “Peter Scott” wrote in message
> news:xxxxx@ntdev…
>> Shal,
>>
>> You do realize that Word uses rename operations to save off the data,
>> right?
>> In other words, you will see the open of say foo.doc and the paging read
>> for
>> this but then the contents are stored in a temporary file, say
>> ~wrd0001.doc.
>> When everything is done, it then renames the temporary file to the
>> original
>> file. It does some of this in several iterations, reading, checking …
>>
>> If you look at filemon filtering on a particular directory name where the
>> Word document is stored, you will see all this craziness.
>>
>> But to answer the original question, yes you can roll up your own paging
>> IRP_MJ_WRITE before passing the IRP_MJ_CLOSE down the fsd. This is
>> actually
>> one of the few things you can do on a given fileobject between
>> IRP_MJ_CLEANUP and IRP_MJ_CLOSE - paging IO and some
>> IRP_MJ_SET_INFORMATION
>> classes.
>>
>> Pete
>>
>> Kernel Drivers
>> Windows Filesystem and Device Driver Consulting
>> www.KernelDrivers.com
>> (303)546-0300
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>> Sent: Tuesday, May 10, 2005 12:12 PM
>> To: Windows System Software Devs Interest List
>> Subject: [ntdev] Help Rolling out IRP_MJ_WRITE?
>>
>> Can we roll out an IRP_MJ_WRITE for the fileobject( so that it initiates
>> a
>> PagingIO,NocacheIO write ) in IRP_MJ_CLOSE in a file system filter
>> driver.?
>> How can it be done? For instance right now i can write a known buffer in
>> a
>> particular offset but how to write the entire file buffer to the disk…
>>
>> The reason why i am doing this is i dont get a IRP_MJ_WRITE when i right
>> click and select create a new word document in a Special folder(where my
>> File System Filter Driver is active) . It initiates a IRP_MJ_CREATE and
>> initiates cached read,cached write and then Noncached Read but never
>> NONCACHED IRP_MJ_WRITE.
>>
>> So when i open the file it always considers it as encrypted and so
>> displays
>> junk data…
>>
>> I am not having any headers and my encrypted file size is equal to plain
>> text file size.
>>
>> This also happens when i move a file from another folder to the special
>> folder.
>>
>> Is my approach right???
>>
>>
>> Any hint is appreciated very much…
>>
>> Thanks and Regards
>> Shal.
>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

Shal,

There is definitely a problem here. Just because you don’t see it doesn’t
mean it is going to happen. It will happen, you just need to wait. The data
is in cache and there are no ‘rules’ as to when this data will be flushed,
at least nothing deterministic.

You can try to force a flush of the cache when you think all user mode
references are gone but there are scenarios that this will not work, for
instance memory mapped files.

The idea here is that when data is dirtied in a cache map, the cache manager
and memory manager don’t have to flush that data out immediately. They don’t
even have to flush it out after you close the application, though with word
I have not seen the paging write be delayed very long since they are trying
to ensure data is out to disk, etc.

I would guess you are either not waiting long enough, missing the paging
write request or have an issue with your tracking mechanism and thus, back
to the first, you are missing the request.

How are you tracking files that you are encrypting? Is it via fileobject,
fscontext, name?

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
Sent: Wednesday, May 11, 2005 10:46 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Help Rolling out IRP_MJ_WRITE?

Redirecting to ntfsd…

Thanks Pete for ur comments. I shall look into that… by attaching filemon
to that particular folder.
Actually what i meant was i create a file called new microsoft word
document. and then i just do a single click on the file and it generates
IRP_write cached, irp_read cached and irp_read noncached paged.
So file is in plain text in the cache as well as in the disk.
Now when i double click the file to open i get a irp_read noncached paged.
whcih reads from the disk and decrypts the plain text and shows the output
as garbled.

actually the irp_write noncached for the plaintext did not come through at
all…That worries me as it happens only with Office files such as
doc,xls,ppt etc.,

Meanwhile i have solved that problem by introducing a Noncached write
whenever i get a Cachedwrite.

Say for example when i get a cached write from offset 0 to offset 12000 i
include a function in it as

writefile(Deviceobject,fileobject,writeoffset,writelength,buffer) this
function calls my NonCached write and encrypts that to the disk…This seems

to work fine. till now

Do u think any problem with this approach???

Once again Thank you Very much for ur help…

Regards
Shal.

“Peter Scott” wrote in message
news:xxxxx@ntdev…
>
> Shal,
>
> First, this would be better posted on the NTFSD list but we’ll address
> your
> points here.
>
> Your comments are a little contradictory. You indicate that you are “still
> in file create stage” so the rename is irrelevant but then you go on to
> say
> that you are seeing the IO requests. Which is it?
>
> Here is the typical scenario that one could expect, note that a lot of
> requests have been left out and ordering may be slightly off but the
> overall
> picture is here:
>
> - IRP_MJ_CREATE to open foo.doc
> - IRP_MJ_READ cached/noncached reads to foo.doc to retrieve data
> - IRP_MJ_CREATE to create temp file ~wrd0001.doc
> - IRP_MJ_WRITE to ~wrd0001.doc (of data read into foo.doc)
> - IRP_MJ_WRITE to ~wrd0001.doc for any modifications made to foo.doc
> - IRP_MJ_SET_INFORMATION (Rename) of ~wrd0001.doc to foo.doc
>
> This is the basic gist of how it works, not accurate but basically there.
> I
> would bet you are missing the paging requests which are destined for the
> temporary file, and not encrypting these buffers. Hence you are getting
> clear test in the foo.doc file.
>
> Run filemon and have all your tests in some known sub-directory say \foo.
> Then have filemon filter on this directory only and you will see
> everything.
> You are simply missing some requests.
>
> Your first question below, ‘which buffer do I use to write out the entire
> file?’ is missing the point. If you want to write something to a file YOU
> need to allocate the buffer and populate it with the correct contents. I
> think, again, you are missing some functionality and some requests.
>
> Pete
>
> Kernel Drivers
> Windows Filesystem and Device Driver Consulting
> www.KernelDrivers.com
> (303)546-0300
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
> Sent: Tuesday, May 10, 2005 2:53 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Help Rolling out IRP_MJ_WRITE?
>
> Pete,
> Thank you very much for the reply…
> Yeah i am trying to generate my own IRP Write but is it possible to
> generate
>
> a IRP_MJ_WRITE for a fileobject for the entire file size.?
> The only thing that worries me is how do i know the buffer to write. I
> just
>
> want to generate a IRP_MJ_WRITE for the entire file as depicted by
> fileobject .
>
> Yes also i know the rename operations but actually i am still in the file
> creation stage.
> For example i am creating a file by right clicking in the explorer say
> “New
> Microsoft word document”
> At that time i dont see any temporary files at all. I can see my file in
> IRP_MJ_CREATE …followed by Write cache …
> followed by ReadNon Cached and Read Cached…
> The thing is that there is no IRP_MJ_WRITE nonCached and hence the file
> new
> microsoft word document is not at all encrypted.
>
> SO now when i double click the file to open it i get a Read Non Cached and
> hence its decrypted and i get garbled data.
> This is not true for any other files…All the other files except the
> DOC,XLS,PPT works by generating a Write NonCached/Paging once the file is
> created.
>
> I shall also try what u had specified…
>
> Once again thanks…much…
>
> Regards
> Shal.
>
>
>
>
> “Peter Scott” wrote in message
> news:xxxxx@ntdev…
>> Shal,
>>
>> You do realize that Word uses rename operations to save off the data,
>> right?
>> In other words, you will see the open of say foo.doc and the paging read
>> for
>> this but then the contents are stored in a temporary file, say
>> ~wrd0001.doc.
>> When everything is done, it then renames the temporary file to the
>> original
>> file. It does some of this in several iterations, reading, checking …
>>
>> If you look at filemon filtering on a particular directory name where the
>> Word document is stored, you will see all this craziness.
>>
>> But to answer the original question, yes you can roll up your own paging
>> IRP_MJ_WRITE before passing the IRP_MJ_CLOSE down the fsd. This is
>> actually
>> one of the few things you can do on a given fileobject between
>> IRP_MJ_CLEANUP and IRP_MJ_CLOSE - paging IO and some
>> IRP_MJ_SET_INFORMATION
>> classes.
>>
>> Pete
>>
>> Kernel Drivers
>> Windows Filesystem and Device Driver Consulting
>> www.KernelDrivers.com
>> (303)546-0300
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>> Sent: Tuesday, May 10, 2005 12:12 PM
>> To: Windows System Software Devs Interest List
>> Subject: [ntdev] Help Rolling out IRP_MJ_WRITE?
>>
>> Can we roll out an IRP_MJ_WRITE for the fileobject( so that it initiates
>> a
>> PagingIO,NocacheIO write ) in IRP_MJ_CLOSE in a file system filter
>> driver.?
>> How can it be done? For instance right now i can write a known buffer in
>> a
>> particular offset but how to write the entire file buffer to the disk…
>>
>> The reason why i am doing this is i dont get a IRP_MJ_WRITE when i right
>> click and select create a new word document in a Special folder(where my
>> File System Filter Driver is active) . It initiates a IRP_MJ_CREATE and
>> initiates cached read,cached write and then Noncached Read but never
>> NONCACHED IRP_MJ_WRITE.
>>
>> So when i open the file it always considers it as encrypted and so
>> displays
>> junk data…
>>
>> I am not having any headers and my encrypted file size is equal to plain
>> text file size.
>>
>> This also happens when i move a file from another folder to the special
>> folder.
>>
>> Is my approach right???
>>
>>
>> Any hint is appreciated very much…
>>
>> Thanks and Regards
>> Shal.
>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I am using fileobject and fscontext …
Say in Readwrite

fileObject = CurrentIrpStack->FileObject.

I use a function called …

GetMyFCB(fileObject);

In that i traverse my link list
and check for the condition

if(mylinklistnode->fileobject==recvdfileobject &&
mylinklistnode->fscontexttracker==recvdfileobject->fscontext)
return mylinklistnode;
else
continue traversing the list

else return NULL if its not found at all…

So if its not in my special folder i wud recv NULL and i would just call the
underlying driver…
if i obtain a Non NULL then that means its in my specialfolder and i check
for IRP_Read Write cached noncached etc.,

Setting up my tracking is done in IRp_Create and createcompletion.
in Create i allocate new memory for fileobject->FScontext and
fileobject->Sectionobjectpointers.
in createcompletion i get the same fileobject but different fscontext…so i
keep track of it my keeping a new pointer fscontexttracker.
and then use GetMyFCB to deal with all the stuffs…

in IRP_MJ_CLOSE i decrement the reference or delete the entire
mylinklistnode when the reference is zero…
in IRP_MJ_CLEANUP i do a ccflushcache

Do you witness any problems in this tracking ???

Thank you very much for the help…
Regards
Shal.

“Peter Scott” wrote in message
news:xxxxx@ntfsd…
>
> Shal,
>
> There is definitely a problem here. Just because you don’t see it doesn’t
> mean it is going to happen. It will happen, you just need to wait. The
> data
> is in cache and there are no ‘rules’ as to when this data will be flushed,
> at least nothing deterministic.
>
> You can try to force a flush of the cache when you think all user mode
> references are gone but there are scenarios that this will not work, for
> instance memory mapped files.
>
> The idea here is that when data is dirtied in a cache map, the cache
> manager
> and memory manager don’t have to flush that data out immediately. They
> don’t
> even have to flush it out after you close the application, though with
> word
> I have not seen the paging write be delayed very long since they are
> trying
> to ensure data is out to disk, etc.
>
> I would guess you are either not waiting long enough, missing the paging
> write request or have an issue with your tracking mechanism and thus, back
> to the first, you are missing the request.
>
> How are you tracking files that you are encrypting? Is it via fileobject,
> fscontext, name?
>
> Pete
>
> Kernel Drivers
> Windows Filesystem and Device Driver Consulting
> www.KernelDrivers.com
> (303)546-0300
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
> Sent: Wednesday, May 11, 2005 10:46 AM
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] Help Rolling out IRP_MJ_WRITE?
>
> Redirecting to ntfsd…
>
> Thanks Pete for ur comments. I shall look into that… by attaching
> filemon
> to that particular folder.
> Actually what i meant was i create a file called new microsoft word
> document. and then i just do a single click on the file and it generates
> IRP_write cached, irp_read cached and irp_read noncached paged.
> So file is in plain text in the cache as well as in the disk.
> Now when i double click the file to open i get a irp_read noncached paged.
> whcih reads from the disk and decrypts the plain text and shows the output
> as garbled.
>
> actually the irp_write noncached for the plaintext did not come through at
> all…That worries me as it happens only with Office files such as
> doc,xls,ppt etc.,
>
> Meanwhile i have solved that problem by introducing a Noncached write
> whenever i get a Cachedwrite.
>
> Say for example when i get a cached write from offset 0 to offset 12000 i
> include a function in it as
>
> writefile(Deviceobject,fileobject,writeoffset,writelength,buffer) this
> function calls my NonCached write and encrypts that to the disk…This
> seems
>
> to work fine. till now
>
> Do u think any problem with this approach???
>
> Once again Thank you Very much for ur help…
>
> Regards
> Shal.
>
>
>
>
> “Peter Scott” wrote in message
> news:xxxxx@ntdev…
>>
>> Shal,
>>
>> First, this would be better posted on the NTFSD list but we’ll address
>> your
>> points here.
>>
>> Your comments are a little contradictory. You indicate that you are
>> “still
>> in file create stage” so the rename is irrelevant but then you go on to
>> say
>> that you are seeing the IO requests. Which is it?
>>
>> Here is the typical scenario that one could expect, note that a lot of
>> requests have been left out and ordering may be slightly off but the
>> overall
>> picture is here:
>>
>> - IRP_MJ_CREATE to open foo.doc
>> - IRP_MJ_READ cached/noncached reads to foo.doc to retrieve data
>> - IRP_MJ_CREATE to create temp file ~wrd0001.doc
>> - IRP_MJ_WRITE to ~wrd0001.doc (of data read into foo.doc)
>> - IRP_MJ_WRITE to ~wrd0001.doc for any modifications made to foo.doc
>> - IRP_MJ_SET_INFORMATION (Rename) of ~wrd0001.doc to foo.doc
>>
>> This is the basic gist of how it works, not accurate but basically there.
>> I
>> would bet you are missing the paging requests which are destined for the
>> temporary file, and not encrypting these buffers. Hence you are getting
>> clear test in the foo.doc file.
>>
>> Run filemon and have all your tests in some known sub-directory say \foo.
>> Then have filemon filter on this directory only and you will see
>> everything.
>> You are simply missing some requests.
>>
>> Your first question below, ‘which buffer do I use to write out the entire
>> file?’ is missing the point. If you want to write something to a file YOU
>> need to allocate the buffer and populate it with the correct contents. I
>> think, again, you are missing some functionality and some requests.
>>
>> Pete
>>
>> Kernel Drivers
>> Windows Filesystem and Device Driver Consulting
>> www.KernelDrivers.com
>> (303)546-0300
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>> Sent: Tuesday, May 10, 2005 2:53 PM
>> To: Windows System Software Devs Interest List
>> Subject: Re:[ntdev] Help Rolling out IRP_MJ_WRITE?
>>
>> Pete,
>> Thank you very much for the reply…
>> Yeah i am trying to generate my own IRP Write but is it possible to
>> generate
>>
>> a IRP_MJ_WRITE for a fileobject for the entire file size.?
>> The only thing that worries me is how do i know the buffer to write. I
>> just
>>
>> want to generate a IRP_MJ_WRITE for the entire file as depicted by
>> fileobject .
>>
>> Yes also i know the rename operations but actually i am still in the file
>> creation stage.
>> For example i am creating a file by right clicking in the explorer say
>> “New
>> Microsoft word document”
>> At that time i dont see any temporary files at all. I can see my file in
>> IRP_MJ_CREATE …followed by Write cache …
>> followed by ReadNon Cached and Read Cached…
>> The thing is that there is no IRP_MJ_WRITE nonCached and hence the file
>> new
>> microsoft word document is not at all encrypted.
>>
>> SO now when i double click the file to open it i get a Read Non Cached
>> and
>> hence its decrypted and i get garbled data.
>> This is not true for any other files…All the other files except the
>> DOC,XLS,PPT works by generating a Write NonCached/Paging once the file is
>> created.
>>
>> I shall also try what u had specified…
>>
>> Once again thanks…much…
>>
>> Regards
>> Shal.
>>
>>
>>
>>
>> “Peter Scott” wrote in message
>> news:xxxxx@ntdev…
>>> Shal,
>>>
>>> You do realize that Word uses rename operations to save off the data,
>>> right?
>>> In other words, you will see the open of say foo.doc and the paging read
>>> for
>>> this but then the contents are stored in a temporary file, say
>>> ~wrd0001.doc.
>>> When everything is done, it then renames the temporary file to the
>>> original
>>> file. It does some of this in several iterations, reading, checking …
>>>
>>> If you look at filemon filtering on a particular directory name where
>>> the
>>> Word document is stored, you will see all this craziness.
>>>
>>> But to answer the original question, yes you can roll up your own paging
>>> IRP_MJ_WRITE before passing the IRP_MJ_CLOSE down the fsd. This is
>>> actually
>>> one of the few things you can do on a given fileobject between
>>> IRP_MJ_CLEANUP and IRP_MJ_CLOSE - paging IO and some
>>> IRP_MJ_SET_INFORMATION
>>> classes.
>>>
>>> Pete
>>>
>>> Kernel Drivers
>>> Windows Filesystem and Device Driver Consulting
>>> www.KernelDrivers.com
>>> (303)546-0300
>>>
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>>> Sent: Tuesday, May 10, 2005 12:12 PM
>>> To: Windows System Software Devs Interest List
>>> Subject: [ntdev] Help Rolling out IRP_MJ_WRITE?
>>>
>>> Can we roll out an IRP_MJ_WRITE for the fileobject( so that it initiates
>>> a
>>> PagingIO,NocacheIO write ) in IRP_MJ_CLOSE in a file system filter
>>> driver.?
>>> How can it be done? For instance right now i can write a known buffer
>>> in
>>> a
>>> particular offset but how to write the entire file buffer to the disk…
>>>
>>> The reason why i am doing this is i dont get a IRP_MJ_WRITE when i
>>> right
>>> click and select create a new word document in a Special folder(where my
>>> File System Filter Driver is active) . It initiates a IRP_MJ_CREATE and
>>> initiates cached read,cached write and then Noncached Read but never
>>> NONCACHED IRP_MJ_WRITE.
>>>
>>> So when i open the file it always considers it as encrypted and so
>>> displays
>>> junk data…
>>>
>>> I am not having any headers and my encrypted file size is equal to plain
>>> text file size.
>>>
>>> This also happens when i move a file from another folder to the special
>>> folder.
>>>
>>> Is my approach right???
>>>
>>>
>>> Any hint is appreciated very much…
>>>
>>> Thanks and Regards
>>> Shal.
>>>
>>>
>>>
>>> —
>>> Questions? First check the Kernel Driver FAQ at
>>> http://www.osronline.com/article.cfm?id=256
>>>
>>> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

Shal,

Yes there is a problem. Have you read the reference counting article at
OSRONLINE? The case you are missing is when the fileobject is created by the
underlying FSD to initialize caching. In this case, you will receive a
fileobject that you have not previously seen via the IRP_MJ_CREATE pathway
in an IRP_MJ_READ/WRITE request. These are termed stream fileobjects and
generally have the FO_STREAM_FILE bit set in the flags. I say generally
because there are known products out there which remove this bit until the
fileobject is closed and thus it is hard to determine that it is actually a
stream fileobejct except for the fact that you have not seen this fileobject
processed via the IRP_MJ_CREATE pathway.

You should remove the fileobject comparison in your lookup and only base it
on the fscontext value.

Next, you should not be touching either the SOP or the FsContext during
IRP_MJ_CREATE. These belong to the underlying FSD, they are not yours to
use. The FsContext will be setup by the underlying FSD and you can use it on
the completion side of IRP_MJ_CREATE to insert it into your lookup tree, if
it does not already exist.

Again, go read the article on referencing counting for filters at
www.osronline.com

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
Sent: Wednesday, May 11, 2005 11:29 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Help Rolling out IRP_MJ_WRITE?

I am using fileobject and fscontext …
Say in Readwrite

fileObject = CurrentIrpStack->FileObject.

I use a function called …

GetMyFCB(fileObject);

In that i traverse my link list
and check for the condition

if(mylinklistnode->fileobject==recvdfileobject &&
mylinklistnode->fscontexttracker==recvdfileobject->fscontext)
return mylinklistnode;
else
continue traversing the list

else return NULL if its not found at all…

So if its not in my special folder i wud recv NULL and i would just call the

underlying driver…
if i obtain a Non NULL then that means its in my specialfolder and i check
for IRP_Read Write cached noncached etc.,

Setting up my tracking is done in IRp_Create and createcompletion.
in Create i allocate new memory for fileobject->FScontext and
fileobject->Sectionobjectpointers.
in createcompletion i get the same fileobject but different fscontext…so i

keep track of it my keeping a new pointer fscontexttracker.
and then use GetMyFCB to deal with all the stuffs…

in IRP_MJ_CLOSE i decrement the reference or delete the entire
mylinklistnode when the reference is zero…
in IRP_MJ_CLEANUP i do a ccflushcache

Do you witness any problems in this tracking ???

Thank you very much for the help…
Regards
Shal.

“Peter Scott” wrote in message
news:xxxxx@ntfsd…
>
> Shal,
>
> There is definitely a problem here. Just because you don’t see it doesn’t
> mean it is going to happen. It will happen, you just need to wait. The
> data
> is in cache and there are no ‘rules’ as to when this data will be flushed,
> at least nothing deterministic.
>
> You can try to force a flush of the cache when you think all user mode
> references are gone but there are scenarios that this will not work, for
> instance memory mapped files.
>
> The idea here is that when data is dirtied in a cache map, the cache
> manager
> and memory manager don’t have to flush that data out immediately. They
> don’t
> even have to flush it out after you close the application, though with
> word
> I have not seen the paging write be delayed very long since they are
> trying
> to ensure data is out to disk, etc.
>
> I would guess you are either not waiting long enough, missing the paging
> write request or have an issue with your tracking mechanism and thus, back
> to the first, you are missing the request.
>
> How are you tracking files that you are encrypting? Is it via fileobject,
> fscontext, name?
>
> Pete
>
> Kernel Drivers
> Windows Filesystem and Device Driver Consulting
> www.KernelDrivers.com
> (303)546-0300
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
> Sent: Wednesday, May 11, 2005 10:46 AM
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] Help Rolling out IRP_MJ_WRITE?
>
> Redirecting to ntfsd…
>
> Thanks Pete for ur comments. I shall look into that… by attaching
> filemon
> to that particular folder.
> Actually what i meant was i create a file called new microsoft word
> document. and then i just do a single click on the file and it generates
> IRP_write cached, irp_read cached and irp_read noncached paged.
> So file is in plain text in the cache as well as in the disk.
> Now when i double click the file to open i get a irp_read noncached paged.
> whcih reads from the disk and decrypts the plain text and shows the output
> as garbled.
>
> actually the irp_write noncached for the plaintext did not come through at
> all…That worries me as it happens only with Office files such as
> doc,xls,ppt etc.,
>
> Meanwhile i have solved that problem by introducing a Noncached write
> whenever i get a Cachedwrite.
>
> Say for example when i get a cached write from offset 0 to offset 12000 i
> include a function in it as
>
> writefile(Deviceobject,fileobject,writeoffset,writelength,buffer) this
> function calls my NonCached write and encrypts that to the disk…This
> seems
>
> to work fine. till now
>
> Do u think any problem with this approach???
>
> Once again Thank you Very much for ur help…
>
> Regards
> Shal.
>
>
>
>
> “Peter Scott” wrote in message
> news:xxxxx@ntdev…
>>
>> Shal,
>>
>> First, this would be better posted on the NTFSD list but we’ll address
>> your
>> points here.
>>
>> Your comments are a little contradictory. You indicate that you are
>> “still
>> in file create stage” so the rename is irrelevant but then you go on to
>> say
>> that you are seeing the IO requests. Which is it?
>>
>> Here is the typical scenario that one could expect, note that a lot of
>> requests have been left out and ordering may be slightly off but the
>> overall
>> picture is here:
>>
>> - IRP_MJ_CREATE to open foo.doc
>> - IRP_MJ_READ cached/noncached reads to foo.doc to retrieve data
>> - IRP_MJ_CREATE to create temp file ~wrd0001.doc
>> - IRP_MJ_WRITE to ~wrd0001.doc (of data read into foo.doc)
>> - IRP_MJ_WRITE to ~wrd0001.doc for any modifications made to foo.doc
>> - IRP_MJ_SET_INFORMATION (Rename) of ~wrd0001.doc to foo.doc
>>
>> This is the basic gist of how it works, not accurate but basically there.
>> I
>> would bet you are missing the paging requests which are destined for the
>> temporary file, and not encrypting these buffers. Hence you are getting
>> clear test in the foo.doc file.
>>
>> Run filemon and have all your tests in some known sub-directory say \foo.
>> Then have filemon filter on this directory only and you will see
>> everything.
>> You are simply missing some requests.
>>
>> Your first question below, ‘which buffer do I use to write out the entire
>> file?’ is missing the point. If you want to write something to a file YOU
>> need to allocate the buffer and populate it with the correct contents. I
>> think, again, you are missing some functionality and some requests.
>>
>> Pete
>>
>> Kernel Drivers
>> Windows Filesystem and Device Driver Consulting
>> www.KernelDrivers.com
>> (303)546-0300
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>> Sent: Tuesday, May 10, 2005 2:53 PM
>> To: Windows System Software Devs Interest List
>> Subject: Re:[ntdev] Help Rolling out IRP_MJ_WRITE?
>>
>> Pete,
>> Thank you very much for the reply…
>> Yeah i am trying to generate my own IRP Write but is it possible to
>> generate
>>
>> a IRP_MJ_WRITE for a fileobject for the entire file size.?
>> The only thing that worries me is how do i know the buffer to write. I
>> just
>>
>> want to generate a IRP_MJ_WRITE for the entire file as depicted by
>> fileobject .
>>
>> Yes also i know the rename operations but actually i am still in the file
>> creation stage.
>> For example i am creating a file by right clicking in the explorer say
>> “New
>> Microsoft word document”
>> At that time i dont see any temporary files at all. I can see my file in
>> IRP_MJ_CREATE …followed by Write cache …
>> followed by ReadNon Cached and Read Cached…
>> The thing is that there is no IRP_MJ_WRITE nonCached and hence the file
>> new
>> microsoft word document is not at all encrypted.
>>
>> SO now when i double click the file to open it i get a Read Non Cached
>> and
>> hence its decrypted and i get garbled data.
>> This is not true for any other files…All the other files except the
>> DOC,XLS,PPT works by generating a Write NonCached/Paging once the file is
>> created.
>>
>> I shall also try what u had specified…
>>
>> Once again thanks…much…
>>
>> Regards
>> Shal.
>>
>>
>>
>>
>> “Peter Scott” wrote in message
>> news:xxxxx@ntdev…
>>> Shal,
>>>
>>> You do realize that Word uses rename operations to save off the data,
>>> right?
>>> In other words, you will see the open of say foo.doc and the paging read
>>> for
>>> this but then the contents are stored in a temporary file, say
>>> ~wrd0001.doc.
>>> When everything is done, it then renames the temporary file to the
>>> original
>>> file. It does some of this in several iterations, reading, checking …
>>>
>>> If you look at filemon filtering on a particular directory name where
>>> the
>>> Word document is stored, you will see all this craziness.
>>>
>>> But to answer the original question, yes you can roll up your own paging
>>> IRP_MJ_WRITE before passing the IRP_MJ_CLOSE down the fsd. This is
>>> actually
>>> one of the few things you can do on a given fileobject between
>>> IRP_MJ_CLEANUP and IRP_MJ_CLOSE - paging IO and some
>>> IRP_MJ_SET_INFORMATION
>>> classes.
>>>
>>> Pete
>>>
>>> Kernel Drivers
>>> Windows Filesystem and Device Driver Consulting
>>> www.KernelDrivers.com
>>> (303)546-0300
>>>
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>>> Sent: Tuesday, May 10, 2005 12:12 PM
>>> To: Windows System Software Devs Interest List
>>> Subject: [ntdev] Help Rolling out IRP_MJ_WRITE?
>>>
>>> Can we roll out an IRP_MJ_WRITE for the fileobject( so that it initiates
>>> a
>>> PagingIO,NocacheIO write ) in IRP_MJ_CLOSE in a file system filter
>>> driver.?
>>> How can it be done? For instance right now i can write a known buffer
>>> in
>>> a
>>> particular offset but how to write the entire file buffer to the disk…
>>>
>>> The reason why i am doing this is i dont get a IRP_MJ_WRITE when i
>>> right
>>> click and select create a new word document in a Special folder(where my
>>> File System Filter Driver is active) . It initiates a IRP_MJ_CREATE and
>>> initiates cached read,cached write and then Noncached Read but never
>>> NONCACHED IRP_MJ_WRITE.
>>>
>>> So when i open the file it always considers it as encrypted and so
>>> displays
>>> junk data…
>>>
>>> I am not having any headers and my encrypted file size is equal to plain
>>> text file size.
>>>
>>> This also happens when i move a file from another folder to the special
>>> folder.
>>>
>>> Is my approach right???
>>>
>>>
>>> Any hint is appreciated very much…
>>>
>>> Thanks and Regards
>>> Shal.
>>>
>>>
>>>
>>> —
>>> Questions? First check the Kernel Driver FAQ at
>>> http://www.osronline.com/article.cfm?id=256
>>>
>>> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Pete,

Thank you very much…Yes that was the mistake…Now i am getting Writes for
the doc files as well…
Thank you once again for ur help.

Regards
Shal.

“Peter Scott” wrote in message
news:xxxxx@ntfsd…
>
> Shal,
>
> Yes there is a problem. Have you read the reference counting article at
> OSRONLINE? The case you are missing is when the fileobject is created by
> the
> underlying FSD to initialize caching. In this case, you will receive a
> fileobject that you have not previously seen via the IRP_MJ_CREATE pathway
> in an IRP_MJ_READ/WRITE request. These are termed stream fileobjects and
> generally have the FO_STREAM_FILE bit set in the flags. I say generally
> because there are known products out there which remove this bit until the
> fileobject is closed and thus it is hard to determine that it is actually
> a
> stream fileobejct except for the fact that you have not seen this
> fileobject
> processed via the IRP_MJ_CREATE pathway.
>
> You should remove the fileobject comparison in your lookup and only base
> it
> on the fscontext value.
>
> Next, you should not be touching either the SOP or the FsContext during
> IRP_MJ_CREATE. These belong to the underlying FSD, they are not yours to
> use. The FsContext will be setup by the underlying FSD and you can use it
> on
> the completion side of IRP_MJ_CREATE to insert it into your lookup tree,
> if
> it does not already exist.
>
> Again, go read the article on referencing counting for filters at
> www.osronline.com
>
> Pete
>
> Kernel Drivers
> Windows Filesystem and Device Driver Consulting
> www.KernelDrivers.com
> (303)546-0300
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
> Sent: Wednesday, May 11, 2005 11:29 AM
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] Help Rolling out IRP_MJ_WRITE?
>
> I am using fileobject and fscontext …
> Say in Readwrite
>
> fileObject = CurrentIrpStack->FileObject.
>
> I use a function called …
>
> GetMyFCB(fileObject);
>
> In that i traverse my link list
> and check for the condition
>
> if(mylinklistnode->fileobject==recvdfileobject &&
> mylinklistnode->fscontexttracker==recvdfileobject->fscontext)
> return mylinklistnode;
> else
> continue traversing the list
>
> else return NULL if its not found at all…
>
>
> So if its not in my special folder i wud recv NULL and i would just call
> the
>
> underlying driver…
> if i obtain a Non NULL then that means its in my specialfolder and i check
> for IRP_Read Write cached noncached etc.,
>
> Setting up my tracking is done in IRp_Create and createcompletion.
> in Create i allocate new memory for fileobject->FScontext and
> fileobject->Sectionobjectpointers.
> in createcompletion i get the same fileobject but different fscontext…so
> i
>
> keep track of it my keeping a new pointer fscontexttracker.
> and then use GetMyFCB to deal with all the stuffs…
>
> in IRP_MJ_CLOSE i decrement the reference or delete the entire
> mylinklistnode when the reference is zero…
> in IRP_MJ_CLEANUP i do a ccflushcache
>
> Do you witness any problems in this tracking ???
>
> Thank you very much for the help…
> Regards
> Shal.
>
>
>
> “Peter Scott” wrote in message
> news:xxxxx@ntfsd…
>>
>> Shal,
>>
>> There is definitely a problem here. Just because you don’t see it doesn’t
>> mean it is going to happen. It will happen, you just need to wait. The
>> data
>> is in cache and there are no ‘rules’ as to when this data will be
>> flushed,
>> at least nothing deterministic.
>>
>> You can try to force a flush of the cache when you think all user mode
>> references are gone but there are scenarios that this will not work, for
>> instance memory mapped files.
>>
>> The idea here is that when data is dirtied in a cache map, the cache
>> manager
>> and memory manager don’t have to flush that data out immediately. They
>> don’t
>> even have to flush it out after you close the application, though with
>> word
>> I have not seen the paging write be delayed very long since they are
>> trying
>> to ensure data is out to disk, etc.
>>
>> I would guess you are either not waiting long enough, missing the paging
>> write request or have an issue with your tracking mechanism and thus,
>> back
>> to the first, you are missing the request.
>>
>> How are you tracking files that you are encrypting? Is it via fileobject,
>> fscontext, name?
>>
>> Pete
>>
>> Kernel Drivers
>> Windows Filesystem and Device Driver Consulting
>> www.KernelDrivers.com
>> (303)546-0300
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>> Sent: Wednesday, May 11, 2005 10:46 AM
>> To: Windows File Systems Devs Interest List
>> Subject: Re:[ntfsd] Help Rolling out IRP_MJ_WRITE?
>>
>> Redirecting to ntfsd…
>>
>> Thanks Pete for ur comments. I shall look into that… by attaching
>> filemon
>> to that particular folder.
>> Actually what i meant was i create a file called new microsoft word
>> document. and then i just do a single click on the file and it generates
>> IRP_write cached, irp_read cached and irp_read noncached paged.
>> So file is in plain text in the cache as well as in the disk.
>> Now when i double click the file to open i get a irp_read noncached
>> paged.
>> whcih reads from the disk and decrypts the plain text and shows the
>> output
>> as garbled.
>>
>> actually the irp_write noncached for the plaintext did not come through
>> at
>> all…That worries me as it happens only with Office files such as
>> doc,xls,ppt etc.,
>>
>> Meanwhile i have solved that problem by introducing a Noncached write
>> whenever i get a Cachedwrite.
>>
>> Say for example when i get a cached write from offset 0 to offset 12000 i
>> include a function in it as
>>
>> writefile(Deviceobject,fileobject,writeoffset,writelength,buffer) this
>> function calls my NonCached write and encrypts that to the disk…This
>> seems
>>
>> to work fine. till now
>>
>> Do u think any problem with this approach???
>>
>> Once again Thank you Very much for ur help…
>>
>> Regards
>> Shal.
>>
>>
>>
>>
>> “Peter Scott” wrote in message
>> news:xxxxx@ntdev…
>>>
>>> Shal,
>>>
>>> First, this would be better posted on the NTFSD list but we’ll address
>>> your
>>> points here.
>>>
>>> Your comments are a little contradictory. You indicate that you are
>>> “still
>>> in file create stage” so the rename is irrelevant but then you go on to
>>> say
>>> that you are seeing the IO requests. Which is it?
>>>
>>> Here is the typical scenario that one could expect, note that a lot of
>>> requests have been left out and ordering may be slightly off but the
>>> overall
>>> picture is here:
>>>
>>> - IRP_MJ_CREATE to open foo.doc
>>> - IRP_MJ_READ cached/noncached reads to foo.doc to retrieve data
>>> - IRP_MJ_CREATE to create temp file ~wrd0001.doc
>>> - IRP_MJ_WRITE to ~wrd0001.doc (of data read into foo.doc)
>>> - IRP_MJ_WRITE to ~wrd0001.doc for any modifications made to foo.doc
>>> - IRP_MJ_SET_INFORMATION (Rename) of ~wrd0001.doc to foo.doc
>>>
>>> This is the basic gist of how it works, not accurate but basically
>>> there.
>>> I
>>> would bet you are missing the paging requests which are destined for the
>>> temporary file, and not encrypting these buffers. Hence you are getting
>>> clear test in the foo.doc file.
>>>
>>> Run filemon and have all your tests in some known sub-directory say
>>> \foo.
>>> Then have filemon filter on this directory only and you will see
>>> everything.
>>> You are simply missing some requests.
>>>
>>> Your first question below, ‘which buffer do I use to write out the
>>> entire
>>> file?’ is missing the point. If you want to write something to a file
>>> YOU
>>> need to allocate the buffer and populate it with the correct contents. I
>>> think, again, you are missing some functionality and some requests.
>>>
>>> Pete
>>>
>>> Kernel Drivers
>>> Windows Filesystem and Device Driver Consulting
>>> www.KernelDrivers.com
>>> (303)546-0300
>>>
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>>> Sent: Tuesday, May 10, 2005 2:53 PM
>>> To: Windows System Software Devs Interest List
>>> Subject: Re:[ntdev] Help Rolling out IRP_MJ_WRITE?
>>>
>>> Pete,
>>> Thank you very much for the reply…
>>> Yeah i am trying to generate my own IRP Write but is it possible to
>>> generate
>>>
>>> a IRP_MJ_WRITE for a fileobject for the entire file size.?
>>> The only thing that worries me is how do i know the buffer to write. I
>>> just
>>>
>>> want to generate a IRP_MJ_WRITE for the entire file as depicted by
>>> fileobject .
>>>
>>> Yes also i know the rename operations but actually i am still in the
>>> file
>>> creation stage.
>>> For example i am creating a file by right clicking in the explorer say
>>> “New
>>> Microsoft word document”
>>> At that time i dont see any temporary files at all. I can see my file in
>>> IRP_MJ_CREATE …followed by Write cache …
>>> followed by ReadNon Cached and Read Cached…
>>> The thing is that there is no IRP_MJ_WRITE nonCached and hence the file
>>> new
>>> microsoft word document is not at all encrypted.
>>>
>>> SO now when i double click the file to open it i get a Read Non Cached
>>> and
>>> hence its decrypted and i get garbled data.
>>> This is not true for any other files…All the other files except the
>>> DOC,XLS,PPT works by generating a Write NonCached/Paging once the file
>>> is
>>> created.
>>>
>>> I shall also try what u had specified…
>>>
>>> Once again thanks…much…
>>>
>>> Regards
>>> Shal.
>>>
>>>
>>>
>>>
>>> “Peter Scott” wrote in message
>>> news:xxxxx@ntdev…
>>>> Shal,
>>>>
>>>> You do realize that Word uses rename operations to save off the data,
>>>> right?
>>>> In other words, you will see the open of say foo.doc and the paging
>>>> read
>>>> for
>>>> this but then the contents are stored in a temporary file, say
>>>> ~wrd0001.doc.
>>>> When everything is done, it then renames the temporary file to the
>>>> original
>>>> file. It does some of this in several iterations, reading, checking …
>>>>
>>>> If you look at filemon filtering on a particular directory name where
>>>> the
>>>> Word document is stored, you will see all this craziness.
>>>>
>>>> But to answer the original question, yes you can roll up your own
>>>> paging
>>>> IRP_MJ_WRITE before passing the IRP_MJ_CLOSE down the fsd. This is
>>>> actually
>>>> one of the few things you can do on a given fileobject between
>>>> IRP_MJ_CLEANUP and IRP_MJ_CLOSE - paging IO and some
>>>> IRP_MJ_SET_INFORMATION
>>>> classes.
>>>>
>>>> Pete
>>>>
>>>> Kernel Drivers
>>>> Windows Filesystem and Device Driver Consulting
>>>> www.KernelDrivers.com
>>>> (303)546-0300
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: xxxxx@lists.osr.com
>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Shalini
>>>> Sent: Tuesday, May 10, 2005 12:12 PM
>>>> To: Windows System Software Devs Interest List
>>>> Subject: [ntdev] Help Rolling out IRP_MJ_WRITE?
>>>>
>>>> Can we roll out an IRP_MJ_WRITE for the fileobject( so that it
>>>> initiates
>>>> a
>>>> PagingIO,NocacheIO write ) in IRP_MJ_CLOSE in a file system filter
>>>> driver.?
>>>> How can it be done? For instance right now i can write a known buffer
>>>> in
>>>> a
>>>> particular offset but how to write the entire file buffer to the
>>>> disk…
>>>>
>>>> The reason why i am doing this is i dont get a IRP_MJ_WRITE when i
>>>> right
>>>> click and select create a new word document in a Special folder(where
>>>> my
>>>> File System Filter Driver is active) . It initiates a IRP_MJ_CREATE and
>>>> initiates cached read,cached write and then Noncached Read but never
>>>> NONCACHED IRP_MJ_WRITE.
>>>>
>>>> So when i open the file it always considers it as encrypted and so
>>>> displays
>>>> junk data…
>>>>
>>>> I am not having any headers and my encrypted file size is equal to
>>>> plain
>>>> text file size.
>>>>
>>>> This also happens when i move a file from another folder to the
>>>> special
>>>> folder.
>>>>
>>>> Is my approach right???
>>>>
>>>>
>>>> Any hint is appreciated very much…
>>>>
>>>> Thanks and Regards
>>>> Shal.
>>>>
>>>>
>>>>
>>>> —
>>>> Questions? First check the Kernel Driver FAQ at
>>>> http://www.osronline.com/article.cfm?id=256
>>>>
>>>> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> —
>>> Questions? First check the Kernel Driver FAQ at
>>> http://www.osronline.com/article.cfm?id=256
>>>
>>> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>>
>>
>>
>>
>> —
>> Questions? First check the IFS FAQ at
>> https://www.osronline.com/article.cfm?id=17
>>
>> You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@kerneldrivers.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>