Well I’m not a newbie as a programmer, but surely new to file system stuff, so any help would be appreciated.
I am now trying to write a filter driver to do two things. One is replacing a file access to another place, and the other thing is logging records of IRP_MJ_CLOSE.
The first task is easy because simrep sample is provided in DDK. For the second one, I’ve learned the only timing which is assured to get a correct file name is pre call back of IRP_MJ_CREATE. After some trial of using context mechanism, I wrote a code to take a memo of filename at pre create call back, and pass it to post create call back using Context pointer between pre/post, then register it as STREAM_HANDLE context. It can be retrieved at call back of IRP_MJ_CLOSE so it looks working.
However when those two features become together, it does not work as expected - I found post create callback was not called if STATUS_REPARSE/IO_REPARSE were set and FLT_PREOP_COMPLETE returned in pre Create callback.
I considered to use FsContext member in FILE_OBJECT but it seems to have the same issue. This field seems not ready until post create callback, and it might be same mechanism of the filter context.
I am wondering:
Why isn’t the post create callback called when REPARSE happens? Is it as designed? Or Do I misunderstand something??
Is there any suggestion to do those things at the same time? I guess many other software need to do similar tasks…
The postcreate is not called if you return FLT_PREOP_COMPLETE in the precreate code. You need to return FLT_PREOP_SUCCESS_WITH_CALLBACK to see the post create callback.
When a minifilter completes an operation its postOp callback is not called.
The assumption is that if the minifilter knows it is completing the
operation then it also knows that it can do whatever processing it needs.
This is similar to the IRP model, where when driver that completes an IRP
doesn’t get a completion routine. Another way of saying this is that there
is no “pre” and “post” when you are the one completing an operation. Does
this make sense ?
Now, about setting contexts… You cannot set contexts in postCreate when the
operation failed or was completed with STATUS_REPARSE (either by you or the
underlying filesystem) because the file was not opened by the file system.
What are you trying to track ? Do you absolutely need to set the context
when you return STATUS_REPARSE or is there any other you could achieve your
goal ? Could you please describe at a high level what you are trying to do ?
You need to return FLT_PREOP_SUCCESS_WITH_CALLBACK to see the post create callback.
Yes if I return FLT_PREOP_SUCCESS_WITH_CALLBACK, post create callback is called, but FLT_PREOP_COMPLETE is required to do filename fake, as you guys answered here: https://www.osronline.com/ShowThread.cfm?link=158951
Could you please describe at a high level what you are trying to do ?
What I am going to do is:
To trap any access to a specified folder, or any file/folder under the directory, by modifying it to another folder/file name. e.g. Filename fake.
When the file is closed, to signal it to a user service with information of both of original and mapped file/folder names.
So I think I need to record those information in Pre Create callback, and attach it to some context aware place, so as to use the info on timing of IRP_MJ_CLOSE. Of course I can just collect them in my own long list of data, and look for an appropriate entry from there when any mapped file is closed. However it would cause efficiency issue, especially in case a number of files need to be mapped in such way, simultaneously… But it seems only way to achieve my goal??
I am getting the following high level design from your posts, especially
this one:
You have a double list of folders and the real target folders. Can we
assume a one to one correspondence? Any chance that duplicates can exist on
either the first folder name or the second folder name?
When any access to a file within the first folder list is done you
substitute the second folder and issue a reparse. I am assuming that the
folder list contains a complete pathname from drive letter through one or
more levels of subdirectories. This applies to both the ‘source’ and
‘target’ lists.
You wish to notify the application or service of the full ‘source’ and
‘target’ names you used when reparsing.
Will the application or service send any information back to your
driver after it receives the notification?
I would recommend using a service and having a user application to talk to
the service as it will solve issues with permissions when accessing a device
driver.
David
Previously stationed at Tachikawa, Iruma, Tokorozawa, and Kadena in the
60’s, 70’s and 80.
wrote in message news:xxxxx@ntfsd…
Hi Rick and Alex,
Thanks for your prompt comments,
You need to return FLT_PREOP_SUCCESS_WITH_CALLBACK to see the post create
callback.
Yes if I return FLT_PREOP_SUCCESS_WITH_CALLBACK, post create callback is
called, but FLT_PREOP_COMPLETE is required to do filename fake, as you guys
answered here: https://www.osronline.com/ShowThread.cfm?link=158951
Could you please describe at a high level what you are trying to do ?
What I am going to do is:
To trap any access to a specified folder, or any file/folder under the
directory, by modifying it to another folder/file name. e.g. Filename fake.
When the file is closed, to signal it to a user service with information
of both of original and mapped file/folder names.
So I think I need to record those information in Pre Create callback, and
attach it to some context aware place, so as to use the info on timing of
IRP_MJ_CLOSE. Of course I can just collect them in my own long list of
data, and look for an appropriate entry from there when any mapped file is
closed. However it would cause efficiency issue, especially in case a
number of files need to be mapped in such way, simultaneously… But it
seems only way to achieve my goal??
Thanks for your adding details - (1) and (2) are exact what I am going to do. Sorry for my curt explanation!
Regarding (3) and (4)
You wish to notify the application or service of the full ‘source’ and ‘target’ names you used
when reparsing.
Yes I want to inform the names collected when reparsing, but I want to do that in timing of IRP_MJ_CLOSE. Is it any way for my service to detect it, without a help from the driver?
Of course each component that requested to open the source file, knows when it issues CloseFile API, but my goal is a kind of peeping system activities, and it should be done without changing any other applications.
Will the application or service send any information back to your driver after it receives the notification?
I’m not sure if I understand your question’s intention correctly, but the service might send another direction, based on the notification.
I would recommend using a service and having a user application to talk to the service as it will solve issues with permissions when accessing a device driver.
Is your suggestion that a user application which wants to access a file should inform it to the server when it closes the file?? If you can kindly elaborate it, I would appreciate.
Previously stationed at Tachikawa, Iruma, Tokorozawa, and Kadena in the 60’s, 70’s and 80.
Wow, my current place is Machida, close to Tachikawa…