to stop opening a file

NTFSD
1

Hi,

I am using the IFS kit in Win XP SP2. I am trying to modify the
Filespy sample code to stop opening a file. Any suggestions as to how to
proceed would be appreciated.

I tried modifying the SpyPassthrough function and check for
IRP_MJ_CREATE and return to the IO Manager from there itself (I do not
want the IRP to be sent further down to the base file system driver). I
am pretty sure I am messing up somewhere as my PC reboots as soon as I
execute the filespy.exe!!

I place the following piece of code into the SpyPassThrough function
(hope I am right in placing it there).

if (irpStack->MajorFunction == IRP_MJ_CREATE) {

//Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; //
-1 ??

Irp->IoStatus.Status = _MORE_PROCESSING_REQUIRED;

Irp->IoStatus.Information = 0;

SpyLogIrpCompletion( Irp, recordList );

//

// Continue processing the operation

//

status = Irp->IoStatus.Status;

IoCompleteRequest( Irp, IO_NO_INCREMENT );

//IoFreeIrp(Irp);

return status;

}

I want to know at which place (in a file system filter driver code) does
the user-mode messages gets intercepted? Where does an IRP first gets
seen by the filter driver? I am unable to understand the correct flow of
the sample code.

Thanks,

Sri.

DISCLAIMER:
This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated.

2

For cancel create operation filter driver must call IoCancelFileOpen. After calling IoCancelFileOpen, the filter driver should complete the create request with an appropriate error code such as STATUS_UNSUCCESSFUL or STATUS_ACCESS_DENIED. In addition, it should set the Irp->IoStatus.Information field to zero.

Best regards,
Fisyuk Victor
EMail/MSN: xxxxx@rambler.ru
Web: http://rockdbg.siteburg.com
“Srivathsan_Srinivasagopalan” wrote in message news:xxxxx@ntfsd…
Hi,

I am using the IFS kit in Win XP SP2. I am trying to modify the Filespy sample code to stop opening a file. Any suggestions as to how to proceed would be appreciated.

I tried modifying the SpyPassthrough function and check for IRP_MJ_CREATE and return to the IO Manager from there itself (I do not want the IRP to be sent further down to the base file system driver). I am pretty sure I am messing up somewhere as my PC reboots as soon as I execute the filespy.exe!!

I place the following piece of code into the SpyPassThrough function (hope I am right in placing it there).

if (irpStack->MajorFunction == IRP_MJ_CREATE) {

//Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; // -1 ??

Irp->IoStatus.Status = _MORE_PROCESSING_REQUIRED;

Irp->IoStatus.Information = 0;

SpyLogIrpCompletion( Irp, recordList );

//

// Continue processing the operation

//

status = Irp->IoStatus.Status;

IoCompleteRequest( Irp, IO_NO_INCREMENT );

//IoFreeIrp(Irp);

return status;

}

I want to know at which place (in a file system filter driver code) does the user-mode messages gets intercepted? Where does an IRP first gets seen by the filter driver? I am unable to understand the correct flow of the sample code.

Thanks,

Sri.

DISCLAIMER:
This email (including any attachments) is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you are not the intended recipient, please contact the sender by email and delete all copies; your cooperation in this regard is appreciated…

3

Actually the IoCancelFileOpen is only if the filter lets the open proceed
down the stack. If the filter catches the open on the way down, this is not
needed.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Fisyuk Victor” wrote in message news:xxxxx@ntfsd…
For cancel create operation filter driver must call IoCancelFileOpen. After
calling IoCancelFileOpen, the filter driver should complete the create
request with an appropriate error code such as STATUS_UNSUCCESSFUL or
STATUS_ACCESS_DENIED. In addition, it should set the
Irp->IoStatus.Information field to zero.

Best regards,
Fisyuk Victor
EMail/MSN: xxxxx@rambler.ru
Web: http://rockdbg.siteburg.com
“Srivathsan_Srinivasagopalan”
wrote in message news:xxxxx@ntfsd…
Hi,

I am using the IFS kit in Win XP SP2. I am trying to modify the
Filespy sample code to stop opening a file. Any suggestions as to how to
proceed would be appreciated.

I tried modifying the SpyPassthrough function and check for IRP_MJ_CREATE
and return to the IO Manager from there itself (I do not want the IRP to be
sent further down to the base file system driver). I am pretty sure I am
messing up somewhere as my PC reboots as soon as I execute the filespy.exe!!

I place the following piece of code into the SpyPassThrough function (hope
I am right in placing it there).

if (irpStack->MajorFunction == IRP_MJ_CREATE) {

//Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
// -1 ??

Irp->IoStatus.Status = _MORE_PROCESSING_REQUIRED;

Irp->IoStatus.Information = 0;

SpyLogIrpCompletion( Irp, recordList );

//

// Continue processing the operation

//

status = Irp->IoStatus.Status;

IoCompleteRequest( Irp, IO_NO_INCREMENT );

//IoFreeIrp(Irp);

return status;

}

I want to know at which place (in a file system filter driver code) does
the user-mode messages gets intercepted? Where does an IRP first gets seen
by the filter driver? I am unable to understand the correct flow of the
sample code.

Thanks,

Sri.

DISCLAIMER:
This email (including any attachments) is intended for the sole use of the
intended recipient/s and may contain material that is CONFIDENTIAL AND
PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or
distribution or forwarding of any or all of the contents in this message is
STRICTLY PROHIBITED. If you are not the intended recipient, please contact
the sender by email and delete all copies; your cooperation in this regard
is appreciated…