Hi,
Each time File System Filter Driver intercepts the I/O
requests, it needs to make a call to underlying file system driver to
get some information about the file from it. My doubt is, if the
filter driver creates a new IRP- Does the new IRP get intercepted by
the same filter dirver? or directly does it send to the File System
Driver?
( Hope it will directly sends to the file system itself , but need
detail explanation )
Which is the best way to get a file information (full path
name,thread-id,process-id,…) from the file system driver other than
Building own IRP?
Thanks & Regards
SivaRaja
> My doubt is, if the
filter driver creates a new IRP- Does the new IRP get intercepted by
the same filter dirver? or directly does it send to the File System
Driver?
This depends of the filter driver itself - if the filter
sends the request to the underlying device or to the
filter device itself.
You should always send the requests to the lower device only,
this will prevent many recursion issues.
L.
Hi SivaRaja
If you use the Zw calls … eg ZwCreateFile, ZwQueryInformationFile, ZwClose
… then the IRP/FastIo which these calls generate will indeed start at the
top of the file system device stack and hence recurse through your filter
and filters above you. This is of course an issue not least of all becuase
of limited kernel thread stacks. You should start with a search of the NTFSD
archive and OSR Online site for IoCreateFileSpecifyDeviceObjectHint for some
information about how to avoid this recursion.
If you want to know how to get the full path name I suggest you look at
FileSpy in the IFS KIT. If you dont have the IFS KIT then I advise you to
stop right now, buy the IFS KIT, at least study the file systems specific
documentation and the sample filters, before you attempt to continue filter
driver development. I suggest that you should also at this point in time be
giving serious thought to writing a mini-filter which uses the Filter
Manager as opposed to a legacy filter driver.
Good luck
Lyndon
“raja raja” wrote in message news:xxxxx@ntfsd…
> Hi,
>
> Each time File System Filter Driver intercepts the I/O
> requests, it needs to make a call to underlying file system driver to
> get some information about the file from it. My doubt is, if the
> filter driver creates a new IRP- Does the new IRP get intercepted by
> the same filter dirver? or directly does it send to the File System
> Driver?
>
> ( Hope it will directly sends to the file system itself , but need
> detail explanation )
>
> Which is the best way to get a file information (full path
> name,thread-id,process-id,…) from the file system driver other than
> Building own IRP?
>
>
> Thanks & Regards
> SivaRaja
>