Re: multiple IRP_MJ_CREATE calls for one CreateFile() ??

If you want to actually intercept the reading/execution of the file, you
might want to build some logic in your driver that “remembers” the
IRP_MJ_CREATEs, but only reads the file (e.g. for virus scan) upon the first
IRP_MJ_READ it sees.

However, this approach is not a 100% solution, since Windows (or Explorer
in that case) tends to read files for reading the resources (icons, version
info etc.).

Bartjan.

At 10:50 12-1-2002 +0200, you wrote:

As for me, it is not Explorer. I have a .bat file on a remote machine which
transfers a single file over the network with the copy command. I see at least 6
IRP_MJ_CREATE on the target. Source OS is WinXP, target NT4 SP6.

Alexey Logachyov
xxxxx@vba.com.by
VirusBlokAda Ltd.
http://www.vba.com.by

----- Original Message -----
From: “Maxim S. Shatskih”
To: “File Systems Developers”
Sent: Thursday, January 10, 2002 6:57 PM
Subject: [ntfsd] Re: multiple IRP_MJ_CREATE calls for one CreateFile() ??

> > Not Windows, but Explorer. It also opens a directory with “*” wildcard.
> > Use command-line tools for a clear case, but note that TYPE opens a
> > directory, not only the file to type.
> >
> > Max
> >
> > ----- Original Message -----
> > From: “Alexey Logachyov”
> > To: “File Systems Developers”
> > Sent: Wednesday, January 09, 2002 8:20 PM
> > Subject: [ntfsd] Re: multiple IRP_MJ_CREATE calls for one CreateFile() ??
> >
> >
> > > It is pretty common for me. For example when copying a file from a remote
> > > computer I see IRP_MJ_CREATE 6 to 8 times. Seems like Windows looks if the
> > > folder exists, if volume is mounted, asks for file flags, etc.
> > >
> > > Many strange things are happening in Windows :wink:
> > >
> > > Alexey Logachyov
> > > xxxxx@vba.com.by
> > > VirusBlokAda Ltd.
> > > http://www.vba.com.by
> > >
> > >
> > > ----- Original Message -----
> > > From: “vishnu”
> > > To: “File Systems Developers”
> > > Sent: Tuesday, January 08, 2002 9:40 AM
> > > Subject: [ntfsd] multiple IRP_MJ_CREATE calls for one CreateFile() ??
> > >
> > >
> > > > Hi,
> > > >
> > > > We are developing a filter driver for NT 4.0. I am encountering the
> > > > following problem.
> > > >
> > > > When I issue a CreateFile on a file, say, D:\trail\notes.txt (with
> > > > access mode as GenericWrite), the Create dispatch routine of the driver
> > > > is called 4 times. (My driver is the topmost one… it is layered over
> > > > NTFS.) First time it is called for directory D:\trial, second time the
> > > > open is for neither directory nor file, and in 3rd and 4th time it's for
> > > > file D:\trail\notes.txt. Also the access modes in the first 3 calls to
> > > > the create routine seem to be GenericRead (even though I specified
> > > > GenericWrite in the CreateFile API). In the fourth call to the create
> > > > dispatch routine it is the one specified in CreateFile (i.e.,
> > > > GenericWrite in this case).
> > > >
> > > > By seeing the books (like Rajeev Nagar’s) I got an impression that there
> > > > would be only one call to the create dispatch routine for one
> > > > CreateFile() call. Can anyone tell me what might be the reason for the
> > > > above situation? (There is no call to Zwxxx() fns. inside the create
> > > > routine, which might cause a recursive call.)
> > > >
> > > > Thanks in advance,
> > > > vishnu.
> > > >
> > > > —
> > > > You are currently subscribed to ntfsd as: xxxxx@vba.com.by
> > > > To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> > >
> > >
> > >
> >
> >
>
>


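Added example, not part of the original thread and not code from any of the posters: a user-mode C model of the approach in the top reply (remember each IRP_MJ_CREATE, scan only on the first IRP_MJ_READ for that open). All function names, the fixed-size table and the stubbed scan counter are assumptions; the pointer key stands in for the file object a driver would see.

```c
/* User-mode model of "remember the create, scan on first read". Not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 8
enum { SLOT_FREE = 0, SLOT_PENDING, SLOT_SCANNED };
struct slot { const void *file_object; int state; };  /* hypothetical tracking entry */
static struct slot table[MAX_TRACKED];
static int scans;                       /* times the (stubbed) scanner ran */

static struct slot *lookup(const void *fo) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (table[i].state != SLOT_FREE && table[i].file_object == fo) return &table[i];
    return NULL;
}
void tracker_reset(void) { memset(table, 0, sizeof table); scans = 0; }
int scan_count(void) { return scans; }

/* IRP_MJ_CREATE: remember the open. If the table is full, fail closed and scan now. */
int on_create(const void *fo) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (table[i].state == SLOT_FREE) {
            table[i].file_object = fo; table[i].state = SLOT_PENDING;
            return 0;                   /* scan deferred */
        }
    scans++;
    return 1;                           /* scanned immediately */
}
/* IRP_MJ_READ: scan on the first read of a remembered open, not on later reads. */
int on_read(const void *fo) {
    struct slot *s = lookup(fo);
    if (s != NULL && s->state == SLOT_SCANNED) return 0;
    if (s != NULL) s->state = SLOT_SCANNED;
    scans++;                            /* untracked opens are scanned on every read */
    return 1;
}
/* IRP_MJ_CLOSE: forget the open so the slot can be reused. */
void on_close(const void *fo) {
    struct slot *s = lookup(fo);
    if (s != NULL) s->state = SLOT_FREE;
}

int main(void) {
    int opens[6];                       /* constructed: six opens, as in the copy case */
    for (int i = 0; i < 6; i++) on_create(&opens[i]);
    on_read(&opens[5]); on_read(&opens[5]);   /* only the last open is actually read */
    for (int i = 0; i < 6; i++) on_close(&opens[i]);
    printf("creates=6 scans=%d\n", scan_count());
    return 0;
}
```

As the reply notes, opens that read the file only for icons or version info still trigger a scan under this scheme.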