Remote and local files access using UNC

Mazgan_Mefutzal · December 20, 2017, 4:33am

Hi,

I am trying to distinguish between create operations on a local file system using UNC (\localhost\c$\a\b\c.txt) to operations on a real remote file system. Another thing is, that I need to know which process initiated the create operation.

I tried to base the decision on the VolumeFilesystemType parameter of InstanceSetupCallback (set a volume context and see if VolumeFilesystemType is one of the network types (i.e. FLT_FSTYPE_MUP, FLT_FSTYPE_LANMAN etc.).

The problem is that the operation is first handled by a network volume (in this case MUP),
and then the request is handled by the real local volume - but the request is made in the context of system process.

any ideas?

Thanks!!

Koby_Kahane · December 20, 2017, 10:13am

Network create operations come in with the NETWORK_OPEN_ECP_CONTEXT extra create parameter. You can detect this ECP (e.g., FltGetEcpListFromCallbackData and FltFindExtraCreateParameter with GUID_ECP_NETWORK_OPEN_CONTEXT) and examine if NETWORK_OPEN_ECP_CONTEXT::out.Location is NetworkOpenLocationLoopback on post-create. In such a case, the share being accessed is on a local volume.