Re[2]: Minifilter attach to locked volume? (Part 2)

That is correct. Once you register with FM, your InitInstance callback
will be invoked for all currently mounted volumes as well as any new
volumes introduced into the system.

Pete

Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Frank Rizzo”
To: “Windows File Systems Devs Interest List”
Sent: 2/19/2017 4:18:55 PM
Subject: Re: [ntfsd] Minifilter attach to locked volume? (Part 2)

>The more I read, the more questions I have.
>
>The minispy app has NULL for the InstanceSetupCallback inside the
>FLT_REGISTRATION struct that it uses. MSDN says:
>
>“The filter manager calls this routine to allow the minifilter driver
>to respond to an automatic or manual attachment request. If this
>routine returns an error or warning NTSTATUS code, the minifilter
>driver instance is not attached to the given volume. Otherwise, the
>minifilter driver instance is attached to the given volume.”
>
>If I am reading that correctly, there should be NO NEED for the
>userspace app to tell the driver to attach to a volume mounted after
>the minispy driver is registered with FltMgr. Is this correct?
>
>-Frank
>
>------ Original Message ------
>From: “Frank Rizzo”
>To: “Windows File Systems Devs Interest List”
>Sent: 2/16/2017 9:39:38 PM
>Subject: [ntfsd] Minifilter attach to locked volume? (Part 2)
>
>>Hey guys, sorry for going off half-cocked before. Here’s more info.
>>
>>I modified the user space minispy app to allow me to kick off a
>>monitoring thread. The thread is fairly standard, but contains this
>>chunk of code that watches for the volume to get mounted, and then
>>tries to mount it in a loop until it succeeds. (Yes, I know this is
>>terrible, and should never be done in production, but this is a
>>learning exercise.)
>>
>>do {
>>
>>    assert((FIELD_OFFSET(FILTER_VOLUME_BASIC_INFORMATION, FilterVolumeName) +
>>            volumeBuffer->FilterVolumeNameLength) <= (sizeof(buffer) - sizeof(WCHAR)));
>>    _Analysis_assume_((FIELD_OFFSET(FILTER_VOLUME_BASIC_INFORMATION, FilterVolumeName) +
>>            volumeBuffer->FilterVolumeNameLength) <= (sizeof(buffer) - sizeof(WCHAR)));
>>
>>    // Null-terminate the volume name returned by FilterVolumeFindFirst/Next
>>    volumeBuffer->FilterVolumeName[volumeBuffer->FilterVolumeNameLength / sizeof(WCHAR)] = UNICODE_NULL;
>>
>>    instanceCount = IsAttachedToVolume(volumeBuffer->FilterVolumeName);
>>
>>    // If this is the right one baby, (un huh)
>>    if (0 == _wcsnicmp(volumeBuffer->FilterVolumeName, L"\\Device\\<1st 5 of device name goes here>", 13))
>>    {
>>        printf("Found it! [%ws]\n", volumeBuffer->FilterVolumeName);
>>
>>        // Retry FilterAttach until it succeeds (learning exercise only, see above)
>>        do
>>        {
>>            hResult = FilterAttach(MINISPY_NAME,
>>                                   volumeBuffer->FilterVolumeName,
>>                                   NULL,   // instance name
>>                                   0,
>>                                   0);
>>
>>            if (SUCCEEDED(hResult))
>>            {
>>                printf("Attached!\n");
>>            }
>>            else
>>            {
>>                printf("\n Could not attach to device: 0x%08x\n", hResult);
>>                DisplayError(hResult);
>>                Sleep(100);
>>            }
>>        }
>>        while (!SUCCEEDED(hResult));
>>
>>        done = TRUE;
>>        break;
>>    }
>>} while (SUCCEEDED(hResult = FilterVolumeFindNext(volumeIterator,
>>                                                  FilterVolumeBasicInformation,
>>                                                  volumeBuffer,
>>                                                  sizeof(buffer) - sizeof(WCHAR), // save space to null terminate name
>>                                                  &volumeBytesReturned)));
>>
>>
>>When I pipe the output to a file, I get this:
>>Connecting to filter’s port…
>>Creating logging thread…
>>
>>Dos Name        Volume Name                           Status
>>--------------  ------------------------------------  --------
>>                \Device\Mup
>>C:              \Device\HarddiskVolume2
>>                \Device\HarddiskVolume1
>>                \Device\HarddiskVolumeShadowCopy3
>>
>>Hit [Enter] to begin command mode…
>>
>> > Log to file logging.txt
>> >Thread started!
>> >Found it! [\Device<devicename goes here>]
>>
>> Could not attach to device: 0x80070003
>> The system cannot find the path specified.
>>
>>
>>(Repeats 138 times)
>>
>> Could not attach to device: 0x80070005
>> Access is denied.
>>
>>
>>(Repeats 167 times)
>>
>>(I shut down the app here)
>>Could not attach to device: 0x80070003 The system cannot find the path
>>specified. (Repeats 46 times before I can stop minispy.)
>>
>>And lastly, this is what I get from the minispy log file:
>>Opr SeqNum PreOp Time PostOp Time Process.Thrd Major Operation Minor Operation IrpFlags DevObj FileObj Transactn status:inform Arg 1 Arg 2 Arg 3 Arg 4 Arg 5 Arg 6 Name
>>FIO 0x000002D4 13:22:09:230 13:22:10:275 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F0E060 0x0000000000000000 0x0000000000000000 0xc0000013:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>FIO 0x000002D5 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8006818250 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>FIO 0x000002D6 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>FIO 0x000002D7 13:22:19:744 13:22:19:744 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800401E300 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>FIO 0x000002D8 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003FEC630 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>FIO 0x000002D9 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA80041A1060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>FIO 0x000002DA 13:22:19:775 13:22:19:838 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>FIO 0x000002DB 13:22:22:209 13:22:22:209 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800497F340 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000 0x0000000000000003 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>FIO 0x000002DC 13:22:22:209 13:22:22:240 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F4E060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000003 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000 >>NAME>
>>
>>So, my question is: how do I get around the "Access is denied"
>>response on the FilterAttach call? (Yes, everything is run as admin).
>>-Frank
>>
>>------ Original Message ------
>>From: “Gabriel Bercea”
>>To: “Windows File Systems Devs Interest List”
>>Sent: 2/6/2017 12:55:01 AM
>>Subject: Re: [ntfsd] Minifilter attach to locked volume?
>>
>>>"You are not able to attach to it" is not enough information.
>>>What is the error you are getting?
>>>Are you not notified for instance setup?
>>>You have to give us a little more to go on.
>>>
>>>Gabriel.
>>>www.kasardia.com
>>>
>>>On Mon, Feb 6, 2017 at 7:57 AM, wrote:
>>>>Hey guys, I’m tinkering with the minispy sample app from MS.
>>>>
>>>>If I have a locked volume, I am unable to attach to it. But,
>>>>running Procmon, or filespy, I can see AVG & MS Security Essentials
>>>>attaching to it, and checking files on it.
>>>>
>>>>What gives? What am I missing?
>>>>
>>>>-Frank
>>>>
>>>>—
>>>>NTFSD is sponsored by OSR
>>>>
>>>>
>>>>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>>>software drivers!
>>>>Details at http:
>>>>
>>>>To unsubscribe, visit the List Server section of OSR Online at
>>>>http:
>>>
>>>
>>>
>>>–
>>>Bercea. G.
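The minispy log Frank pasted earlier in the thread records, for each IRP_MJ_VOLUME_MOUNT, the NTSTATUS the mount completed with, and until a mount completes successfully there is no mounted file system on that device for FilterAttach to attach to. The following is an added example, not code from the thread or from the minispy sample: it parses records in the posted column layout, decodes the three failure codes that occur in that log, and tallies successful versus failed mounts. The sample records are copied from the post with the all-zero Arg 2..6 columns dropped; the type and function names are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Columns of a minispy record used here (order from the log header in the post); names are this example's own:
   Opr SeqNum PreOp PostOp Proc.Thrd Major Minor IrpFlags DevObj FileObj Transactn status:inform ... */
typedef struct { unsigned long seq; char major[32]; uint64_t devobj; uint32_t status; } Record;
typedef struct { int mounts, succeeded, failed; } MountSummary;
static int nt_success(uint32_t s) { return (int32_t)s >= 0; }   /* NT_SUCCESS(): bit 31 clear */
static const char *status_name(uint32_t s) {   /* the NTSTATUS values that occur in the posted log */
    switch (s) {
    case 0x00000000: return "STATUS_SUCCESS";
    case 0xC0000013: return "STATUS_NO_MEDIA_IN_DEVICE";
    case 0xC000014F: return "STATUS_UNRECOGNIZED_VOLUME";
    case 0xC0000185: return "STATUS_IO_DEVICE_ERROR";
    default:         return "(other)";
    }
}
/* Parse one whitespace-separated record. The hex conversions accept the 0x prefix and "%x" stops at ':'. */
static int parse_record(const char *line, Record *r) {
    char opr[8]; unsigned long long dev; unsigned st;
    if (sscanf(line, "%7s %lx %*s %*s %*s %31s %*s %*s %llx %*s %*s %x",
               opr, &r->seq, r->major, &dev, &st) != 5 || strcmp(opr, "FIO") != 0) return 0;
    r->devobj = dev; r->status = st; return 1;
}
/* Walk a log buffer line by line and tally the completion status of every IRP_MJ_VOLUME_MOUNT. */
static MountSummary summarize_mounts(const char *log) {
    MountSummary s = {0, 0, 0}; Record r; char line[512];
    while (*log) {
        size_t full = strcspn(log, "\n"), len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, log, len); line[len] = '\0';
        log += full; if (*log == '\n') log++;
        if (!parse_record(line, &r) || strcmp(r.major, "IRP_MJ_VOLUME_MOUNT") != 0) continue;
        s.mounts++; if (nt_success(r.status)) s.succeeded++; else s.failed++;
        printf("seq 0x%lX DevObj 0x%llX -> %s\n", r.seq, (unsigned long long)r.devobj, status_name(r.status));
    }
    return s;
}
/* Constructed sample: the nine mount records from the post, with the all-zero Arg 2..6 columns omitted. */
static const char SAMPLE_LOG[] =
    "FIO 0x000002D4 13:22:09:230 13:22:10:275 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F0E060 0x0000000000000000 0x0000000000000000 0xc0000013:0x0000000000000000 0x0000000000000008\n"
    "FIO 0x000002D5 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8006818250 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000 0x0000000000000008\n"
    "FIO 0x000002D6 13:22:10:337 13:22:10:337 588.604 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008\n"
    "FIO 0x000002D7 13:22:19:744 13:22:19:744 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800401E300 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000 0x0000000000000008\n"
    "FIO 0x000002D8 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003FEC630 0x0000000000000000 0x0000000000000000 0xc000014f:0x0000000000000000 0x0000000000000008\n"
    "FIO 0x000002D9 13:22:19:760 13:22:19:760 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA80041A1060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008\n"
    "FIO 0x000002DA 13:22:19:775 13:22:19:838 990.f44 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800494BDE0 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000008\n"
    "FIO 0x000002DB 13:22:22:209 13:22:22:209 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA800497F340 0x0000000000000000 0x0000000000000000 0xc0000185:0x0000000000000000 0x0000000000000003\n"
    "FIO 0x000002DC 13:22:22:209 13:22:22:240 990.6e0 IRP_MJ_VOLUME_MOUNT 0x00000000 ---- 0xFFFFFA8003F4E060 0x0000000000000000 0x0000000000000000 0x00000000:0x0000000000000000 0x0000000000000003\n";
int main(void) { MountSummary s = summarize_mounts(SAMPLE_LOG); printf("%d mounts: %d succeeded, %d failed\n", s.mounts, s.succeeded, s.failed); return 0; }
```

On the posted log this reports 9 mounts, 4 succeeded and 5 failed; the failures are the no-media, unrecognized-volume and device-error completions, which is why those mount attempts never produced an attachable volume.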