I understand that when a file is opened, the obj manager created a
corresponding FO for the same. One of hte fields in this is the reference
count of the file, which maps to the number of open handles to it.
when the user mode app issues a CloseHandle(), the reference count decreases
by one.
So my question is, is it correct to say, n-IRP_MJ_CLOSEs and
1-IRP_MJ_CLEANUP or is it hte other way round, n-IRP_MJ_CLEANUPs and
1-IRP_MJ_CLOSE, if there are multiple apps/services opening a single file?
So my question is, is it correct to say, n-IRP_MJ_CLOSEs and
1-IRP_MJ_CLEANUP or is it hte other way round, n-IRP_MJ_CLEANUPs and
1-IRP_MJ_CLOSE, if there are multiple apps/services opening a single file?
None of the above. There is 1 cleanup and 1 close for a file object.
IRP_MJ_CLEANUP is called when the last handle is closed. And IRP_MJ_CLOSE is
called when the last reference goes off on the file object.
On Wed, Jan 13, 2010 at 1:41 PM, Ayush Gupta wrote:
> So my question is, is it correct to say, n-IRP_MJ_CLOSEs and > 1-IRP_MJ_CLEANUP or is it hte other way round, n-IRP_MJ_CLEANUPs and > 1-IRP_MJ_CLOSE, if there are multiple apps/services opening a single file? > > * * > > None of the above. There is 1 cleanup and 1 close for a file object. > IRP_MJ_CLEANUP is called when the last handle is closed. And IRP_MJ_CLOSE is > called when the last reference goes off on the file object. > > * * > > Regards, > > Ayush Gupta > > AI Consulting > > — > NTFSD is sponsored by OSR > > For our schedule of debugging and file system seminars > (including our new fs mini-filter seminar) visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of A P
Sent: Wednesday, January 13, 2010 2:31 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] relation between handles and FOs
so handle count != ref count?
On Wed, Jan 13, 2010 at 1:41 PM, Ayush Gupta wrote:
So my question is, is it correct to say, n-IRP_MJ_CLOSEs and 1-IRP_MJ_CLEANUP or is it hte other way round, n-IRP_MJ_CLEANUPs and 1-IRP_MJ_CLOSE, if there are multiple apps/services opening a single file?
None of the above. There is 1 cleanup and 1 close for a file object. IRP_MJ_CLEANUP is called when the last handle is closed. And IRP_MJ_CLOSE is called when the last reference goes off on the file object.
Regards,
Ayush Gupta
AI Consulting
— NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars (including our new fs mini-filter seminar) visit: http://www.osr.com/seminars
What you MIGHT be missing is the concept that a File Object represents an OPEN INSTANCE of a file (that’s why the API is called CreateFile, even when you open an existing file… it really means “create file OBJECT”).
So, each time a file is opened and a new handle is created a new File Object is also created. Thus, if there are 3 open instances of C:\foo\bar.txt (regardless of whether those 3 opens are from the same thread, the same process, or different processes), there will be 3 File Objects (one for each open instance).
Maybe you already knew this… but it’s a common point of confusion for learners of Windows.
Then if for each of the three handles there are three calls of
DuplicateHandle … nine handles … three FO … one FCB …
wrote in message news:xxxxx@ntfsd… >
> > As Ayush correctly said: > >
> > What you MIGHT be missing is the concept that a File Object represents an > OPEN INSTANCE of a file (that’s why the API is called CreateFile, even > when you open an existing file… it really means “create file OBJECT”). > > So, each time a file is opened and a new handle is created a new File > Object is also created. Thus, if there are 3 open instances of > C:\foo\bar.txt (regardless of whether those 3 opens are from the same > thread, the same process, or different processes), there will be 3 File > Objects (one for each open instance). > > Maybe you already knew this… but it’s a common point of confusion for > learners of Windows. > > Peter > OSR > >
> Then if for each of the three handles there are three calls of
DuplicateHandle … nine handles … three FO … one FCB …
And the closure of these handles better define IRP_MJ_CLEANUP. When the last
of the 3 handles of each FO are closed, IRP_MJ_CLEANUP comes on the
associated FO.
>Maybe you already knew this… but it’s a common point of confusion for
learners of Windows.
No Peter, i didn’t know this, thanks for the tip.
When a CreateFile call comes in from an App to a file system Filter Driver,
is it correct to tamper with the access permissions in the Driver?
In create when the request comes in we change the access permission for the
file in the original Create request to allow it to access the file. Later in
create completion we check the share access is is not valid
(IoCheckShareAccess) it knows that the fileobject needs to be destroyed and
sends two IRPS down (cleanup and close).
however, we have seen the if we have an AV below us in the stack (minifilter
based), it tries to initiate a real time scan on this and crashes.
any clues…
thanks
ap
On Wed, Jan 13, 2010 at 8:12 PM, wrote:
>
> > As Ayush correctly said: > >
> > What you MIGHT be missing is the concept that a File Object represents an > OPEN INSTANCE of a file (that’s why the API is called CreateFile, even when > you open an existing file… it really means “create file OBJECT”). > > So, each time a file is opened and a new handle is created a new File > Object is also created. Thus, if there are 3 open instances of > C:\foo\bar.txt (regardless of whether those 3 opens are from the same > thread, the same process, or different processes), there will be 3 File > Objects (one for each open instance). > > Maybe you already knew this… but it’s a common point of confusion for > learners of Windows. > > Peter > OSR > > > — > NTFSD is sponsored by OSR > > For our schedule of debugging and file system seminars > (including our new fs mini-filter seminar) visit: > http://www.osr.com/seminars > > To unsubscribe, visit the List Server section of OSR Online at > http://www.osronline.com/page.cfm?name=ListServer >
you already have changed the access in precreate/dispatch so in postcreate/completion you can simply check the status code returned by the lower driver, what is the need of IoCheckShareAccess?