Can anyone explain to me why I see an FsContext same FsContext refer to
two different files?
This is what I am seeing:
- A Create for file “\USERS\TEST\INFO2” (name in FO and from FltMgr)
With a FileObject of: BC00
NOTE: The create has not yet completed.
- A Create for file "" (name in FO and from
FltMgr)
With a FileObject of: 3D60
3. create completes and FileObject now has an FsContext of: 06F0
4. using the fltmgr I ‘attach’ my own context of: 7E20
5. an MJ cleanup for FileObject 3D60
6. an MJ close for FileObject 3D60
5. another MJ create for "" FltMgr)
FO: FFFFFADF95A93D60
FC: FFFFFA800CC306F0
FS: FFFFFADFA248F060
with a FileObject of: 3D60
7. MJ create completes and FileObject now has an FsContext of: 06F0
8. using the fltmgr I query for an existing context and get, as
expected, my own context of: 7E20
9.a cleanup for FileObject 3D60
NOTE: no MJ close for FO 3D60 occurs
<< now it gets interesting >>
10. the create in step 1 completes and FileObject now has an FsContext
of FC: 06F0 same above which was pointing to the drive root!
11. using the fltmgr I query for an existing context and get, as
expected, my own context of: 7E20 which indicates the file was the
driver root!
Am I correct in assuming that before an FsContext is reused that I
should get notified that the FsContext is going away and I should delete
my context?
What is also strange is that the file ID I query after the create
completion is also the same!
Thanks,
Ken
On further inspection I see that when the create completes for "" the
root, I query the file to get the attributes and it is saying it is not
a directory.
Is there a situation where a file is opened with no path name but only a
slash? It is not open by id because the length in the file name is 2
bytes and the string is a "".
I also see that just about every access flag is set Acc=0x1F01FF which
amounts to Acc=Del RdCtrl WrDac WrOwn Sync Rd Wr Apnd RdEa WrtEa Exc
DelChld RdAtr WrAtr
Also the EaLen and EaBuffer are set, something I typically don’t see, on
systems. I know the fltmgr uses this technique to avoid recursion. Is it
possible some other filter is trying to do something similar?
Ken
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@emc.com
Sent: Wednesday, July 29, 2009 5:40 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Reused FsContext?
Can anyone explain to me why I see an FsContext same FsContext refer to
two different files?
This is what I am seeing:
- A Create for file “\USERS\TEST\INFO2” (name in FO and from FltMgr)
With a FileObject of: BC00
NOTE: The create has not yet completed.
- A Create for file "" (name in FO and from
FltMgr)
With a FileObject of: 3D60
3. create completes and FileObject now has an FsContext of: 06F0
4. using the fltmgr I ‘attach’ my own context of: 7E20
5. an MJ cleanup for FileObject 3D60
6. an MJ close for FileObject 3D60
5. another MJ create for "" FltMgr)
FO: FFFFFADF95A93D60
FC: FFFFFA800CC306F0
FS: FFFFFADFA248F060
with a FileObject of: 3D60
7. MJ create completes and FileObject now has an FsContext of: 06F0
8. using the fltmgr I query for an existing context and get, as
expected, my own context of: 7E20
9.a cleanup for FileObject 3D60
NOTE: no MJ close for FO 3D60 occurs
<< now it gets interesting >>
10. the create in step 1 completes and FileObject now has an FsContext
of FC: 06F0 same above which was pointing to the drive root!
11. using the fltmgr I query for an existing context and get, as
expected, my own context of: 7E20 which indicates the file was the
driver root!
Am I correct in assuming that before an FsContext is reused that I
should get notified that the FsContext is going away and I should delete
my context?
What is also strange is that the file ID I query after the create
completion is also the same!
Thanks,
Ken
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
>Is there a situation where a file is opened with no path name but only a slash?
And what is the related file object?
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Unfortunately I don’t show the related FileObject, the FO object path is
a single slash, typically the RFO is only used when the FO does not
start with a slash. I also query the name from the fltmgr using
FltGetFileNameInformation and it returns the single slash as the file
name.
I’ll see if I can get the RFO.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Thursday, July 30, 2009 4:24 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Reused FsContext?
Is there a situation where a file is opened with no path name but only
a slash?
And what is the related file object?
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
MCafee’s issues opens on "". Look for mfehidk.sys in the stack.
From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of xxxxx@emc.com [xxxxx@emc.com]
Sent: Wednesday, July 29, 2009 18:56
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Reused FsContext?
On further inspection I see that when the create completes for ?? the root, I query the file to get the attributes and it is saying it is not a directory.
Is there a situation where a file is opened with no path name but only a slash? It is not open by id because the length in the file name is 2 bytes and the string is a ??.
I also see that just about every access flag is set Acc=0x1F01FF which amounts to Acc=Del RdCtrl WrDac WrOwn Sync Rd Wr Apnd RdEa WrtEa Exc DelChld RdAtr WrAtr
Also the EaLen and EaBuffer are set, something I typically don?t see, on systems. I know the fltmgr uses this technique to avoid recursion. Is it possible some other filter is trying to do something similar?
Ken
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@emc.com
Sent: Wednesday, July 29, 2009 5:40 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Reused FsContext?
Can anyone explain to me why I see an FsContext same FsContext refer to two different files?
This is what I am seeing:
-
A Create for file ?\USERS\TEST\INFO2? (name in FO and from FltMgr)
With a FileObject of: BC00
NOTE: The create has not yet completed.
-
A Create for file ?? (name in FO and from FltMgr)
With a FileObject of: 3D60
3. create completes and FileObject now has an FsContext of: 06F0
4. using the fltmgr I ?attach? my own context of: 7E20
5. an MJ cleanup for FileObject 3D60
6. an MJ close for FileObject 3D60
5. another MJ create for ?? FO: FFFFFADF95A93D60
FC: FFFFFA800CC306F0
FS: FFFFFADFA248F060
with a FileObject of: 3D60
7. MJ create completes and FileObject now has an FsContext of: 06F0
8. using the fltmgr I query for an existing context and get, as expected, my own context of: 7E20
9.a cleanup for FileObject 3D60
NOTE: no MJ close for FO 3D60 occurs
<< now it gets interesting >>
10. the create in step 1 completes and FileObject now has an FsContext of FC: 06F0 same above which was pointing to the drive root!
11. using the fltmgr I query for an existing context and get, as expected, my own context of: 7E20 which indicates the file was the driver root!
Am I correct in assuming that before an FsContext is reused that I should get notified that the FsContext is going away and I should delete my context?
What is also strange is that the file ID I query after the create completion is also the same!
Thanks,
Ken
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Yes, MCafee is loaded on this system. Do you know if this is behavior of
an older driver or is this a new thing?
Are we supposed to now code around 3rd party nuisances?
Anyone have a contact point for McAfee?
Ken
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@McAfee.com
Sent: Thursday, July 30, 2009 10:52 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Reused FsContext?
MCafee’s issues opens on "". Look for mfehidk.sys in the stack.
From: xxxxx@lists.osr.com
[xxxxx@lists.osr.com] On Behalf Of xxxxx@emc.com
[xxxxx@emc.com]
Sent: Wednesday, July 29, 2009 18:56
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Reused FsContext?
On further inspection I see that when the create completes for "" the
root, I query the file to get the attributes and it is saying it is not
a directory.
Is there a situation where a file is opened with no path name but only a
slash? It is not open by id because the length in the file name is 2
bytes and the string is a "".
I also see that just about every access flag is set Acc=0x1F01FF which
amounts to Acc=Del RdCtrl WrDac WrOwn Sync Rd Wr Apnd RdEa WrtEa Exc
DelChld RdAtr WrAtr
Also the EaLen and EaBuffer are set, something I typically don’t see, on
systems. I know the fltmgr uses this technique to avoid recursion. Is it
possible some other filter is trying to do something similar?
Ken
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@emc.com
Sent: Wednesday, July 29, 2009 5:40 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Reused FsContext?
Can anyone explain to me why I see an FsContext same FsContext refer to
two different files?
This is what I am seeing:
-
A Create for file “\USERS\TEST\INFO2” (name in FO and from FltMgr)
With a FileObject of: BC00
NOTE: The create has not yet completed.
-
A Create for file "" (name in FO and from
FltMgr)
With a FileObject of: 3D60
3. create completes and FileObject now has an FsContext of: 06F0
4. using the fltmgr I ‘attach’ my own context of: 7E20
5. an MJ cleanup for FileObject 3D60
6. an MJ close for FileObject 3D60
5. another MJ create for "" FltMgr)
FO: FFFFFADF95A93D60
FC: FFFFFA800CC306F0
FS: FFFFFADFA248F060
with a FileObject of: 3D60
7. MJ create completes and FileObject now has an FsContext of: 06F0
8. using the fltmgr I query for an existing context and get, as
expected, my own context of: 7E20
9.a cleanup for FileObject 3D60
NOTE: no MJ close for FO 3D60 occurs
<< now it gets interesting >>
10. the create in step 1 completes and FileObject now has an FsContext
of FC: 06F0 same above which was pointing to the drive root!
11. using the fltmgr I query for an existing context and get, as
expected, my own context of: 7E20 which indicates the file was the
driver root!
Am I correct in assuming that before an FsContext is reused that I
should get notified that the FsContext is going away and I should delete
my context?
What is also strange is that the file ID I query after the create
completion is also the same!
Thanks,
Ken
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
The RelatedFileObject is NULL in the case where it opens the root "".
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@emc.com
Sent: Thursday, July 30, 2009 10:29 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Reused FsContext?
Unfortunately I don’t show the related FileObject, the FO object path is
a single slash, typically the RFO is only used when the FO does not
start with a slash. I also query the name from the fltmgr using
FltGetFileNameInformation and it returns the single slash as the file
name.
I’ll see if I can get the RFO.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Thursday, July 30, 2009 4:24 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Reused FsContext?
Is there a situation where a file is opened with no path name but only
a slash?
And what is the related file object?
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
Jonathan,
Can you elaborate on McAfee’s driver is doing here?
Is it sending opens on '' but passing the real name to open in the EA buffer?
Regards,
Sarosh.
File System Filter Lead
Microsoft Corp
This posting is provided “AS IS” with no warranties, and confers no Rights
xxxxx@emc.com wrote:
Yes, MCafee is loaded on this system. Do you know if this is behavior of
an older driver or is this a new thing?
Are we supposed to now code around 3rd party nuisances?
Anyone have a contact point for McAfee?
Ken
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@McAfee.com
Sent: Thursday, July 30, 2009 10:52 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Reused FsContext?
MCafee’s issues opens on "". Look for mfehidk.sys in the stack.
From: xxxxx@lists.osr.com
[xxxxx@lists.osr.com] On Behalf Of xxxxx@emc.com
[xxxxx@emc.com]
Sent: Wednesday, July 29, 2009 18:56
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Reused FsContext?
On further inspection I see that when the create completes for "" the
root, I query the file to get the attributes and it is saying it is not
a directory.
Is there a situation where a file is opened with no path name but only a
slash? It is not open by id because the length in the file name is 2
bytes and the string is a "".
I also see that just about every access flag is set Acc=0x1F01FF which
amounts to Acc=Del RdCtrl WrDac WrOwn Sync Rd Wr Apnd RdEa WrtEa Exc
DelChld RdAtr WrAtr
Also the EaLen and EaBuffer are set, something I typically don’t see, on
systems. I know the fltmgr uses this technique to avoid recursion. Is it
possible some other filter is trying to do something similar?
Ken
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@emc.com
Sent: Wednesday, July 29, 2009 5:40 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Reused FsContext?
Can anyone explain to me why I see an FsContext same FsContext refer to
two different files?
This is what I am seeing:
-
A Create for file “\USERS\TEST\INFO2” (name in FO and from FltMgr)
With a FileObject of: BC00
NOTE: The create has not yet completed.
-
A Create for file "" (name in FO and from
> FltMgr)
> With a FileObject of: 3D60
> 3. create completes and FileObject now has an FsContext of: 06F0
> 4. using the fltmgr I ‘attach’ my own context of: 7E20
> 5. an MJ cleanup for FileObject 3D60
> 6. an MJ close for FileObject 3D60
> 5. another MJ create for "" > FltMgr)
> FO: FFFFFADF95A93D60
> FC: FFFFFA800CC306F0
> FS: FFFFFADFA248F060
> with a FileObject of: 3D60
> 7. MJ create completes and FileObject now has an FsContext of: 06F0
>
> 8. using the fltmgr I query for an existing context and get, as
> expected, my own context of: 7E20
> 9.a cleanup for FileObject 3D60
> NOTE: no MJ close for FO 3D60 occurs
> << now it gets interesting >>
> 10. the create in step 1 completes and FileObject now has an FsContext
> of FC: 06F0 same above which was pointing to the drive root!
> 11. using the fltmgr I query for an existing context and get, as
> expected, my own context of: 7E20 which indicates the file was the
> driver root!
>
> Am I correct in assuming that before an FsContext is reused that I
> should get notified that the FsContext is going away and I should delete
> my context?
> What is also strange is that the file ID I query after the create
> completion is also the same!
>
> Thanks,
> Ken
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
Yes. Newer versions use IoCreateFileEx or IoCreateFileSpecifyDeviceObjectHint when available to bypass upper-filters.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Sarosh Havewala
Sent: Thursday, July 30, 2009 2:02 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Reused FsContext?
Jonathan,
Can you elaborate on McAfee’s driver is doing here?
Is it sending opens on '' but passing the real name to open in the EA buffer?
Regards,
Sarosh.
File System Filter Lead
Microsoft Corp
This posting is provided “AS IS” with no warranties, and confers no Rights
xxxxx@emc.com wrote:
Yes, MCafee is loaded on this system. Do you know if this is behavior of
an older driver or is this a new thing?
Are we supposed to now code around 3rd party nuisances?
Anyone have a contact point for McAfee?
Ken
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@McAfee.com
Sent: Thursday, July 30, 2009 10:52 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Reused FsContext?
MCafee’s issues opens on "". Look for mfehidk.sys in the stack.
From: xxxxx@lists.osr.com
[xxxxx@lists.osr.com] On Behalf Of xxxxx@emc.com
[xxxxx@emc.com]
Sent: Wednesday, July 29, 2009 18:56
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Reused FsContext?
On further inspection I see that when the create completes for "" the
root, I query the file to get the attributes and it is saying it is not
a directory.
Is there a situation where a file is opened with no path name but only a
slash? It is not open by id because the length in the file name is 2
bytes and the string is a "".
I also see that just about every access flag is set Acc=0x1F01FF which
amounts to Acc=Del RdCtrl WrDac WrOwn Sync Rd Wr Apnd RdEa WrtEa Exc
DelChld RdAtr WrAtr
Also the EaLen and EaBuffer are set, something I typically don’t see, on
systems. I know the fltmgr uses this technique to avoid recursion. Is it
possible some other filter is trying to do something similar?
Ken
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@emc.com
Sent: Wednesday, July 29, 2009 5:40 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Reused FsContext?
Can anyone explain to me why I see an FsContext same FsContext refer to
two different files?
This is what I am seeing:
-
A Create for file “\USERS\TEST\INFO2” (name in FO and from FltMgr)
With a FileObject of: BC00
NOTE: The create has not yet completed.
-
A Create for file "" (name in FO and from
> FltMgr)
> With a FileObject of: 3D60
> 3. create completes and FileObject now has an FsContext of: 06F0
> 4. using the fltmgr I ‘attach’ my own context of: 7E20
> 5. an MJ cleanup for FileObject 3D60
> 6. an MJ close for FileObject 3D60
> 5. another MJ create for "" > FltMgr)
> FO: FFFFFADF95A93D60
> FC: FFFFFA800CC306F0
> FS: FFFFFADFA248F060
> with a FileObject of: 3D60
> 7. MJ create completes and FileObject now has an FsContext of: 06F0
>
> 8. using the fltmgr I query for an existing context and get, as
> expected, my own context of: 7E20
> 9.a cleanup for FileObject 3D60
> NOTE: no MJ close for FO 3D60 occurs
> << now it gets interesting >>
> 10. the create in step 1 completes and FileObject now has an FsContext
> of FC: 06F0 same above which was pointing to the drive root!
> 11. using the fltmgr I query for an existing context and get, as
> expected, my own context of: 7E20 which indicates the file was the
> driver root!
>
> Am I correct in assuming that before an FsContext is reused that I
> should get notified that the FsContext is going away and I should delete
> my context?
> What is also strange is that the file ID I query after the create
> completion is also the same!
>
> Thanks,
> Ken
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer