I don’t remember exactly but I think FsRtlIsNameInExpression doesn’t
deal well with path delimiters. I suspect you might be better off just
looking at the last FileName.Length bytes of nameInfo (RtlEqualString)
instead… that way you also won’t be fooled by
“Device\Harddisk0\volume1\windows\system32\notepad.exe\foo.bar”
cheers,
johnm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of MM
Sent: Monday, April 02, 2007 6:35 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FsRtlIsNameInExpression always false
Why am I not getting a match, I know I’m doing something stupid…
In windbg I’m seeing:
FileName == “\SYSTEM32\NOTEPAD.EXE” and
nameInfo == “Device\Harddisk0\volume1\windows\system32\notepad.exe”
    WCHAR NoteFile[3][200] = {
        L"\\EXPLORER.EXE",
        L"\\SYSTEM32\\NOTEPAD.EXE",   /* <- what I'm searching for */
        …
    };

    NTSTATUS
    CouldItBeNotePad (
        __in PFLT_FILE_NAME_INFORMATION nameInfo,
        __out PBOOLEAN MayBe
        )
    {
        UNICODE_STRING FileName;
        NTSTATUS status;
        int i;

        for (i = 0; i < 3; i++)
        {
            FileName.Length = 0x0;
            FileName.MaximumLength = sizeof(NoteFile[i]);
            FileName.Buffer = NoteFile[i];

            if (FsRtlIsNameInExpression(&FileName, &nameInfo->Name, TRUE, NULL) == TRUE)
            {
                // never get here
                DbgPrint("A match was found %S\n", NoteFile[i]);
                *MayBe = TRUE;
            } else {
                // FsRtlIsNameInExpression always returns no match. Expression is UCase
                *MayBe = FALSE;
                DbgPrint("%wZ \n", &FileName);
                DbgPrint("%wZ \n", &nameInfo->Name);
            }
        }
        return STATUS_SUCCESS;
    }
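
The tail comparison suggested in the reply, as an added example that is not part of the original thread: a portable user-mode C model in which the hypothetical `CountedName` type stands in for `UNICODE_STRING` and `name_ends_with` is an assumed helper name. In a driver the same comparison of the last `Length` bytes would go through `RtlEqualUnicodeString` with case-insensitivity enabled; the sample names are constructed from the strings quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <uchar.h>

/* User-mode stand-in for UNICODE_STRING (hypothetical type, added here).
 * Length counts BYTES in use; the buffer need not be NUL-terminated. */
typedef struct {
    uint16_t Length;
    const char16_t *Buffer;
} CountedName;

/* Build a CountedName from a u"..." literal, excluding the terminator. */
#define NAME(lit) { (uint16_t)(sizeof(lit) - sizeof(char16_t)), (lit) }

/* ASCII-only upcase, enough for this sample. */
static char16_t up(char16_t c)
{
    return (c >= u'a' && c <= u'z') ? (char16_t)(c - 32) : c;
}

/* 1 if the last suffix->Length bytes of full equal suffix, ignoring case. */
int name_ends_with(const CountedName *full, const CountedName *suffix)
{
    size_t n = suffix->Length / sizeof(char16_t);
    size_t m = full->Length / sizeof(char16_t);
    if (n == 0 || n > m)
        return 0;               /* empty or over-long suffix: no match */
    const char16_t *tail = full->Buffer + (m - n);
    for (size_t i = 0; i < n; i++)
        if (up(tail[i]) != up(suffix->Buffer[i]))
            return 0;
    return 1;
}

/* Constructed sample names, taken from the strings quoted in the thread. */
const CountedName kTarget = NAME(u"\\SYSTEM32\\NOTEPAD.EXE");
const CountedName kReal   = NAME(u"Device\\Harddisk0\\volume1\\windows\\system32\\notepad.exe");
const CountedName kDecoy  = NAME(u"Device\\Harddisk0\\volume1\\windows\\system32\\notepad.exe\\foo.bar");
const CountedName kEmpty  = { 0, u"\\SYSTEM32\\NOTEPAD.EXE" };   /* Length == 0 */

int main(void)
{
    /* Exit 0 when: real path matches, decoy and empty suffix do not. */
    return !(name_ends_with(&kReal, &kTarget) == 1 &&
             name_ends_with(&kDecoy, &kTarget) == 0 &&
             name_ends_with(&kReal, &kEmpty) == 0);
}
```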