I want to know which IRP is called when a file is deleted? I developed a file system filter to do the same on the c:\ drive. After having a look at a previous post I marked files by:
1) for IRP_MJ_CREATE with IrpSp->Parameters.Create.Options == FILE_DELETE_ON_CLOSE, but nothing showed up.
2) for IRP_MJ_SET_INFORMATION with IrpStack->Parameters.SetFile.FileInformationClass == FileDispositionInformation, but still nothing showed up.
3) for IRP_MJ_CLEANUP and IRP_MJ_CLOSE everything showed up, even those that were not deleted, i.e. the file handle was closed.
Going through the documentation I also did not find any IRP associated with ZwDeleteFile. So how do I know through IRPs or any other mechanism in filter drivers that a file has been deleted?
PsSetLoadImageNotifyRoutine shows only images loaded into memory. What about the reverse? Is there any IRP to track when an image is unloaded from the system?
I am not sure I understand your post correctly: are you saying you created a context out of points 1…3, or did you use them as separate delete tracking cases?
IIRC (and it has been a while since I have worked with FSFs), when FILE_FLAG_DELETE_ON_CLOSE is used in create, the delete ‘intention’ is recorded in the cache control block. When IRP_MJ_CLEANUP arrives for the file object, the flag is promoted from CCB -> FCB.
FileDispositionInformation only toggles the delete pending state of the FCB. So the pending deletion state cannot be touched in the CCB.
Also, ZwDeleteFile will wait for all handles to be closed on this file before it deletes it. So basically it will mark the file for DeletePending.
hope this helps
amitr0
As well as other comments made, if you are deleting a file through Explorer it is not getting deleted, it is getting renamed to the trash folder. Avoid this by deleting files from the cmd line and you will see the SetDisposition being sent on the file; if not, there is a bug in your code. Per Martin’s comment, run FileSpy to see these requests.
For the image ‘unload’, no, there is no callback. But you do know when the process ended by registering a process create callback, which also notifies you when a process is ending.
Pete
On 3/5/2011 1:26 PM, Martin O’Brien wrote:
You might want to try IrpTracker.
Good luck,
mm
– Kernel Drivers, Windows File System and Device Driver Consulting, www.KernelDrivers.com, 866.263.9295
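To make the two replies above concrete, here is an added user-mode C model (not code from the thread or from any real filter) of the delete-tracking logic amitr0 and Pete describe: delete-on-close intent recorded per open and promoted to the FCB at cleanup, FileDispositionInformation toggling the pending state, and an Explorer "delete" surfacing as a rename into the recycle folder. The `IrpModel`/`OpenState` structs and the recycle-folder names are constructed stand-ins for the WDK fields named in the thread, not the real definitions; the numeric IRP_MJ_* and FILE_INFORMATION_CLASS constants are the documented values.

```c
/* Constructed model of the IRP fields the thread refers to; not the WDK structs. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define IRP_MJ_CREATE               0x00
#define IRP_MJ_SET_INFORMATION      0x06
#define IRP_MJ_CLEANUP              0x12
#define FILE_DELETE_ON_CLOSE        0x00001000UL /* create option, lives in the low 24 bits */
#define FileRenameInformation       10
#define FileDispositionInformation  13

typedef enum { EV_NONE, EV_DELETE_ON_CLOSE, EV_DISPOSITION_SET,
               EV_RECYCLE_RENAME, EV_DELETED_AT_CLEANUP } DeleteEvent;

typedef struct {
    unsigned char MajorFunction;
    unsigned long CreateOptions;        /* IrpSp->Parameters.Create.Options (disposition in bits 24-31) */
    int           FileInformationClass; /* IrpSp->Parameters.SetFile.FileInformationClass */
    bool          DeleteFile;           /* FILE_DISPOSITION_INFORMATION.DeleteFile */
    const char   *NewName;              /* rename target when class is FileRenameInformation */
} IrpModel;

/* delete_on_close models the per-open (CCB) intent, delete_pending the FCB state. */
typedef struct { bool delete_on_close; bool delete_pending; } OpenState;

DeleteEvent classify(const IrpModel *irp, OpenState *st)
{
    switch (irp->MajorFunction) {
    case IRP_MJ_CREATE:
        /* Test the bit with '&': Options also carries CreateDisposition, so
           comparing the whole field == FILE_DELETE_ON_CLOSE would never match. */
        if (irp->CreateOptions & FILE_DELETE_ON_CLOSE) { st->delete_on_close = true; return EV_DELETE_ON_CLOSE; }
        return EV_NONE;
    case IRP_MJ_SET_INFORMATION:
        if (irp->FileInformationClass == FileDispositionInformation) {
            st->delete_pending = irp->DeleteFile;          /* DeleteFile=FALSE clears it again */
            return irp->DeleteFile ? EV_DISPOSITION_SET : EV_NONE;
        }
        /* Assumed recycle-folder names; Explorer's delete is a rename, not a delete. */
        if (irp->FileInformationClass == FileRenameInformation && irp->NewName != NULL &&
            (strstr(irp->NewName, "\\$Recycle.Bin\\") || strstr(irp->NewName, "\\RECYCLER\\")))
            return EV_RECYCLE_RENAME;
        return EV_NONE;
    case IRP_MJ_CLEANUP:
        /* Delete-on-close intent is promoted CCB -> FCB at cleanup, as amitr0 describes. */
        if (st->delete_on_close) st->delete_pending = true;
        return st->delete_pending ? EV_DELETED_AT_CLEANUP : EV_NONE;
    default:
        return EV_NONE;
    }
}
```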
I am deleting a file from a kernel driver using ZwDelete() and it is getting deleted directly, not moved to the recycle bin.
How do I see the SetDisposition sent to the file? I am unable to run FileSpy. There is no manual either.
It is not always necessary that a process exits and unloads all its images. For example, a kernel driver may not unload but its loading process may.
What do you mean when you say that you can’t run FileSpy? What happens?
mm
Which OS are you running it on? Hope UAC is not stopping you…
On Mon, Mar 7, 2011 at 5:07 PM, wrote:
> Only the FileSpy GUI opens. Nothing else happens. Just a blank screen. How to start it?
Are you running on x64? If so, did you ‘Run As Administrator?’
I am running it on Windows XP 32-bit as administrator only, but still the same blank screen. However, the file Fspys.sys is already loaded.
Is there anything I need to configure before starting it?
Are you saying that the UI is starting, but there’s nothing being logged?
If so, that’s normal. You have to tell it to monitor something. Try
looking under the ‘Volumes’ menu.
You’re going to have to experiment with this tool.
Good luck,
mm
I noticed one thing: whenever I delete a file from the Windows GUI using Shift+Delete I find an entry with FileDisposition under IRP_MJ_SET_INFORMATION, but if I delete using ZwDeleteFile() I do not find any such entry in FileSpy. Can anybody explain why this is so?
Is there no IRP through which I can track this type of file deletion?