returning FLT_PREOP_COMPLETE from PreWrite() still allows data to go to disk

I have a simple fs mini-filter that handles PreWrite in the following manner:

    if (this_is_special_data())
    {
        FltWrite(to_some_other_file);
        return FLT_PREOP_COMPLETE;
    }
    else
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

I am basically trying to prevent these writes from going down to the NTFS volume and instead write them to some other location on disk. But for some reason the writes are still going to the file I am trying to prevent them from going to.

Does this have anything to do with memory mapping or caching? I attempted to disable intermediate buffering during my PostCreate(). The file itself has a reparse point so in PostCreate() when I FltReissueSynchronousIo() I set this flag and call FltCallbackSetDataDirty().

Is there a special formula I need to accomplish what I am trying to do?

Thanks in advance.

Rob

I forgot to mention that my PreWrite() actually does this:

    PreWrite()
    {
        if (this_is_special_data())
        {
            schedule_worker();
            return FLT_PREOP_PENDING;
        }
        else
        {
            return FLT_PREOP_SUCCESS_NO_CALLBACK;
        }
    }

    worker()
    {
        FltWrite(to_some_other_file);
        FltComplete…(FLT_PREOP_COMPLETE);
    }

Are you doing this only for cached I/O? If yes, then you will certainly miss
writes from memory mapped files.
And you don’t seem to be completing the callback data properly. Have you
done something like CallbackData->IoStatus.Status = xxx;
CallbackData->IoStatus.Information = yyyy; ? If not then you need to do that
too. But that is not what is causing this.

Regards,
Ayush Gupta
AI Consulting

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-409606-
xxxxx@lists.osr.com] On Behalf Of xxxxx@ocarinanetworks.com
Sent: Wednesday, April 28, 2010 4:22 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] returning FLT_PREOP_COMPLETE from PreWrite() still
allows data to goto disk


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Hmm… This is something entirely different from what you mentioned in the
previous post. But the question still remains if you are handling both
cached I/O and noncached I/O? In fact, in my opinion, just handling the
non-cached I/O is sufficient in your case.

Regards,
Ayush Gupta
AI Consulting

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-409607-
xxxxx@lists.osr.com] On Behalf Of xxxxx@ocarinanetworks.com
Sent: Wednesday, April 28, 2010 4:31 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] returning FLT_PREOP_COMPLETE from PreWrite() still
allows data to goto disk


Yes I certainly am setting the Data->IoStatus block to STATUS_SUCCESS and the expected number of bytes written.

I was under the assumption that ALL i/o requests, cached and non-cached, would enter my PreWrite() callback. I am not doing anything based on anything other than rejecting fast io. In fact I only see one write request for example when I open a file in wordpad and save. Somehow this data is getting to the disk, I just can’t figure out how.

How do you check that it actually went to the disk?

Regards,
Ayush Gupta
AI Consulting

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-409620-
xxxxx@lists.osr.com] On Behalf Of xxxxx@ocarinanetworks.com
Sent: Wednesday, April 28, 2010 8:33 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] returning FLT_PREOP_COMPLETE from PreWrite() still
allows data to goto disk


I use fsutil to delete the reparse header and open the file, I expect it to be empty but it has the same data as the other file I intended to write to.

> I was under the assumption that ALL i/o requests, cached and non-cached,
> would enter my PreWrite() callback.

Absolutely. I believe that Wordpad uses cached I/O, so you should see two
I/Os to your filter:

  1. Cached I/O from the Wordpad process

  2. Not too long after, non-cached paging I/O from the System process

Your comment:

> In fact I only see one write request for example when I open a file in
> wordpad and save.

Makes it sound like you might not be handling this properly.

You can always use FileSpy to watch the operations and match that up with
what you’re seeing in your filter.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


Have you given any of the following flags during registration? If yes,
then that would explain why you are not seeing all the IOs.

FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO

FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO


You cannot return FLT_PREOP_PENDING for paging I/O.
You might be having a check for this in your “this_is_special_data()”. So,
you will end up skipping all the paging I/Os.

On Tue, Apr 27, 2010 at 11:32 PM, wrote:

> I use fsutil to delete the reparse header and open the file, I expect it to
> be empty but it has the same data as the other file I intended to write to.

Just to add, the non-cached paging I/O could come in context of system and not in the context of wordpad that you might be expecting.

regards

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: Wednesday, April 28, 2010 5:57 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] returning FLT_PREOP_COMPLETE from PreWrite() still allows data to goto disk


So I used MiniSpy from the latest DDK and for some reason I see an IRP_MJ_WRITE with the flags 0x40000043 so this is obviously a paging write. My callback is defined as such:

    { IRP_MJ_WRITE,
      0,
      XxxFilterPreWrite,
      NULL },

As you can see I am not specifying any flags to filter paging IO, yet my driver never sees the paging write, just the non paging write. How could this possibly happen?

First off I really appreciate everyone's input thus far. I ran some more tests using minispy, I'm sure someone can help because this is totally stumping me.

With my driver disabled I see paging write logged by minispy to my test doc opened in wordpad. With my driver enabled, I never see these paging writes. What could be going on?

Thanks again

Rob

Apparently I am seeing cached but not non-cached IO in my PreWrite(), i.e. the IrpFlags have IRP_DEFER_IO_COMPLETION set.

Why would I not be seeing non-cached i/o?
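
The flag values discussed in this thread (the 0x40000043 reported by MiniSpy and IRP_DEFER_IO_COMPLETION) can be decoded with a small user-mode program. This is an added example, not code from any poster: the helper names (classify_write, may_return_pending, describe_flags) are hypothetical, the flag constants are the wdm.h values redefined locally, and the 0x40000000 bit is reported as unnamed rather than interpreted.

```c
#include <stdio.h>
#include <string.h>

/* IRP flag values from wdm.h, redefined so the example builds in user mode. */
#define IRP_NOCACHE               0x00000001u
#define IRP_PAGING_IO             0x00000002u
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040u /* same bit as IRP_INPUT_OPERATION */
#define IRP_WRITE_OPERATION       0x00000200u
#define IRP_DEFER_IO_COMPLETION   0x00000800u
typedef enum { WRITE_CACHED, WRITE_NONCACHED_USER, WRITE_PAGING } write_kind;

/* Classify a write from the value a minifilter reads in Data->Iopb->IrpFlags. */
write_kind classify_write(unsigned int flags)
{
    if (flags & IRP_PAGING_IO) return WRITE_PAGING;  /* e.g. the later cache flush */
    if (flags & IRP_NOCACHE) return WRITE_NONCACHED_USER;
    return WRITE_CACHED;                             /* only updates the cache */
}

/* Per the reply in the thread, FLT_PREOP_PENDING cannot be returned for paging I/O. */
int may_return_pending(unsigned int flags) { return classify_write(flags) != WRITE_PAGING; }

/* Append the names of known bits to out; return the bits left unnamed. */
unsigned int describe_flags(unsigned int flags, char *out, size_t cap)
{
    static const struct { unsigned int bit; const char *name; } known[] = {
        { IRP_NOCACHE, "IRP_NOCACHE" }, { IRP_PAGING_IO, "IRP_PAGING_IO" },
        { IRP_SYNCHRONOUS_PAGING_IO, "IRP_SYNCHRONOUS_PAGING_IO" },
        { IRP_WRITE_OPERATION, "IRP_WRITE_OPERATION" },
        { IRP_DEFER_IO_COMPLETION, "IRP_DEFER_IO_COMPLETION" },
    };
    /* Bit 0x40 is named only when IRP_PAGING_IO is set; otherwise it stays unnamed. */
    unsigned int nameable = (flags & IRP_PAGING_IO) ? flags : flags & ~IRP_SYNCHRONOUS_PAGING_IO;
    size_t used = 0;
    if (cap) out[0] = '\0';
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (!(nameable & known[i].bit)) continue;
        int n = snprintf(out + used, cap - used, "%s%s", used ? "|" : "", known[i].name);
        if (n < 0 || (size_t)n >= cap - used) break;  /* out of room: stop naming */
        used += (size_t)n;
        flags &= ~known[i].bit;
    }
    return flags;
}

int main(void)
{
    char names[128];
    unsigned int rest = describe_flags(0x40000043u, names, sizeof names);
    printf("%s unnamed=0x%08X pend_ok=%d\n", names, rest, may_return_pending(0x40000043u));
    return 0;
}
```

In a real minifilter the same tests would be applied to Data->Iopb->IrpFlags inside the pre-operation callback; logging the classification there makes it easy to compare against what MiniSpy or FileSpy reports.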