Which FS driver triggered some IRP

Hi All,

Is it possible to find out which filter (mini, legacy) driver has triggered some IRP in some other mini-filter driver (in my own mini-filter driver)? Who initially triggered? This stuff I need to identify when anti virus triggers IRP_MJ_CREATE…

Best Regards, Mitja

The usual way to do this is to create the second “mirror” device object
from the antivirus driver, and send antivirus creates to this device object.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…
> Hi All,
>
> is it possible to find out which filter(mini, legacy) driver has triggered
> some IRP in some other mini-filter driver(in my own mini-filter driver)? Who
> initially triggered? This stuff I need to identify when anti virus triggers
> IRP_MJ_CREATE…
>
> Best Regards, Mitja
>

Maxim, I would like to identify AV driver triggered IRP in my driver only, I do not have any access to AV driver…

If you are trying to find your way around a specific antivirus product in
this way, then this must surely be a bad idea.

But you can find out if A minifilter initiated the operation by checking
for the FLTFL_CALLBACK_DATA_GENERATED_IO flag.

Your minifilter callbacks receive a FLT_RELATED_OBJECTS which contains an
instance related to the operation. Hopefully if a minifilter instance
initiates an operation, the instance parameter of that structure will be set
to that (documentation leaves everything to be desired). With
FltGetFilterFromInstance you can receive the filter that created the
instance. You can use FltGetFilterInformation to get information about the
filter. You can find out about instances above you using
FltGetUpperInstance/FltGetTopInstance. That’s as far as minifilters are
concerned.

For legacy filters you have to find another route if there is any. With
FltEnumerateFilterInformation you can find all filters (including legacy
fsf) in the system.

//Daniel

wrote in message news:xxxxx@ntfsd…
> Hi All,
>
> is it possible to find out which filter(mini, legacy) driver has triggered
> some IRP in some other mini-filter driver(in my own mini-filter driver)?
> Who initially triggered? This stuff I need to identify when anti virus
> triggers IRP_MJ_CREATE…
>
> Best Regards, Mitja
>
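As an added example (not from the thread or from any poster): the user-mode counterpart of the FltEnumerateFilterInformation inventory mentioned above is `fltmc filters`. The Python below parses a constructed sample of that output and lists the filters at a higher altitude than a hypothetical `MyFilter`, marking legacy filters and those in the FSFilter Anti-Virus altitude range (320000-329998); the column layout of the sample and every filter name in it are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample in the layout `fltmc filters` prints (assumed columns:
# name, instance count, altitude, frame). All filter names are made up.
SAMPLE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleBackup                           3       385100         0
ExampleAv                               5       328010         0
ExampleLegacyAv                                 325000       <Legacy>
MyFilter                                4       265000         0
ExampleQuota                            2       125000.5       0
"""

# Altitude range of the "FSFilter Anti-Virus" load order group.
AV_RANGE = (Decimal(320000), Decimal(329998))


def parse_filters(text):
    """Return one dict per filter row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3:
            continue
        try:
            altitude = Decimal(tok[-2])      # altitudes may be fractional
        except InvalidOperation:
            continue                         # header or "-----" rule line
        rows.append({
            "name": tok[0],
            "altitude": altitude,
            "legacy": tok[-1] == "<Legacy>",  # legacy rows carry no instance count
            "instances": int(tok[1]) if len(tok) == 4 else None,
        })
    return rows


def candidates_above(rows, own_name):
    """Filters at a higher altitude than own_name, highest first."""
    own = next(r for r in rows if r["name"] == own_name)
    above = sorted((r for r in rows if r["altitude"] > own["altitude"]),
                   key=lambda r: r["altitude"], reverse=True)
    return [(r["name"], "legacy" if r["legacy"] else "minifilter",
             AV_RANGE[0] <= r["altitude"] <= AV_RANGE[1]) for r in above]


if __name__ == "__main__":
    for name, kind, in_av in candidates_above(parse_filters(SAMPLE), "MyFilter"):
        print(f"{name:18} {kind:10} anti-virus altitude: {in_av}")
```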

I believe that the Instance member of FLT_RELATED_OBJECTS is a pointer
to the instance of your minifilter. For example, the documentation for
FltGetContexts takes a PFLT_RELATED_OBJECTS and returns the contexts
that a filter has for the operation.

I may be wrong on this point though.

~Eric

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@resplendence.com
Sent: Monday, June 09, 2008 12:00 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Which FS driver triggered some IRP

If you are trying to find your way around a specific antivirus product
in this way, then this must surely be a bad idea.

But you can find out if A minifilter initiated the operation by
checking for the FLTFL_CALLBACK_DATA_GENERATED_IO flag.

Your minifilter callbacks receive a FLT_RELATED_OBJECTS which contains
an instance related to the operation. Hopefully if a minifilter instance
initiates an operation, the instance parameter of that structure will be
set to that (documentation leaves everything to be desired). With
FltGetFilterFromInstance you can receive the filter that created the
instance. You can use FltGetFilterInformation to get information about
the filter. You can find out about instances above you using
FltGetUpperInstance/FltGetTopInstance. That’s as far as minifilters are
concerned.

For legacy filters you have to find another route if there is any. With
FltEnumerateFilterInformation you can find all filters (including legacy
fsf) in the system.

//Daniel

wrote in message news:xxxxx@ntfsd…
> Hi All,
>
> is it possible to find out which filter(mini, legacy) driver has
> triggered some IRP in some other mini-filter driver(in my own
> mini-filter driver)?
> Who initially triggered? This stuff I need to identify when anti virus
> triggers IRP_MJ_CREATE…
>
> Best Regards, Mitja
>


NTFSD is sponsored by OSR

For our schedule debugging and file system seminars (including our new
fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@edsiohio.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

Hi Mitja!

Do you really want to put that in your code?
If you JUST want to IDENTIFY the driver, then how about using WinDbg and looking at the call stack? You can easily come to know the driver name from that.

Regards,
Ayush Gupta

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hermes-softlab.com
Sent: Monday, June 09, 2008 12:33 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Which FS driver triggered some IRP

Hi All,

Is it possible to find out which filter (mini, legacy) driver has triggered some IRP in some other mini-filter driver (in my own mini-filter driver)? Who initially triggered? This stuff I need to identify when anti virus triggers IRP_MJ_CREATE…

Best Regards, Mitja



You are right, the FLT_RELATED_OBJECTS structure points to your minifilter instance.

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Eric Diven
Sent: Monday, June 09, 2008 10:22 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Which FS driver triggered some IRP

I believe that the Instance member of FLT_RELATED_OBJECTS is a pointer
to the instance of your minifilter. For example, the documentation for
FltGetContexts takes a PFLT_RELATED_OBJECTS and returns the contexts
that a filter has for the operation.

I may be wrong on this point though.

~Eric
