volume name for FSCTL_UNLOCK_VOLUME

Hello,

I’m working on a file system filter and I intercept FSCTL_UNLOCK_VOLUME in IRP_MJ_FILE_SYSTEM_CONTROL. Is there any way to extract the name of the volume on which the unlocking operation takes place? I’ve tried ObQueryNameString for the DEVICE_OBJECT and FILE_OBJECT in the IO_STACK_LOCATION structure and it wouldn’t work.

Thanks.

Anyone? Help will be very appreciated.

Can you elaborate on "I’ve tried ObQueryNameString for the DEVICE_OBJECT and FILE_OBJECT in the IO_STACK_LOCATION structure and it wouldn’t work. " ? How does it not work? Does it fail ? Which status do you get ? Can you perhaps post a bit of code ?

Is this a legacy filter ? If so, why not use a minifilter ? :slight_smile:

Thanks,
Alex.

I finally figured it out. If anyone is interested it works by calling ObQueryNameString on the IO_STACK_LOCATION->FileObject->DeviceObject->Vpb->RealDevice.

Why not use IoGetRelatedDeviceObject() to get the device object ? I’m just
curious…

Thanks,
Alex.