Reading a file opened with exclusive lock

All,

I have a need to read the contents of a file that is already opened with
an exclusive lock. With the help of a driver, this should be possible.
Does anyone have experience doing this? What APIs would be useful?

I have already found the process id of the application that has the file
locked. I am thinking that I can enumerate the open handles for this
process and perhaps use ZwDuplicateObject to copy that file object into
my process. Can someone comment on this approach?

I am still struggling through various technical issues, so any thoughts
and help will be appreciated.

Thanks,
Dan

I would recommend a filter driver. In this filter, you implement your
own locking and do not pass lock requests down to the file system.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Morales
Sent: Friday, November 01, 2002 10:13 AM
To: NT Developers Interest List
Subject: [ntdev] Reading a file opened with exclusive lock

All,

I have a need to read the contents of a file that is already opened with
an exclusive lock. With the help of a driver, this should be possible.
Does anyone have experience doing this? What APIs would be useful?

I have already found the process id of the application that has the file
locked. I am thinking that I can enumerate the open handles for this
process and perhaps use ZwDuplicateObject to copy that file object into
my process. Can someone comment on this approach?

I am still struggling through various technical issues, so any thoughts
and help will be appreciated.

Thanks,

Dan



Of course, this approach causes interop problems with other filters
doing the same thing.

-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Friday, November 01, 2002 1:37 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Reading a file opened with exclusive lock

I would recommend a filter driver. In this filter, you implement your
own locking and do not pass lock requests down to the file system.

Jamey


I entertained the thought of a filter driver. However, I have some
aggressive time constraints and I am very new to driver development in
general. So, I am looking for the least intrusive and least complex way
to do this. This stuff is hard no matter how I look at it. “Hats off”
to all of you who do this type of dev on a regular basis.

What thoughts, however, on my approach?

Dan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gilson, Mike
Sent: Friday, November 01, 2002 12:42 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Reading a file opened with exclusive lock

Of course, this approach causes interop problems with other filters
doing the same thing.

> I entertained the thought of a filter driver. However, I have some
> aggressive time constraints and I am very new to driver development in
> general. So, I am looking for the least intrusive and least complex way
> to do this. This stuff is hard no matter how I look at it. “Hats off”
> to all of you who do this type of dev on a regular basis.

Dan,

What are you really trying to do? It sounded like you had a usermode
program that needs to read a file regardless of whether it was locked
or not. If that is true, then why not read the file non-file-structured
by assigning a channel to the volume instead and reading the file pointers
and then reading the disk blocks for the file? At least this is usermode.
Also, you may be able to open the file anyway and at least get the
File pointers with the FSCTL IOCTL for that even with a block range
locked.

Rick…

Hi Rick,

Yes, you summarized what I need to do. However, your suggestion might
as well have been in German since I don’t speak German. :) What I
mean is that your advice was in an area I know nothing about.

“assigning a channel to the volume” ?
“reading the disk blocks” ?
“FSCTL IOCTL” ?

I have read quite a bit in various books and in the DDK, but I do not
know what APIs allow me to do the things you are suggesting.

Have you heard of KeAttachProcess and ZwDuplicateObject? Wouldn’t these
help achieve my goal?

Dan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@rdperf.com
Sent: Friday, November 01, 2002 1:09 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Reading a file opened with exclusive lock

> I entertained the thought of a filter driver. However, I have some
> aggressive time constraints and I am very new to driver development in
> general. So, I am looking for the least intrusive and least complex way
> to do this. This stuff is hard no matter how I look at it. “Hats off”
> to all of you who do this type of dev on a regular basis.

Dan,

What are you really trying to do? It sounded like you had a usermode
program that needs to read a file regardless of whether it was locked
or not. If that is true, then why not read the file non-file-structured
by assigning a channel to the volume instead and reading the file pointers
and then reading the disk blocks for the file? At least this is usermode.
Also, you may be able to open the file anyway and at least get the
File pointers with the FSCTL IOCTL for that even with a block range
locked.

Rick…



> Yes, you summarized what I need to do. However, your suggestion might
> as well have been in German since I don’t speak German. :) What I
> mean is that your advice was in an area I know nothing about.
>
> “assigning a channel to the volume” ?
> “reading the disk blocks” ?
> “FSCTL IOCTL” ?
>
> I have read quite a bit in various books and in the DDK, but I do not
> know what APIs allow me to do the things you are suggesting.
>
> Have you heard of KeAttachProcess and ZwDuplicateObject? Wouldn’t these
> help achieve my goal?

Dan,

These are all WIN32 interface stuff. Assigning a channel to the
volume means calling CreateFile with the filespec being the Partition
Name which I believe has a format like: “\\.\C:” or something like
that.

You can use FSCTL_GET_RETRIEVAL_POINTERS from DeviceIoControl to get
file pointers from a file that you have a handle to.

Then you can use the handle from the Volume CreateFile to do a ReadFile
from the Volume.

If you can’t get a handle to the file to use for FSCTL_GET_RETRIEVAL_POINTERS
due to the exclusive nature, you would have to get that info by scanning the
appropriate file system data structures.

I would expect that KeAttachProcess and ZwDuplicateObject might get you
access to that process’s handle for the file, in which case you could certainly
use ZwCreateFile to open the volume and then ZwDeviceIoControl to get the
file pointers and then ZwReadFile to read the data.

I was just trying to suggest a mechanism that did NOT involve a Device
Driver.

This is easier if you are trying to bypass the file having a data region
locked as opposed to the file being opened for exclusive access, because then
you can just get the retrieval pointers and read from the volume, NOT the
file.

Rick…
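
The mapping step Rick describes (retrieval pointers first, then reads against the volume handle), as an added example that is not part of the original thread: portable C that turns an extent list shaped like the `Extents[]` array of `RETRIEVAL_POINTERS_BUFFER` into byte offsets on the volume, rejecting malformed lists and flagging runs whose LCN is -1, which have no clusters on disk. The names `rp_extent`, `vol_run` and `map_extents`, the 4096-byte cluster size and the sample extents are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors one Extents[] entry of RETRIEVAL_POINTERS_BUFFER. */
typedef struct { int64_t next_vcn; int64_t lcn; } rp_extent;

/* One contiguous run of file data, in bytes. */
typedef struct {
    uint64_t file_off;  /* offset within the file */
    uint64_t vol_off;   /* offset within the volume (0 if sparse) */
    uint64_t length;
    int      sparse;    /* 1 when the LCN was -1: nothing to read on disk */
} vol_run;

/* Constructed sample: StartingVcn 0, three extents, middle one unallocated. */
static const rp_extent SAMPLE[] = { {4, 100}, {6, -1}, {10, 50} };

/* Translate an extent list into byte runs. Returns the number of runs,
 * or -1 if the list is malformed or an offset would overflow 64 bits. */
int map_extents(int64_t starting_vcn, const rp_extent *ext, uint32_t count,
                uint32_t cluster_size, vol_run *out, size_t max_out)
{
    int64_t vcn = starting_vcn;
    if (vcn < 0 || cluster_size == 0 || count > max_out || count > 0x7fffffff)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        /* Each extent covers [vcn, next_vcn) and must move forward. */
        if (ext[i].next_vcn <= vcn || ext[i].lcn < -1)
            return -1;
        uint64_t clusters = (uint64_t)(ext[i].next_vcn - vcn);
        if ((uint64_t)ext[i].next_vcn > UINT64_MAX / cluster_size)
            return -1;
        out[i].file_off = (uint64_t)vcn * cluster_size;
        out[i].length   = clusters * cluster_size;
        out[i].sparse   = (ext[i].lcn == -1);
        out[i].vol_off  = 0;
        if (!out[i].sparse) {
            /* The end of the run must also fit in 64 bits. */
            if ((uint64_t)ext[i].lcn > UINT64_MAX / cluster_size - clusters)
                return -1;
            out[i].vol_off = (uint64_t)ext[i].lcn * cluster_size;
        }
        vcn = ext[i].next_vcn;
    }
    return (int)count;
}

int main(void)
{
    vol_run runs[3];
    int n = map_extents(0, SAMPLE, 3, 4096, runs, 3);
    for (int i = 0; i < n; i++)
        printf("file+%llu len %llu %s%llu\n",
               (unsigned long long)runs[i].file_off,
               (unsigned long long)runs[i].length,
               runs[i].sparse ? "sparse " : "volume+",
               (unsigned long long)runs[i].vol_off);
    return n < 0;
}
```

Reads issued at these volume offsets come from disk rather than from the cache, so recent writes by the process that holds the file open may not be visible yet.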

What type of lock are you referring to? Are you referring to a file
opened by another process with no share access granted, or are you
referring to a file locked by another process with a byte-range lock?

In the case of a byte-range lock, the solution is easy. Memory-map the
file from your user-mode application (this is from the OSR IFS faq, item
Q44).

In the case of a share conflict, you need to write a driver. In your
driver, ZwCreateFile the file with just FILE_READ_ATTRIBUTES access,
then issue paging I/O reads/writes to the file object by rolling your
own IRPs. Paging I/O will bypass the share protection.

There is a caveat to this advice, however. Although both of the
preceding techniques will work for local files, they may not work for
network files (since for network files the ‘enforcement’ is done on the
server, otherwise, where is the security?).

- Nicholas Ryan


FYI: The type of locking I was referring to is an open with no share
access granted.

Thanks Nicholas and Rick (previous reply) for your info. I will
investigate both of these paths. I’m currently finishing up my IRPs
that will return the object name and type (looking for a specific
filename).

If anyone else has a caveat or recommendation along these lines
(Nicholas’ reply and Rick’s reply), please comment.

Thanks again,

Dan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Nicholas Ryan
Sent: Friday, November 01, 2002 10:49 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Reading a file opened with exclusive lock

What type of lock are you referring to? Are you referring to a file
opened by another process with no share access granted, or are you
referring to a file locked by another process with a byte-range lock?

In the case of a byte-range lock, the solution is easy. Memory-map the
file from your user-mode application (this is from the OSR IFS faq, item
Q44).

In the case of a share conflict, you need to write a driver. In your
driver, ZwCreateFile the file with just FILE_READ_ATTRIBUTES access,
then issue paging I/O reads/writes to the file object by rolling your
own IRPs. Paging I/O will bypass the share protection.

There is a caveat to this advice, however. Although both of the
preceding techniques will work for local files, they may not work for
network files (since for network files the ‘enforcement’ is done on the
server, otherwise, where is the security?).

- Nicholas Ryan


Nicholas,

Can you explain what you mean by Paging I/O reads?

I have the API doc on ZwCreateFile and ZwReadFile. I guess I would
simply issue an IRP to my driver that, in turn, calls ZwReadFile and
requests a page (4096 bytes) at a time?

Dan


Unfortunately you can’t use ZwRead/WriteFile to issue paging I/O reads.
Paging I/O refers to a flag in the IRP that indicates that the request
should be treated in a special way - most importantly that the cache
should be bypassed and so should sharing/permission checks (for local
filesystems). (This is NOT the same as opening the file with
FILE_NO_INTERMEDIATE_BUFFERING). You need to generate the IRP by hand
and send it down directly (OSR IFS FAQ item Q45).

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Morales
Sent: Wednesday, November 06, 2002 8:39 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Reading a file opened with exclusive lock

Nicholas,

Can you explain what you mean by Paging I/O reads?

I have the API doc on ZwCreateFile and ZwReadFile. I guess I
would simply issue an IRP to my driver that, in turn, calls
ZwReadFile and requests a page (4096 bytes) at a time?

Dan
