Which event are received in my callback method for IRP_MJ_CREATE?

OSR_Community_User · February 6, 2009, 3:11am

Hi,

I have a preoperational callback routines that take care of the IRP_MJ_READ event, but I doesn?t get any events.
When I switch to IRP_MJ_CREATE callback I get several events for a single file copy.

Is it possible to know which event it is, example open, read or write event in a IRP_MJ_CREATE callback?
I have tried to find out which event it is by checking the Data->Iopb->IrpFlags in my callback method.
But when I do a file copy I get only IRP_SYNCHRONOUS_API not the events I won?t like IRP_READ_OPERATION and IRP_WRITE_OPERATION.

Is it possible to find out which event it is in the callback method?

I have search for the answer everywhere but no answers was found.

Thanks
Mattias Bergkvist

Ayush_Gupta-2 · February 6, 2009, 5:31am

Hi Mattias!

The easier way out would have been to register separate callbacks for each IRP if you wanted to do different kind of handling for each. Anyways, you could find out the IRP_MJ_XXX from Data->Iopb->MajorFunction. It contains the event that you are looking for. They are actually called Major Functions.

Regards,
Ayush

Add more friends to your messenger and enjoy! Go to http://messenger.yahoo.com/invite/

OSR_Community_User · February 18, 2009, 7:59am

Thanks Ayush

Sorry my late response to your answer but here it comes one more question:

The easier way out would have been to register separate callbacks for each IRP if you wanted to > do different kind of handling for each.

Yes I have tried that but the same problem occur for both the IRP_MJ_READ and IRP_MJ_CREATE, I try to detect if it is the mouse that triggered the event when it stands over a file or if it is a file open event. I try to filter out the open event from other events, example when a mouse over a file I get the same events that happens when I open a file. Are this two events exactly the same or could I know which of hem I get?

Thanks
Mattias

Ayush_Gupta-2 · February 18, 2009, 9:23am

Hi Mattias,

Even when you place your mouse over the file icon, the explorer gets into action and tries to query the file attributes etc. And hence opens the file too. Detecting that a mouse is placed on a file icon would be impossible (if i am right) in the file system stack.

Regards,
Ayush

— On Wed, 18/2/09, xxxxx@netcleantech.com wrote:

> From: xxxxx@netcleantech.com
> Subject: RE:[ntfsd] Which event are received in my callback method for IRP_MJ_CREATE?
> To: “Windows File Systems Devs Interest List”
> Date: Wednesday, 18 February, 2009, 6:29 PM
> Thanks Ayush
>
> Sorry my late response to your answer but here it comes one
> more question:
>
> > The easier way out would have been to register
> separate callbacks for each IRP if you wanted to > do
> different kind of handling for each.
>
> Yes I have tried that but the same problem occur for both
> the IRP_MJ_READ and IRP_MJ_CREATE, I try to detect if it is
> the mouse that triggered the event when it stands over a
> file or if it is a file open event. I try to filter out the
> open event from other events, example when a mouse over a
> file I get the same events that happens when I open a file.
> Are this two events exactly the same or could I know which
> of hem I get?
>
> Thanks
> Mattias
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online
> at http://www.osronline.com/page.cfm?name=ListServer

Add more friends to your messenger and enjoy! Go to http://messenger.yahoo.com/invite/

OSR_Community_User · February 18, 2009, 10:02am

Thanks again Ayush

Precisely what I thought, I have hoped that it could be some way to know what type of event it was.

Thanks again.
Mattias

Aditya_Shrivastava · February 19, 2009, 3:20am

>>Yes I have tried that but the same problem occur for both the IRP_MJ_READ and IRP_MJ_CREATE, I try to detect if it is the mouse that triggered the event when it stands over a file or if it is a file open event.

First you can not detect that at this level(yes it is same what Ayush said). Second you are supposed to satisfy these request too or else you’ll change the desired functionality, like the tool tip which occurs when you move your mouse over an object.

I am still not able to think of any scenario where such functionality is required. if possible can you explain.

Thanks
Aditya

Aditya_Shrivastava · February 19, 2009, 3:27am

I have one application (dictionary) which keep track of every ctrl + left mouse click. So whenever I press left mouse button with ctrl it tries to display the meaning of that word(if any). This app is actually using mesage hooks to implement that.

In case you want something similar you need to do somthing like this.

OSR_Community_User · February 19, 2009, 6:08am

I shall try to explain why:
I have a specific file that the user not is allowed to move, copy, delete or read. If a user is trying to do one of this a warning is coming up and says that you not allowed doing so. But I do not wont warnings when a user only is there with the mouse.

I have hoped that it was a way round to do so.

Now I trying to combine Data->Iopb->Parameters.Create.ShareAccess and Data->Iopb->Parameters.Create.Options.
When a mouse is over a file ShareAccess is always 7 and Options is always 16777312, I have not seen this combination on the other events. Could this be a way round to detect the mouse over a file?

Thanks
Mattias

Aditya_Shrivastava · February 19, 2009, 8:43am

>>the user not is allowed to move, copy, delete or read

Then what is allowed; write?

>When a mouse is over a file ShareAccess is always 7 and Options is always 16777312, I have not seen this combination on the other events. Could this be a way round to detect the mouse over a file?

I do not think this is a proper solution even if it work for you this time. Later on you may encounter some Apps/scenario which fires same IRPs with similar access, than you’ll fail them too.

To stop a move or delete; handle irp_mj_set_info.

OSR_Community_User · February 19, 2009, 10:38am

>>Then what is allowed; write?
Nothing except mouse over shall be granted, it is only one user app that shall not have granted to the file.

>I do not think this is a proper solution even if it work for you this time.
>Later on you may encounter some Apps/scenario which fires same IRPs with similar
>access, than you’ll fail them too.

Yes I know that is not the best solution but it works, when it is only one app that it is applied to I think it could work.

/Mattias

Andreas_Nilsson · February 20, 2009, 8:44am

Comments inline:

Nothing except mouse over shall be granted, it is only one user app that
shall not have granted to the file.

What level of security do you need to achieve?

1a. Do you need to prevent the user from tampering with the file
as the system has been booted into a secondary Windows-installation (e.g.
D:\WINNT instead of C:\WINNT)?

1b. Do you need to prevent the user from tampering with the file
as the system has been booted into fail-safe mode?

A few possible solutions, depending on your requirements

2a. Would it be sufficient to put regular ACL:s on the files to prevent
unauthorized access?

2b. Do you need an external, hardware-based TPM (Trusted Platform Module) /
CSP (Cryptographic Service Provider) to
prevent information disclosure?

2c. … or would it be sufficient just to put a “InfoTip”-string under
HKEY_CLASSES_ROOT\your_file_extension_tag, (for instance, txtfile).
This might prevent explorer.exe from opening the file as the pointer hoovers
over the file.

>>I do not think this is a proper solution even if it work for you this
>>time.
>>Later on you may encounter some Apps/scenario which fires same IRPs with
>>similar
>>access, than you’ll fail them too.

Yes I know that is not the best solution but it works, when it is only one
app that it is applied to I think it could work.

/Mattias

OSR_Community_User · February 25, 2009, 5:02am

Hello Andreas Nilsson,

Thanks for your reply.

>1a. Do you need to prevent the user from tampering with the file
>as the system has been booted into a secondary Windows-installation (e.g.
>D:\WINNT instead of C:\WINNT)?

If they have two installations of windows they must install my driver on both of them.

>1b. Do you need to prevent the user from tampering with the file
>as the system has been booted into fail-safe mode?

If not the user app I filter on are started I do not need to start my driver either and the user app is not started in the safe mode.

>2a. Would it be sufficient to put regular ACL:s on the files to prevent
>unauthorized access?

I think that are affecting all files everywhere on the computer, my driver shall only affect one user app.

>2b. Do you need an external, hardware-based TPM (Trusted Platform Module) /
>CSP (Cryptographic Service Provider) to
>prevent information disclosure?

If I do not understand this I probably do not needing it

>2c. … or would it be sufficient just to put a “InfoTip”-string under
>HKEY_CLASSES_ROOT\your_file_extension_tag, (for instance, txtfile).
>This might prevent explorer.exe from opening the file as the pointer hoovers
>over the file.

Interesting, but that is affecting the whole computer to I think.

Thanks
Mattias Bergkvist