Re: ntfsd digest: September 07, 2016

Is there any simple way to debug the driver, so that I could check where
it fails in its functionality? I’ve used DbgView but no
output was shown, and I’ve also used DbgPrint() in the code.

Thank you.

On Thu, Sep 8, 2016 at 10:00 AM, Windows File Systems Devs Interest List
digest wrote:

> NTFSD Digest for Wednesday, September 07, 2016.
>
> 1. RE: ZwQueryDirectoryFile fails with STATUS_NO_MORE_FILES when listing
> all reparse points
> 2. MiniFilter Driver Windows 10
> 3. RE: MiniFilter Driver Windows 10
> 4. Re: MiniFilter Driver Windows 10
> 5. RE: MiniFilter Driver Windows 10
> 6. Re: MiniFilter Driver Windows 10
> 7. Re: MiniFilter Driver Windows 10
> 8. Disconnect SATA disk while windows is working
>
> ----------------------------------------------------------------------
>
> Subject: RE: ZwQueryDirectoryFile fails with STATUS_NO_MORE_FILES when
> listing all reparse points
> From: xxxxx@yahoo.fr
> Date: Wed, 7 Sep 2016 01:31:58 -0400 (EDT)
> X-Message-Number: 1
>
> Never mind, guys. I was making a mistake here: “if (repPtr->FileReference ==
> VIR_IO_SPARSE_TAG)” where it should be “if (repPtr->Tag ==
> VIR_IO_SPARSE_TAG)”, so I was never getting the custom Tag.
>
>
> ----------------------------------------------------------------------
>
> Subject: MiniFilter Driver Windows 10
> From: Arsalan Hussain
> Date: Wed, 7 Sep 2016 12:11:30 +0500
> X-Message-Number: 2
>
> How would I block devices through a minifilter driver in Windows 10?
> Description: I have a minifilter driver which blocks devices. It works fine
> in Windows up to version 8.1, but I’m having a problem in Windows 10.
> The driver is able to block devices once when the system is rebooted, and then it
> automatically unblocks all the devices in Windows 10 when I start my
> application.
>
> Example: Windows 10 -> Application gets installed, system needs to reboot,
> the system reboots and all Non-System Partitions and USB get blocked (i.e.
> Access is Denied). By default the application blocks USB when its checkbox is
> checked but Non-System Partitions is unchecked, yet after the
> reboot Non-System Partitions still gives Access is Denied.
>
> Then when I run my application, all the blocked things get unblocked, and the
> things that should be blocked get unblocked as well.
>
> I’ve coded PreOperationCallBack, PostOperationCallBack,
> Operation_Registration_Callbacks (IRPs) and every driver routine
> needed to perform blocking and unblocking of the devices.
>
> ----------------------------------------------------------------------
>
> Subject: RE: MiniFilter Driver Windows 10
> From: xxxxx@hotmail.com
> Date: Wed, 7 Sep 2016 09:36:37 -0400 (EDT)
> X-Message-Number: 3
>
> By completing create requests with STATUS_ACCESS_DENIED error in
> PreOperation callback.
>
> Fix this application so it provides correct information to the driver.
> Seriously, what is your question?
>
> ----------------------------------------------------------------------
>
> Subject: Re: MiniFilter Driver Windows 10
> From: Gabriel Bercea
> Date: Wed, 7 Sep 2016 16:55:16 +0200
> X-Message-Number: 4
>
> You cannot block devices with the minifilter model. You can only process
> file system related events.
> Filesystems, if you think about it abstractly, reside on the disk/device as
> random pieces of data on their surface as far as the device (whatever that
> might be) is concerned. The file system driver is called to recognize that
> a certain disk has a filesystem it can “work with”.
> At this point, the point where the filesystem is called to recognize the
> filesystem, your driver is not even loaded for filtering even though the
> device is up and running and doing its thing. The fact that there is a valid
> filesystem there (on the disk) is a “coincidence” as far as the OS is
> concerned. You can store on a disk whatever raw data you want and at that
> point as far as the OS is concerned the device is running, but as far as
> the filesystem is concerned there is no valid FS there. You can get a
> handle to the device and use ReadFile and WriteFile on it and use it
> essentially like a big file to read and write data to it. If you really
> want to block devices, the assumption you can block them with a minifilter
> is not correct.
> You would need to implement a PNP filter to check out what device classes
> you are interested in, filter them correctly according to their stacks and
> block them from there. See if you need a lower or upper filter in that
> stack, propagate flags correctly. Allow devices that you are not interested
> in to run correctly and only block the ones you should depending on your
> policy. Also, blocking a device can occur, depending on the device, in
> different stages of the filtering.
> Good luck.
>
> Regards,
> Gabriel
> www.kasardia.com
> Windows Kernel Driver Consulting
>
>
> On Wed, Sep 7, 2016 at 3:36 PM, wrote:
>
> >
> > By completing create requests with STATUS_ACCESS_DENIED error in
> > PreOperation callback.
> >
> > Fix this application so it provides correct information to the driver.
> > Seriously, what is your question?
> >
> > —
> > NTFSD is sponsored by OSR
> >
> > MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> > software drivers!
> > Details at http:
> >
> > To unsubscribe, visit the List Server section of OSR Online at
> > <http://www.osronline.com/page.cfm?name=ListServer>
> >
>
> –
> Bercea. G.
>
> ----------------------------------------------------------------------
>
> Subject: RE: MiniFilter Driver Windows 10
> From: xxxxx@hotmail.com
> Date: Wed, 7 Sep 2016 12:14:26 -0400 (EDT)
> X-Message-Number: 5
>
>
> Block devices access are checked at FSD level. This is how NTFS works.
>
> In case of block devices this requires administrator or SYSTEM privilege
> if nobody changed object security descriptors which in turn requires
> elevated privileges. Trying to block a device for administrator or system
> usually doesn’t make sense as this requires hypervisor to implement such
> protection.
>
> ----------------------------------------------------------------------
>
> Subject: Re: MiniFilter Driver Windows 10
> From: “Scott Noone”
> Date: Wed, 7 Sep 2016 14:03:14 -0400
> X-Message-Number: 6
>
>
> MTP devices don’t use a host file system, so you can’t block those with a
> minifilter.
>
> In newer versions of Windows (at least Win7) the interactive user is given
> write access to the device. For example, you can format a USB device from
> an unelevated command prompt.
>
> -scott
> OSR
> @OSRDrivers
>
> wrote in message news:xxxxx@ntfsd…
>
> Block devices access are checked at FSD level. This is how NTFS works.
>
> In case of block devices this requires administrator or SYSTEM privilege if
> nobody changed object security descriptors which in turn requires elevated
> privileges. Trying to block a device for administrator or system usually
> doesn’t make sense as this requires hypervisor to implement such
> protection.
>
>
> ----------------------------------------------------------------------
>
> Subject: Re: MiniFilter Driver Windows 10
> From: Gabriel Bercea
> Date: Wed, 7 Sep 2016 23:22:12 +0200
> X-Message-Number: 7
>
> I would advise doing some more digging around what you claim, for the sake
> of your requirements and what you hope to achieve.
> Again, do not confuse NTFS.sys or any other FS (which are not PNP drivers,
> they are not specific to a device) with the drivers “below”: disk.sys,
> acpi, raidport or any device-specific driver (PNP-level driver).
> A FS is something that is “attached” to a medium or to a volume. A volume
> is a region on a disk that you can format with a filesystem. You can
> also filter at volume level, or at FS level (different things). Volume
> devices are PNP devices and have a class and stack of their own as far as PNP
> goes.
>
> When you are at FS level you cannot hope to deny anything that is device
> specific. You can only deny access to what a certain FS considers to be a
> file. I thought this was common sense for a FSF driver developer. By saying
> “Block devices access are checked at FSD level. This is how NTFS works.” it
> means you think that USB devices (for example) cannot be filtered only at
> FS level which is completely wrong.
>
> Please take your time and view your requirements and see if you need device
> filtering or FS level filtering is enough. It might be but I have no idea
> what you really want to achieve.
>
> Regards,
> Gabriel
> www.kasardia.com
>
>
> On Wed, Sep 7, 2016 at 6:14 PM, wrote:
>
> >
> > Block devices access are checked at FSD level. This is how NTFS works.
> >
> > In case of block devices this requires administrator or SYSTEM privilege
> > if nobody changed object security descriptors which in turn requires
> > elevated privileges. Trying to block a device for administrator or system
> > usually doesn’t make sense as this requires hypervisor to implement such
> > protection.
> >
>
>
>
> –
> Bercea. G.
>
> ----------------------------------------------------------------------
>
> Subject: Disconnect SATA disk while windows is working
> From: “Zvi Vered”
> Date: Thu, 8 Sep 2016 06:20:44 +0300
> X-Message-Number: 8
>
> Hello,
>
> My PC runs Windows 7-64 and is connected to a SATA disk.
>
> While working, I have to disconnect that SATA disk from the PC and connect
> it to another device in order to copy parts of the data.
>
> Upon completion I will reconnect the disk to the Windows PC.
>
> Is it possible to do it without causing a blue screen or any other damage
> to Windows?
>
> Thank you,
> Z.V
>
>
> —
>
> END OF DIGEST
>
> —
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Read this article “Getting DbgPrint Output To Appear In Vista and Later”

http://www.osronline.com/article.cfm?article=295
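
The setting behind the symptom asked about at the top of this thread (DbgPrint() calls in the driver, nothing in DbgView), as an added example that is not part of the original messages: on Vista and later, plain DbgPrint output is sent for the DEFAULT component at INFO level and is dropped unless the `Debug Print Filter` mask allows it. The three function names are hypothetical helpers; the registry key and value name are the documented Windows ones.

```powershell
# Added example: inspect and open up the DEFAULT debug-print filter mask.
# Run elevated on the test machine; a changed mask is read at the next boot.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'
$Name = 'DEFAULT'   # mask for DPFLTR_DEFAULT_ID, the component DbgPrint/KdPrint use

# Mask bits 0..3 correspond to DPFLTR_ERROR/WARNING/TRACE/INFO_LEVEL.
# Plain DbgPrint is sent at INFO level (bit 3), which is clear by default.
$Bits = [ordered]@{ ERROR = 0x1; WARNING = 0x2; TRACE = 0x4; INFO = 0x8 }

function Get-DbgPrintMask {            # hypothetical helper name
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }      # key or value not present
    return $prop.$Name
}

function Show-DbgPrintMask {           # hypothetical helper name
    $mask = Get-DbgPrintMask
    if ($null -eq $mask) { return "$Name mask is not set (INFO-level DbgPrint is filtered)" }
    foreach ($b in $Bits.GetEnumerator()) {
        $state = if ($mask -band $b.Value) { 'set' } else { 'clear' }
        '{0,-8} bit {1}' -f $b.Key, $state
    }
}

function Enable-DbgPrintOutput {       # hypothetical helper name
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 0xF -Force | Out-Null
}

Show-DbgPrintMask
Enable-DbgPrintOutput     # reboot, then start DbgView with "Capture Kernel" enabled
Show-DbgPrintMask
```

With a kernel debugger attached, the same mask can be changed without a reboot using `ed nt!Kd_DEFAULT_Mask 0xF`.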