Unknown FSCTL FILE_DEVICE_FILE_SYSTEM/239 on OneDrive

Hello everyone!
I try logging of operation on filesystem introduced by OneDrive but encountered with the problem : after I send an incoming file to OneDrive via Internet, in my mini-filter driver I see only one OPEN_FILE request and two FSCTL_ with code:239 to OneDrive storage and then file appeared in storage…
I find topic https://www.osronline.com/showthread.cfm?link=286466 with the same problem.
What is magic code 239 and how it works?
Thank you!

I still have the same questions as last time:

What is the call stack when you see this FSCTL? Be sure to do a .reload /user before getting the call stack.

Are you above or below CldFlt?

-scott
OSR
@OSRDrivers

I’m above CldFlt.

OK, I put this under Process Monitor and checked a few call stacks. Looks
like the FSCTL 0x903bc (9/239/0) is the *one* FSCTL used for all Cloud
Filter APIs from user mode. For example here’s one stack:

NtFsControlFile + 0x14
DeviceIoControl + 0x111
DeviceIoControlImplementation + 0x80
IssueHsmControl + 0x119
CfHydratePlaceholder + 0xa4
<lambda_b9c59366b7b72eef8885827a75bce7b9>::operator() + 0x124
<lambda_e14dae719a439946fdc25bf9b67195ed>::operator() + 0x144
<lambda_96f1580a475abedb5b0ccd0a97f888b6>::operator() + 0x105

(Aside: man do I hate other people’s lambdas…)

And another:

NtFsControlFile + 0x14
DeviceIoControl + 0x111
DeviceIoControlImplementation + 0x80
IssueHsmControl + 0x119
CfSetCorrelationVector + 0xd7
<lambda_b9c59366b7b72eef8885827a75bce7b9>::operator() + 0x95
<lambda_e14dae719a439946fdc25bf9b67195ed>::operator() + 0x144

You can find documentation on the CfXxx APIs here:

https://msdn.microsoft.com/en-us/library/windows/desktop/mt827575(v=vs.85).aspx

Based on the call stack, if I needed to give this FSCTL a name I’d call it
FSCTL_ISSUE_HSM_CONTROL. Though that doesn’t really tell you anything as it
clearly does lots of different things depending on the associated control
structure.

You’ll need to sit beneath the Cloud Filter if you want to see the writes.

-scott
OSR
@OSRDrivers</lambda_e14dae719a439946fdc25bf9b67195ed></lambda_b9c59366b7b72eef8885827a75bce7b9></lambda_96f1580a475abedb5b0ccd0a97f888b6></lambda_e14dae719a439946fdc25bf9b67195ed></lambda_b9c59366b7b72eef8885827a75bce7b9>