Re: Minifilter not intercepting IRP_MJ_WRITE, when a file is copied

Hi,

The condition you mentioned “if ( NULL == FileObject->SectionObjectPointer
|| NULL == FileObject->SectionObjectPointer->DataSection )” works fine for
intercepting IRP_MJ_WRITE.
But it is is not working properly for intercepting IRP_MJ_READ.
When a .jpg file is read by a photoviewer.dll , some IRP_MJ_READ s are
missed by the mini filter.
Please let me know a method to identify whether a IRP_MJ_READ is going to
disk or cache, for a network volume.

Thanks,
S Ramakrishnan

On Sun, Nov 20, 2016 at 11:46 AM, wrote:

>


>
> Notepad uses a memory mapped file, this is analogues to file being cached.
> When Memory Manager flushes dirty pages the filter receives paging IO.
>
>


>
> The correct implementation requires an isolation filter like OSR Data
> Modification Kit.
> In your case you can try to intercept a cached IO for network FS and
> process it as non cached(i.e. encrypt/decrypt) if ( NULL == FileObject->SectionObjectPointer
> || NULL == FileObject->SectionObjectPointer->DataSection ).
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

I do not remember the exact conditions this particular advice was given and I am reading the list through the online version that jettisons the history.

You can only be sure that paging IO will not end up in the cache. All other cases are implementation dependent. With a good probability non-paging read is processed through the cache.

You can find a heuristic for a particular network FSD for some IO cases.

I already tried this.
But non paging read is going to disk in case of word document and excel.

On Thu, Jul 13, 2017 at 8:25 PM, xxxxx@hotmail.com
wrote:

>


>
> I do not remember the exact conditions this particular advice was given
> and I am reading the list through the online version that jettisons the
> history.
>
> You can only be sure that paging IO will not end up in the cache. All
> other cases are implementation dependent. With a good probability
> non-paging read is processed through the cache.
>
> You can find a heuristic for a particular network FSD for some IO cases.
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>