  Message 1 of 6  
16 Apr 18 09:51
CA Tan
xxxxxx@gmail.com
Join Date: 16 Apr 2018
Posts To This List: 3
How to determine a file open event via mini filter?

I don't know why I cannot seem to find a straightforward answer to the question "How to determine file open event via mini filter?"

In Microsoft's docs (https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/irp-mj-create), it is explained that: "The I/O Manager sends the IRP_MJ_CREATE request when a new file or directory is being created, or when an existing file, device, directory, or volume is being opened."

In the same Microsoft doc on IRP_MJ_CREATE, it says: "Irp->IoStatus: Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the requested operation. The file system sets the Information member of this structure to one of the following values: FILE_CREATED, FILE_DOES_NOT_EXIST, FILE_EXISTS, FILE_OPENED, FILE_OVERWRITTEN, FILE_SUPERSEDED."

How do I identify if the status of the event is FILE_OPENED? The question is, when IRP_MJ_CREATE is sent, can I determine if this is a result of an existing file being opened? And if I can, can I therefore identify the name of the file that is being opened, and which AD account has opened it?

Thanks.
  Message 2 of 6  
16 Apr 18 10:01
Don Burn
xxxxxx@windrvr.com
Join Date: 23 Feb 2011
Posts To This List: 174
How to determine a file open event via mini filter?

Traditionally, the approach is to allow the open to proceed, then on the POST operation check the flag. You can get the filename and the SID of the user as part of the pre/post operations.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
  Message 3 of 6  
17 Apr 18 00:40
CA Tan
xxxxxx@gmail.com
Join Date: 16 Apr 2018
Posts To This List: 3
How to determine a file open event via mini filter?

Thanks Don. I'm sorry that I am pretty new to filters. How do I check the flag on the POST operation? While I will attempt again to understand the minifilter documentation on Microsoft's github page, do you have a recommended tutorial or steps that I can use?

Thanks.
CA Tan

On Mon, 16 Apr 2018, 10:01 PM Don Burn <xxxxx@windrvr.com>, <xxxxx@lists.osr.com> wrote:
> Traditionally, the approach is to allow the open to proceed, then on the
> POST operation check the flag. You can get the filename and the SID of the
> user as part of the pre/post operations.
>
> Don Burn
> Windows Driver Consulting
> Website: http://www.windrvr.com
> <...excess quoted lines suppressed...>
  Message 4 of 6  
17 Apr 18 03:38
NtDev Geek
xxxxxx@gmail.com
Join Date: 09 Aug 2013
Posts To This List: 38
How to determine a file open event via mini filter?

Use the filetest utility and start playing with this awesome tool. Put a breakpoint using windbg in your precreate dispatch and see the cdb values there; you can find all of your questions. Better to start with the pass-through filter sample of the DDK. Hope this will help.

./nT
  Message 5 of 6  
20 Apr 18 04:55
CA Tan
xxxxxx@gmail.com
Join Date: 16 Apr 2018
Posts To This List: 3
How to determine a file open event via mini filter?

Thanks nT. I downloaded filetest (http://www.zezula.net/en/fstools/filetest.html) and tried to use it. I'm not sure if I follow what you meant for me to use it for. Would it be the same effect if I simply opened a text file while having DbgView turned on? As for windbg, I'm not sure if I am thinking correctly that this might be overkill. All I just want to know is how do I call out the flag of the POST operation (as per Don Burn's post). I guess the fault is really mine when I don't understand what you mean by "pass through filter sample of ddk". I did try to understand the passThrough filter sample on Microsoft's github, but I might have failed to understand the relation. I would appreciate it if you might have more specific directions, as I am still trying to understand file systems and minifilters.

Thanks.

On Tue, Apr 17, 2018 at 3:37 PM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
> use filetest utility and start playing with this awesome tool. put a break
> point using windbg in your precreate dispatch and see the cdb values there
> you an find all of your questions.
>
> better to start with pass through filter sample of ddk.
>
> hope this will help.
>
> ./nT
> <...excess quoted lines suppressed...>

--
Regards,
CA
  Message 6 of 6  
20 Apr 18 06:11
Gaurav Khuntale
xxxxxx@gmail.com
Join Date: 05 Sep 2014
Posts To This List: 19
How to determine a file open event via mini filter?

Hello CA,

Please check the documentation for the FLT_CALLBACK_DATA structure, which is passed as a parameter to the PostOperation callback in a minifilter. In this structure you will find an IO_STATUS_BLOCK structure member, and the Information field of that structure will tell you whether an existing file was opened, an existing file was overwritten, or a new file was created.

Hope this helps you.

Regards,
Gaurav Khuntale
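The approach the replies describe (let the create proceed, check IoStatus.Information in the post-create callback, and pick up the file name and the caller's SID across the pre/post pair), written out as an added example that is not code from the thread or from any poster. It assumes a WDK minifilter project (fltKernel.h); the #else stubs are an assumption that exists only so the pure classifier can be compiled and tested outside the kernel, and the 128-WCHAR SID buffer and the DbgPrint format are this example's own choices.

```c
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else /* host-build stubs (assumed to mirror ntdef.h/wdm.h) so the classifier can be unit-tested */
#include <stdint.h>
typedef int32_t NTSTATUS; typedef uintptr_t ULONG_PTR; typedef unsigned char BOOLEAN;
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
enum { FILE_SUPERSEDED = 0, FILE_OPENED = 1, FILE_CREATED = 2, FILE_OVERWRITTEN = 3 };
#endif
/* Pure decision: create succeeded AND the file system says an existing file was opened. */
BOOLEAN IsOpenOfExistingFile(NTSTATUS Status, ULONG_PTR Information)
{
    return (BOOLEAN)(NT_SUCCESS(Status) && Information == FILE_OPENED);
}
#ifdef _KERNEL_MODE
/* Pre-create: the requestor's token is at hand here; capture TOKEN_USER and pass it to PostCreate. */
FLT_PREOP_CALLBACK_STATUS
PreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PTOKEN_USER user = NULL;
    PACCESS_TOKEN token = SeQuerySubjectContextToken(
        &Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext);
    UNREFERENCED_PARAMETER(FltObjects);
    if (!NT_SUCCESS(SeQueryInformationToken(token, TokenUser, (PVOID *)&user))) user = NULL;
    *CompletionContext = user; /* pool memory from SeQueryInformationToken, freed in PostCreate */
    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
/* Post-create: skip draining callbacks and anything but a successful open of an existing file. */
FLT_POSTOP_CALLBACK_STATUS
PostCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
           PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags)
{
    PTOKEN_USER user = (PTOKEN_USER)CompletionContext;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    WCHAR buf[128]; UNICODE_STRING sid = { 0, sizeof(buf), buf };
    UNREFERENCED_PARAMETER(FltObjects);
    if (!FlagOn(Flags, FLTFL_POST_OPERATION_DRAINING) &&
        IsOpenOfExistingFile(Data->IoStatus.Status, Data->IoStatus.Information) &&
        NT_SUCCESS(FltGetFileNameInformation(Data,
            FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo))) {
        FltParseFileNameInformation(nameInfo);
        if (!user || !NT_SUCCESS(RtlConvertSidToUnicodeString(&sid, user->User.Sid, FALSE)))
            RtlInitUnicodeString(&sid, L"<unknown SID>");
        DbgPrint("existing file opened: %wZ by %wZ\n", &nameInfo->Name, &sid);
        FltReleaseFileNameInformation(nameInfo);
    }
    if (user) ExFreePool(user); /* always released, including on the draining path */
    return FLT_POSTOP_FINISHED_PROCESSING;
}
#endif
```

Register PreCreate/PostCreate for IRP_MJ_CREATE in the FLT_OPERATION_REGISTRATION table passed to FltRegisterFilter; the classifier is what decides, and it can be exercised on its own.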