OSR Online Lists > ntdev
02 Feb 18 01:37
Kunal
URL files deleted from IE Favorites folder when folder redirection is enabled.

Hi,

My customer has a setup where he uses folder redirection for IE Favorites by Group Policy for their Active Directory. This means that for all the users in Active Directory, the "favorites" folder is redirected to a file-server. The customer has installed my filter driver on the file-server. The filter driver intercepts all the file access requests and sends the file for scanning on a remote machine. Based on the scan results the file is allowed access or deleted.

When the customer tries to save a URL from IE 11, the URL file automatically gets deleted from the file-server. But if he disables my filter driver and tries to save the URL, it is not deleted. Also this is not seen (i.e. file not deleted) for URLs with favicon. Also the file is not deleted if it is a txt file (i.e. only .url files are deleted from this folder).

From procmon data, I cannot see my driver deleting the files. I could see srv2.sys and iexplorer deleting the url files.

Who is actually deleting the files here?
And why is the file not deleted without my driver?
Why does this occur only with .URL files and not with other file types?

Observations:
=============
I ran procmon on the file-server and the user machine.

From file-server procmon logs it looks like the Microsoft SMB driver is marking the file for delete (procmon results filtered by "Detail = Delete: True"):

----------------START-----------------------------------------
Process Name  Operation  Path  Result  Detail
System  SetDispositionInformationFile  C:\homes\nara1\Favorites\Nara 2.url  SUCCESS  Delete: True

0 fltmgr.sys FltpPerformPreCallbacks + 0x31a
1 fltmgr.sys FltpPassThroughInternal + 0x8c
2 fltmgr.sys FltpPassThrough + 0x2b5
3 fltmgr.sys FltpDispatch + 0x9e
4 ntoskrnl.exe NtSetInformationFile + 0x7fa
5 srv2.sys Smb2ExecuteSetInfoReal + 0xcd
6 srv2.sys SrvProcpWorkerThreadProcessWorkItems + 0x18b
7 srv2.sys SrvProcWorkerThreadCommon + 0xc2
8 ntoskrnl.exe ExpWorkerThread + 0x2b5
9 ntoskrnl.exe PspSystemThreadStartup + 0x58
10 ntoskrnl.exe KxStartSystemThread + 0x16
----------------END-------------------------------------------

Procmon from user-machine indicates that IE is marking the file for delete (procmon results filtered by "Detail = Delete: True"):

----------------START-----------------------------------------
Process Name  Operation  Path  Result  Detail
iexplore.exe  SetDispositionInformationFile  C:\Windows\CSC\v2.0.6\namespace\WIN-2012-CLIENT\homes\nara1\Favorites\Nara 6.url  SUCCESS  Delete: True
iexplore.exe  SetDispositionInformationFile  \\win-2012-client\homes\nara1\Favorites\Nara 6.url  SUCCESS  Delete: True
iexplore.exe  SetDispositionInformationFile  C:\Windows\CSC\v2.0.6\namespace\WIN-2012-CLIENT\homes\nara1\Favorites\Nara 6.url  SUCCESS  Delete: True

1st entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntoskrnl.exe KiServiceLinkage
csc.sys CscSrvOpenCloseStoreState + 0x511
csc.sys CscSrvOpenCloseStoreState + 0x1ef
ntoskrnl.exe KySwitchKernelStackCallout + 0x27
ntoskrnl.exe KiSwitchKernelStackContinue
ntoskrnl.exe KeExpandKernelStackAndCalloutInternal + 0x218
csc.sys CscStorepLowIoCreateFilePoster + 0x19c
csc.sys CscStorepLowIoSetInformationFilePoster + 0x81
csc.sys CscStorepLowIoSetDeleteDisposition + 0x1c
csc.sys CscEnpComputePqQueueCommand + 0x696
csc.sys ?? ::NNGAKEGL::`string' + 0x93e0
csc.sys CscEnFindOrCreateEntry + 0x56
csc.sys CscEnQueryInformationEntry + 0x481
csc.sys CscStoreFindOrCreateEntry + 0x45
csc.sys CscCreate + 0xea7
rdbss.sys RxCollapseOrCreateSrvOpen + 0x232
rdbss.sys RxCreateFromNetRoot + 0x1b0
rdbss.sys RxCommonCreate + 0x1bd
rdbss.sys RxFsdCommonDispatch + 0x56e
rdbss.sys RxFsdDispatch + 0xcf
mrxsmb.sys MRxSmbFsdDispatch + 0x83
mup.sys MupiCallUncProvider + 0xc2
mup.sys MupCreate + 0x5f8
fltmgr.sys FltpLegacyProcessingAfterPreCallbacksCompleted + 0x258
fltmgr.sys FltpCreate + 0x342
ntoskrnl.exe IopParseDevice + 0x7b3
ntoskrnl.exe ObpLookupObjectName + 0x6d8
ntoskrnl.exe ObOpenObjectByName + 0x1e3
ntoskrnl.exe IopCreateFile + 0x372
ntoskrnl.exe NtCreateFile + 0x78
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwCreateFile + 0xa
KERNELBASE.dll CreateFileInternal + 0x30a
KERNELBASE.dll CreateFileW + 0x66
IEFRAME.dll CInternetShortcutPropertyStore::SaveEx + 0xb2
IEFRAME.dll CInternetShortcut::SaveToFile + 0x45
IEFRAME.dll CInternetShortcut::Save + 0x106
IEFRAME.dll PersistShortcut + 0x3e
IEFRAME.dll CreateNewFavorite + 0xa2
IEFRAME.dll CreateShortcutInDirEx + 0x178
IEFRAME.dll AddToFavoritesEx + 0x4d0
IEFRAME.dll CShdocvwBroker::CAddToFavoritesEx::STAFunction + 0x8a
IEFRAME.dll CShdocvwBroker::CSTAWorkItem<tagOFNW>::_ThreadProc + 0x2d
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d

2nd entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwSetInformationFile + 0xa
KERNELBASE.dll BaseMarkFileForDelete + 0xa7
KERNELBASE.dll BasepCopyFileExW + 0x1329
KERNELBASE.dll CopyFileExW + 0xbc
KERNEL32.DLL CopyFileW + 0x22
IEFRAME.dll CInternetShortcut::Save + 0xf1
IEFRAME.dll CFaviconDownloader::_SaveInfoToFavorite + 0x26e45e
IEFRAME.dll CFaviconDownloader::_SaveInfoToStores + 0x51
IEFRAME.dll CFaviconDownloader::_DoUpdateIcon + 0xc5
IEFRAME.dll CFaviconDownloader::UpdateFavicon + 0x10d
IEFRAME.dll UpdateFavoriteIcon + 0xb1
IEFRAME.dll DownloadAndAddIcon + 0x156
IEFRAME.dll CreateNewFavorite + 0x19d
IEFRAME.dll CreateShortcutInDirEx + 0x178
IEFRAME.dll AddToFavoritesEx + 0x4d0
IEFRAME.dll CShdocvwBroker::CAddToFavoritesEx::STAFunction + 0x8a
IEFRAME.dll CShdocvwBroker::CSTAWorkItem<tagOFNW>::_ThreadProc + 0x2d
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d

3rd entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntoskrnl.exe KiServiceLinkage
csc.sys CscSrvOpenCloseStoreState + 0x511
csc.sys CscStorepLowIoCreateFilePoster + 0x1c3
csc.sys CscStorepLowIoSetInformationFilePoster + 0x81
csc.sys CscStorepLowIoSetDeleteDisposition + 0x1c
csc.sys CscEnpComputePqQueueCommand + 0x696
csc.sys ?? ::NNGAKEGL::`string' + 0x93e0
csc.sys CscEnFindOrCreateEntry + 0x56
csc.sys CscEnQueryInformationEntry + 0x481
csc.sys CscStoreFindOrCreateEntry + 0x45
csc.sys CscQueryDirOpenAndUpdateEntry + 0x2d2
csc.sys CscQueryDirStitchSingleEntry + 0x294
csc.sys CscQueryDirStitchRemoteBuffer + 0x50
csc.sys CscQueryDirOnlineAndUpdateCache + 0x155
csc.sys ?? ::NNGAKEGL::`string' + 0x791
rdbss.sys RxQueryDirectory + 0x3e8
rdbss.sys RxCommonDirectoryControl + 0x94
rdbss.sys RxFsdCommonDispatch + 0x56e
rdbss.sys RxFsdDispatch + 0xcf
mrxsmb.sys MRxSmbFsdDispatch + 0x83
mup.sys MupFsdIrpPassThrough + 0x1ee
fltmgr.sys FltpLegacyProcessingAfterPreCallbacksCompleted + 0x258
fltmgr.sys FltpDispatch + 0xb6
ntoskrnl.exe NtQueryDirectoryFile + 0x1c0
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwQueryDirectoryFile + 0xa
SHELL32.dll CEnumFiles::_InitEnumeration + 0x193
SHELL32.dll CFSFolder::ParseDisplayName + 0x7ec
IEFRAME.dll CNscChangeNotifyTask::_IdlRealFromIdlSimple + 0xda
IEFRAME.dll CNscChangeNotifyTask::InternalResumeRT + 0x19
IEFRAME.dll CRunnableTask::Run + 0x5f
IEFRAME.dll CShellTaskThread::ThreadProc + 0xac
IEFRAME.dll CShellTaskThread::s_ThreadProc + 0x22
IEFRAME.dll ExecuteWorkItemThreadProc + 0x3c
ntdll.dll RtlpTpWorkCallback + 0x121
ntdll.dll TppWorkerThread + 0x81a
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d
----------------END-------------------------------------------

Thanks for your time.
Kunal
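One way to triage stacks like the ones in the post above, as an added example that is not part of the original post: it walks each procmon stack from the innermost frame outward and names the first component beyond the I/O plumbing that issued the set-information call. The function names, the plumbing-module list and the origin labels are assumptions of this example.

```python
import re
from itertools import takewhile

# Modules that only carry a request down the I/O path (list assumed for this example).
PLUMBING = {"fltmgr.sys", "ntoskrnl.exe", "ntdll.dll"}
WIN32 = {"kernelbase.dll", "kernel32.dll"}
# Labels are this example's reading of the modules seen in the post.
ORIGIN = {
    "srv2.sys": "SMB server executing a remote client's request",
    "csc.sys": "Offline Files cache on the client",
    "kernelbase.dll": "Win32 API called by the application",
}
FRAME = re.compile(
    r"^(?:\d+\s+)?(\S+\.(?:sys|exe|dll))\s+(.+?)(?:\s\+\s0x[0-9a-f]+)?$", re.I)

def parse_stack(text):
    """Return [(module, symbol)], innermost first; frame numbers and offsets dropped."""
    found = (FRAME.match(line.strip()) for line in text.strip().splitlines())
    return [(m.group(1).lower(), m.group(2)) for m in found if m]

def attribute_delete(text):
    """Name the component that issued the set-information call seen in a stack."""
    frames = parse_stack(text)
    if not any(sym == "NtSetInformationFile" for _, sym in frames):
        return None  # not a set-information stack
    idx = next((i for i, (mod, _) in enumerate(frames) if mod not in PLUMBING), None)
    if idx is None:
        return None  # nothing but plumbing frames
    module = frames[idx][0]
    # Consecutive frames in the issuing module show the code path inside it.
    via = [s for _, s in takewhile(lambda f: f[0] == module, frames[idx:])]
    skip = PLUMBING | WIN32 | {module}
    caller = next(((m, s) for m, s in frames[idx + len(via):] if m not in skip), None)
    return {"module": module, "origin": ORIGIN.get(module, "unclassified"),
            "via": via, "caller": caller}

# Frames copied from the post (trimmed to the relevant ones).
SERVER_STACK = """0 fltmgr.sys FltpPerformPreCallbacks + 0x31a
4 ntoskrnl.exe NtSetInformationFile + 0x7fa
5 srv2.sys Smb2ExecuteSetInfoReal + 0xcd
6 srv2.sys SrvProcpWorkerThreadProcessWorkItems + 0x18b
8 ntoskrnl.exe ExpWorkerThread + 0x2b5"""
CLIENT_STACK_2 = """fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntdll.dll ZwSetInformationFile + 0xa
KERNELBASE.dll BaseMarkFileForDelete + 0xa7
KERNELBASE.dll BasepCopyFileExW + 0x1329
KERNELBASE.dll CopyFileExW + 0xbc
KERNEL32.DLL CopyFileW + 0x22
IEFRAME.dll CInternetShortcut::Save + 0xf1"""
```

Calling `attribute_delete` on each stack separates a delete that arrives on the server as a remote SMB request from one issued on the client inside a Win32 call such as `CopyFileExW`, and reports the first application frame above it.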
All times are GMT -5.