SMBMRX DLL problm.


I want to achieve encryption/decryption on network paths like we did on local disks. I am just confused as which is the perfect to achieve this; a NDIS intermediate drivers. network redirector or any other abt which I am not aware. We have to provide functionality like explorer(read, write, directory_control, rename etc). We already did it for local & removable disk.

Any clues like where to start with and with which approach?

We are all ears for any suggestions.


Oops, the title is wrong. Actually I was building SmbMrx with nmake and not getting the dll as output but later on get it done with build command.

Its title should be “way to handle encryption/decryption on network”.

You didn’t provided enough info, so it is not clear what you are asking for.
e.g Would you like to use SMB or your proprietary protocol? It doesn’t make sense to encrypt only at client side. How would you share keys with other clients in such case? etc…
Or do you expect that we design infrastructure for you?

how can I expect that without a contract. :slight_smile:

let me clear my point,

We have a mini filter driver which provides on the fly encryption/decryption for files at local mapped drives. This product is already in market.

We tried to handle encryption/decryption for files at network mapped drives but found that it is not same as local irp handling. like if we encrypt data on non cached path only than for many network operations non cached io will not be generated at the machine where filter is loaded. non cached write will be generated at network machine instead, which is obvious AFAIK.

We can not install our software on every machine at network. To handle this we need to encrypt data at local machine before it goes to network.

We tried the approach at and its not working(we need to handle this for vista too). I search and found that it can be done via mini redirector(SMB protocal). Later I found passthrough intermediate driver in winddk and its readme states that " it could encrypt/compress outgoing and decrypt/decompress incoming data.".

So the query is which approach actually solves this problem.


Still missing some point or it goes out of scope of my understanding. I cannot imagine what advantage it should provide.

We can not install our software on every machine at network. To handle this we
need to encrypt data at local machine before it goes to network.
Ok so do you plan to run filter also on server, so it decrypts data before it gets to SMB server?
In all cases you need counterpart server who understands encrypted data. In other case individual files on the server will be encrypted by different clients with ?different? keys.

We tried the approach at and
its not working(we need to handle this for vista too).
I am not sure if note under line for vista is valid. Unfortunately structures are missing in RDBSS.pdb so I cannot verify that. I thought that RDBSS headers + libs in WDK are kept in current state with OS.
What I know is that SMBMRX is very incomplete if you compare it to Lanman redirector. It is provided as a sample for different protocols. It is not supposed that you somehow “improve” SMB and reuse it. Other problem I can see is that you cannot easy differentiate between different kinds of mini-redirectors on vista. Their devices are not named. You can see only one MUP device. There can be also WebDAV redirector of some third party redirector. Are you sure that you do want to encrypt data also for these mini-redirs?

Good luck

Thanks for your answer bg,

Our software is a desktop application; it creates virtual drives (mapped to some local paths). All files which will be created in our virtual drives should have their data encrypted. Decryption will be done vice versa (i.e. when any app. read the file or file copied outside the drive). Now if our software is on machine A and user A has access to a path of Machine N, than user A will be able to create a virtual drive mapped to a path at Machine N. This drive should behave exactly same like a drive mapped to a local path. Any user of Machine N should not see the decrypted data. Only user A of Machine A can read decrypted data from the path. So it’s more like a storage folder at network where user keeps his data encrypted.

We can not install our software on Machine N as it could be running on any OS from an older version of windows to linux or any other. Currently our minifilter driver does encryption/decryption at paging/non cached path. We have observed that the write behavior is not consistent among various operations on network drives. We sometimes receives all data at non cached path at Machine A but in many cases non cached write generates at Machine N and at Machine A only cached write appears which leaves this data unencrypted.

We are currently looking for a feasible solution for this problem which woks on XP/Vista 32/64 bit OS.

I hope I make things clear now.