reading files on network device

In a minifilter, I’d like to do the following - for files on the network (MUP device) if a file is ever modified, read the final file data and calculate some digest.
Initially I’ve tried to use the same file object for reading, but found that
it will not let me read if no read access was requested by the caller.
Attempts to duplicate the file handle, etc. also didn’t work.
Am I right in concluding that this only can be done reliably by using a shadow file object model?

> it will not let me read if no read access was requested by the caller.

Right - the access to the file will be arbitrated on the remote system.
Think about it - that’s in a different domain and if anything allowed access
to data on a random handle that would be a security hole a mile wide.

> Am I right in concluding that this only can be done reliably by using a
> shadow file object model?

Not really. I wouldn’t do that.

Why not just open the file for read, do the digest thing and then close that
handle? For extra points capture the security context during create and
use that (since you may be somewhere entirely different by that time,
although it’s unlikely).

R

I should also add that you should expect this to fail from time to time and
to adversely impact other applications - sharing is also arbitrated on the
remote machine so other applications which specify noreadshare will fail -
also you may not have read access to the file (it is quite acceptable to
have write only files, think of student submissions).

> Why not just open the file for read, do the digest thing and then close that
> handle

I’m just afraid to be too intrusive, since that could break for example the next caller wishing to open the file with no sharing.

> I should also add that you should expect this to fail from time to time and
> to adversely impact other applications

Yes, that’s exactly what I’d hate to happen.

> also you may not have read access to the file

I guess if the caller has only write access, I can safely skip this file.

> I guess if the caller has only write access, I can safely skip this file.

Another option is to “just add” read access. Write only is rare.

> I guess if the caller has only write access, I can safely skip this file.

Sorry, start again. You might want to just add read access if it isn’t set.
It’s rare to see write/noread and rarer still to see WriteShare/NoReadShare.
You might want to fall back to write alone if you get access denied back.

R

I was thinking about that, but thought it could fail if the caller doesn’t
have read access.
However, in that case there is no way to read the file anyway,
so I agree this is probably the optimal solution.
Thanks for your help!
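
The fallback suggested in the thread (add read access to a write-only create, then drop back to the caller's original request if the server refuses), as an added example that is not code from any poster: a user-mode C model of the decision, not minifilter code. The `remote_file` server stand-in, `filtered_create`, and the extra fallback on `STATUS_SHARING_VIOLATION` are assumptions of the example; the flag and status values are the real Windows ones.

```c
#include <stdint.h>
#include <stdio.h>
/* Real Windows constant values, redefined so this builds without the WDK. */
enum { FILE_READ_DATA = 0x1, FILE_WRITE_DATA = 0x2 };     /* desired access */
enum { FILE_SHARE_READ = 0x1, FILE_SHARE_WRITE = 0x2 };   /* share access */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_ACCESS_DENIED     0xC0000022u
#define STATUS_SHARING_VIOLATION 0xC0000043u

/* Constructed stand-in for the remote server, which arbitrates access and sharing. */
typedef struct {
    uint32_t acl_allows;   /* access the server-side ACL grants this caller */
    int      has_opener;   /* another application already has the file open */
    uint32_t open_access;  /* access held by that opener */
    uint32_t open_share;   /* sharing that opener permitted */
} remote_file;

static int conflicts(uint32_t access, uint32_t share) {
    return ((access & FILE_READ_DATA)  && !(share & FILE_SHARE_READ)) ||
           ((access & FILE_WRITE_DATA) && !(share & FILE_SHARE_WRITE));
}

static uint32_t server_create(const remote_file *f, uint32_t access, uint32_t share) {
    if (access & ~f->acl_allows) return STATUS_ACCESS_DENIED;
    if (f->has_opener && (conflicts(access, f->open_share) || conflicts(f->open_access, share)))
        return STATUS_SHARING_VIOLATION;
    return STATUS_SUCCESS;
}

typedef struct { uint32_t status, granted; int can_digest; } create_result;
/* Filter-side decision: add read to a write-only create, fall back if refused. */
create_result filtered_create(const remote_file *f, uint32_t access, uint32_t share) {
    create_result r = { STATUS_SUCCESS, access, 0 };
    if ((access & FILE_WRITE_DATA) && !(access & FILE_READ_DATA)) {
        r.status = server_create(f, access | FILE_READ_DATA, share);
        if (r.status == STATUS_SUCCESS) { r.granted |= FILE_READ_DATA; r.can_digest = 1; return r; }
        /* ACCESS_DENIED fallback is from the thread; SHARING_VIOLATION is an added assumption. */
        if (r.status != STATUS_ACCESS_DENIED && r.status != STATUS_SHARING_VIOLATION) return r;
    }
    r.status = server_create(f, access, share);   /* the caller's original request */
    r.can_digest = r.status == STATUS_SUCCESS && (access & FILE_READ_DATA) != 0;
    return r;
}

int main(void) {
    remote_file submissions = { FILE_WRITE_DATA, 0, 0, 0 };  /* constructed: write-only ACL */
    create_result r = filtered_create(&submissions, FILE_WRITE_DATA, FILE_SHARE_READ);
    printf("status=0x%08X granted=0x%X can_digest=%d\n", (unsigned)r.status, (unsigned)r.granted, r.can_digest);
    return 0;
}
```

When `can_digest` comes back 0 the caller's open still succeeds with exactly the access it asked for, and the file is skipped for digesting.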