Re: Re: [ntfsd] Re: [ntfsd] Re: [ntfsd] get sharemode of file handle opened in another process

Hi Marion,

The problem is quite specialized and I’m sorry for not going too much
into detail as I don’t know exactly how IP laws work. Therefore I try to
ask questions with a smaller independent segment of the problem (which is
sad as exact knowledge about the larger problem may lead to much cleaner
well-defined solutions). In the current case the UM copies from a VSS
snapshot which is immune to this issue (part of existing design).

Sincere thanks for the help and advice on this.

Thanks

On Sun, Nov 2, 2014 at 5:42 PM, Marion Bond wrote:

> You should give up now. No UM component can touch files opened
> exclusively before it loads. And KM components that do this are almost
> unequivocally designated as malware
>
> If you tell us a larger problem you are trying to solve, then we may be
> able to help you better
>
> Sent from Surface Pro
>
> From: Arun M. Krishnakumar
> Sent: Sunday, November 02, 2014 1:13 AM
> To: Windows File Systems Devs Interest List
>
> Hi Don, could you please explain more about your method ? I have a method
> using a FS minifilter and a UM mode together. But if there can be a simpler
> option I’ll move to that method.
>
> Marion, I do have a KM component. However I want to have a UM component
> that can handle files opened exclusively before the driver is installed and
> loaded (mainly some core OS files). There are some applications that I want
> to keep simple and hence I have a mixed mode approach.
>
> Thanks,
> Arun
>
> On Wed, Oct 29, 2014 at 6:11 PM, Don Burn wrote:
>
>> Depending on what he wants to do, this does not even require a file
>> system filter. Years ago I prototyped for a client a driver that allows
>> you to do this by appending the path to the device name of the driver. You can
>> completely stay out of the stack and get access to the file.
>>
>>
>> Don Burn
>> Windows Filesystem and Driver Consulting
>> Website: http://www.windrvr.com
>>
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com [mailto:
>> xxxxx@lists.osr.com] On Behalf Of Marion Bond
>> Sent: Wednesday, October 29, 2014 8:49 PM
>> To: Windows File Systems Devs Interest List
>> Subject: [ntfsd] Re: [ntfsd] Re: [ntfsd] get sharemode of file handle
>> opened in another process
>>
>> Your project is impossible from UM. In KM, you don’t need to care about
>> the sharing - your file system filter will simply allow you a backdoor to
>> read data. Your biggest problems will be memory mapped files and cache
>> coherency given that you have no obvious way of synchronizing an arbitrary
>> write pattern with your read access. Assuming you are replicating, backing
>> up or virus scanning, you are okay - as you can coalesce operations or your
>> need is probabilistic
>>
>>
>> Sent from Surface Pro
>>
>> From: Arun M. Krishnakumar
>> Sent: Tuesday, October 28, 2014 10:37 PM
>> To: Windows File Systems Devs Interest List
>>
>> I am working on a project where I need to have read access to all files
>> on the system to which I have privileges as per ACL.
>>
>> There are some files that are opened in exclusive mode by services that
>> start early at boot. I don’t have control over the processes and I have not
>> opened the handle.
>>
>> I know that one way to get this access is to do a CreateFile. I wanted to
>> know if there was another way.
>>
>> In any case I have been able to work using CreateFile and it doesn’t seem
>> to be too time-intensive.
>>
>> Thanks,
>>
>> On Mon, Oct 27, 2014 at 3:29 PM, Marion Bond
>> wrote:
>>
>>
>> What do you want this for? If you opened the handle, you should
>> know what sharing you specified. If this handle was passed to you, then
>> sharing will have been dealt with by them
>>
>>
>> Sent from Surface Pro
>>
>> From: Arun M. Krishnakumar
>> Sent: Sunday, October 26, 2014 10:38 PM
>> To: Windows File Systems Devs Interest List
>>
>> I know that it is possible to get the ShareMode from the
>> FILE_OBJECT in a mini-filter. But I am unable to know this from user-mode.
>> There is an object address that I get as part of each entry returned by
>> NtQuerySystemInformation but I cannot access that memory area.
>>
>> Is there any other way ?
>>
>> Thanks,
>> Arun
>>
>> On Sun, Oct 26, 2014 at 1:51 AM, Arun M. Krishnakumar <
>> xxxxx@gmail.com> wrote:
>>
>>
>> Hi,
>>
>> (This is a user-land API question. I hope it’s okay to
>> ask here as it’s windows and FS related. Kindly help me redirect this in
>> case this is the wrong forum.)
>>
>> I have a case where I need to determine in user-mode the
>> share-mode of a file handle opened by another process, mainly to determine
>> if the file is opened exclusively (sharemode = 0). I do the following:
>>
>> 1. Set Debug Privilege
>> 2. NtQuerySystemInformation
>>
>> 3. OpenProcess
>> 4. NtDuplicateObject (process, handle)
>> 5. NtQueryObject(duplicate-handle, ObjectBasicInformation)
>>
>>
>> The issue is that the Object Attributes returned by the
>> NtQueryObject is always zero. I was hoping that there would be an
>> OBJ_EXCLUSIVE indicating that the open is exclusive. Is this a valid
>> assumption for this problem ?
>>
>> Is there some other way I can get the shared-mode, other
>> than (attempting to open the file as that would be slower)?
>>
>> P.S.: The calls above have worked with no errors. I can
>> also get the file path etc from other similar calls. I’m stuck only at the
>> share-mode.
>>
>> Thanks,
>>
>>
>>
>> — NTFSD is sponsored by OSR OSR is hiring!! Info at
>> http://www.osr.com/careers For our schedule of debugging and file system
>> seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
>> List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>
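Added example, not code from any poster in this thread: a simplified, portable C model of the share-access check that the kernel routine IoCheckShareAccess is documented to perform, showing why a probing CreateFile (the approach mentioned in the thread) reveals an exclusive open while the handle's object attributes do not. The `M_`-prefixed constants, `share_state`, `check_share`, `infer_share_mask` and `mask_after_open` are names made up for this example, the openers are constructed, and ACL checks that a real probe would also face are not modelled.

```c
#include <stdio.h>

/* Values match the Windows SDK constants of the same name; M_ prefix is ours. */
enum { M_FILE_READ_DATA = 0x1, M_FILE_WRITE_DATA = 0x2, M_FILE_APPEND_DATA = 0x4,
       M_FILE_EXECUTE = 0x20, M_DELETE = 0x10000 };
enum { M_SHARE_READ = 1, M_SHARE_WRITE = 2, M_SHARE_DELETE = 4, M_SHARE_ALL = 7 };

/* Per-file counters, modelled on the kernel's SHARE_ACCESS structure. */
struct share_state { unsigned opens, rd, wr, del, sh_rd, sh_wr, sh_del; };

/* 1 = sharing violation, 0 = compatible; update != 0 records the open. */
int check_share(struct share_state *s, unsigned access, unsigned share, int update)
{
    unsigned r = (access & (M_FILE_READ_DATA | M_FILE_EXECUTE)) != 0;
    unsigned w = (access & (M_FILE_WRITE_DATA | M_FILE_APPEND_DATA)) != 0;
    unsigned d = (access & M_DELETE) != 0;
    unsigned sr = (share & M_SHARE_READ) != 0, sw = (share & M_SHARE_WRITE) != 0;
    unsigned sd = (share & M_SHARE_DELETE) != 0;
    if (!(r || w || d)) return 0;          /* attribute-only opens are exempt */
    if ((r && s->sh_rd < s->opens) || (w && s->sh_wr < s->opens) ||
        (d && s->sh_del < s->opens) ||     /* an existing opener refuses us */
        (s->rd && !sr) || (s->wr && !sw) || (s->del && !sd)) /* we refuse them */
        return 1;
    if (update) {
        s->opens++; s->rd += r; s->wr += w; s->del += d;
        s->sh_rd += sr; s->sh_wr += sw; s->sh_del += sd;
    }
    return 0;
}

/* Probe each access type while granting full sharing. A bit is set only if
   every current opener shares that access; 0 means an exclusive open. */
unsigned infer_share_mask(struct share_state *s)
{
    unsigned m = 0;
    if (!check_share(s, M_FILE_READ_DATA, M_SHARE_ALL, 0)) m |= M_SHARE_READ;
    if (!check_share(s, M_FILE_WRITE_DATA, M_SHARE_ALL, 0)) m |= M_SHARE_WRITE;
    if (!check_share(s, M_DELETE, M_SHARE_ALL, 0)) m |= M_SHARE_DELETE;
    return m;
}

/* Record one constructed opener on a fresh file, then probe it. */
unsigned mask_after_open(unsigned access, unsigned share)
{
    struct share_state s = {0};
    check_share(&s, access, share, 1);
    return infer_share_mask(&s);
}

int main(void)
{
    printf("exclusive writer    -> %u\n", mask_after_open(M_FILE_WRITE_DATA, 0));
    printf("read-sharing reader -> %u\n", mask_after_open(M_FILE_READ_DATA, M_SHARE_READ));
    return 0;
}
```

An opener that requested only attribute access leaves no trace in these counters, so probing cannot see it at all.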