Tracking mapped drives

NTFSD
1

Hi All,

I have had developed file system mini filter for tracking file operations on
local NTFS drive. Now I need to extend this to mapped drives (network).
Assuming that I would get an exclusive access to the mapped drive; can
someone please suggest what would be the additional effort for supporting
the mapped drive? Can I reuse the existing mini filter driver built for
tracking local drive? Will there be any specifics that I need to be aware
of?

Thanks in advance.

2

Phew,

Where to start?. I would say that most of use have wounds to show from where we have taken a local disk filter and tried to make it work over the network. In general this is going to be a slog if you didn’t design in the network restrictions from day 1. But if you haven’t done this before you won’t know what the restrictions are so – catch 22.

Will there be any specifics that I need to be aware of?

Off the top of my head here are some. How relevant they are to your filter, only you will know…

  • You should decide whether you just care about SMB/SMB2 or other network protocols (like webDAV)
  • Even if you stick with SMBx you need to worry about non-MS servers.
  • Do not expect any hard coded errors to be the same.
  • Operations will be policed for security remotely. This means that using a file object open for read only will not work for write. Also you cannot assume that creates from k-mode will not return ACCESS_DENIED.
  • Once you a file object has seen a MJ_SET_FILE_INFORMATION/FileRenameInformation it is effectively dead. Cleanup and closes only.
  • Naming is just completely different. The most obvious impact is that although if you get the same stream context it will be for the same file, the reverse is no longer true. Share names are an obvious one (how can you tell that \foo\ is the same as \192.123…12.1) but on the same share a file opened by short name will have a different stream context to the same file opened via long name
  • If you are name aware and need to support DFS – allow even longer to get it right. Especially if you have to support XP as well as >= Vista.

I’m sure other will chip in with other issues.

Can I reuse the existing mini filter driver built for tracking local drive?

In my experience, people normally try. Despite the differences, there is a lot of similarity – enough (IMO) to make one filter with network specific bits easier to maintain than two drivers.

Good luck.

“Priyank Tiwari” wrote in message news:xxxxx@ntfsd…
Hi All,

I have had developed file system mini filter for tracking file operations on local NTFS drive. Now I need to extend this to mapped drives (network). Assuming that I would get an exclusive access to the mapped drive; can someone please suggest what would be the additional effort for supporting the mapped drive? Can I reuse the existing mini filter driver built for tracking local drive? Will there be any specifics that I need to be aware of?

Thanks in advance.