Spoofing the Read only flag?

Hi all!

I’m trying to block or deny write access to some files in my mini-filter.
In my IRP_MJ_CREATE Post Routine, I check to see if someone is trying to
write to a file I want to protect and use FTLCancelFileOpen. Which in fact
does give the client a “access denied” or makes the file LOOK read-only.
BUT since the file open has already occurred, if the file was open with an
overwrite flag, all the contents is lost. :frowning:

According to the Filter Driver Developers Guide from Microsoft:

For failing IRP_MJ_CREATE operations, the Filter Manager provides some help
with the FltCancelFileOpen() routine to teardown the opened file object, but
the filter is still responsible to restore any file contents that were lost
by CREATE operation which overwrote the original file.

I would rather not have to deal with trying to restore a very large file and
would rather just somehow deny the file open. Is there some way to make the
file appear “Read-only”? Can I do it if I hook into the
IRP_MJ_DIRECTORY_CONTROL? Or IRP_MJ_QUERY_INFORMATION?

Thanks,

Gene

The obvious question is: Why not catch it in the pre-Create and fail it
with ERROR_FILE_READ_ONLY or ERROR_ACCESS_DENIED or whatever?

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
Sent: Sunday, June 12, 2005 10:51 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Spoofing the Read only flag?

Hi all!

I’m trying to block or deny write access to some files in my mini-filter.
In my IRP_MJ_CREATE Post Routine, I check to see if someone is trying to
write to a file I want to protect and use FTLCancelFileOpen. Which in fact
does give the client a “access denied” or makes the file LOOK read-only.
BUT since the file open has already occurred, if the file was open with an
overwrite flag, all the contents is lost. :frowning:

According to the Filter Driver Developers Guide from Microsoft:

For failing IRP_MJ_CREATE operations, the Filter Manager provides some help
with the FltCancelFileOpen() routine to teardown the opened file object, but

the filter is still responsible to restore any file contents that were lost
by CREATE operation which overwrote the original file.

I would rather not have to deal with trying to restore a very large file and

would rather just somehow deny the file open. Is there some way to make the

file appear “Read-only”? Can I do it if I hook into the
IRP_MJ_DIRECTORY_CONTROL? Or IRP_MJ_QUERY_INFORMATION?

Thanks,

Gene


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

I guess I could try that…
My understanding of the “access rule” was that you denied access in the
IRP_MJ_CREATE and I assumed that it was the completion routine not the
pre-create. I’ll give that a shot.

Thanks Ken,

“Ken Cross” wrote in message news:xxxxx@ntfsd…
> The obvious question is: Why not catch it in the pre-Create and fail it
> with ERROR_FILE_READ_ONLY or ERROR_ACCESS_DENIED or whatever?
>
> Ken
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Gene Allen
> Sent: Sunday, June 12, 2005 10:51 AM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] Spoofing the Read only flag?
>
> Hi all!
>
>
>
> I’m trying to block or deny write access to some files in my mini-filter.
> In my IRP_MJ_CREATE Post Routine, I check to see if someone is trying to
> write to a file I want to protect and use FTLCancelFileOpen. Which in fact
> does give the client a “access denied” or makes the file LOOK read-only.
> BUT since the file open has already occurred, if the file was open with an
> overwrite flag, all the contents is lost. :frowning:
>
>
>
> According to the Filter Driver Developers Guide from Microsoft:
>
>
>
> For failing IRP_MJ_CREATE operations, the Filter Manager provides some
> help
> with the FltCancelFileOpen() routine to teardown the opened file object,
> but
>
> the filter is still responsible to restore any file contents that were
> lost
> by CREATE operation which overwrote the original file.
>
>
>
> I would rather not have to deal with trying to restore a very large file
> and
>
> would rather just somehow deny the file open. Is there some way to make
> the
>
> file appear “Read-only”? Can I do it if I hook into the
> IRP_MJ_DIRECTORY_CONTROL? Or IRP_MJ_QUERY_INFORMATION?
>
>
>
> Thanks,
>
>
>
> Gene
>
>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@comcast.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>