Handling IOCTL 0x140410

I keep receiving this IOCTL in my file system driver which seems to be undocumented. In http://www.osronline.com/showthread.cfm?link=133922, this seems to hint that it’s a REMOTE_COPY IOCTL.

Any clue to (a) what’s the expected behavior for a file system when receiving this IOCTL, and (b) what is the struct that I need to cast the buffer in the IRP?

Many thanks

Note that I came across this while investigating IOCTL_COPYCHUNK [1] , which has function code 262.

[1] http://msdn.microsoft.com/en-us/library/cc512134(v=vs.85).aspx

ioctl 0x140410
IOCTL_QUERY_REMOTE_SERVER_NAME

I don’t have information about the associated structure(s).

L.

Thanks - where did you get this? Also, I’m also getting an IOCTL for function code = 261 right afterwards.

I have my own tool that I wrote few years ago that can decode
IOCTL numbers, called Ioctl.exe.
http://www.zezula.net/fstools.html

You just enter ioctl.exe 0x140410 and see the result.

L.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, July 18, 2014 9:10 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Handling IOCTL 0x140410

Thanks - where did you get this? Also, I’m also getting an IOCTL for
function code = 261 right afterwards.


NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thanks Ladislav, this is useful. Unfortunately, it’s still a mystery how one is supposed to handle these two IOCTLS…

@ladislav zezula do you have a referance to the name.

0:000> .load decodeioctl
0:000> !decodeioctl 140410
IoControlCode 140410 is defined as undefined ioctl code
CTL_CODE(00000014 = FILE_DEVICE_NETWORK_FILE_SYSTEM , 00000104 , METHOD_BUFFERED
. FILE_ANY_ACCESS
0:000>

On 7/18/14, xxxxx@gmail.com wrote:
> Thanks Ladislav, this is useful. Unfortunately, it’s still a mystery how one
> is supposed to handle these two IOCTLS…
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

> @ladislav zezula do you have a referance to the name.

Do you mean IOCTL_QUERY_REMOTE_SERVER_NAME?

L.

i have a windbg extension which decodes ioctls it could decode this
140410 to its proper file device FILEDEVICE bt did not know the name
so i tried to lookup but couldnt find any referance to the name i
looked inside your executable and observe that you have special cased
this name along with other 4 names so i was interested to know if
there is any public referance that you can point me to regarding the
name

the output of my windbg extension is as follows i added the name to my
list courtesy of this post but it would be great if there is any
reference to lean back to (winddk upto 7600 doesnt seem to have this
name )

0:000> .load decodeioctl

0:000> !decodeioctl 140410
IoControlCode 140410 is defined as undefined ioctl code
CTL_CODE(00000014 = FILE_DEVICE_NETWORK_FILE_SYSTEM , 00000104 , METHOD_BUFFERED
. FILE_ANY_ACCESS

0:000> !findioctl IOCTL_QUERY_REMOTE_SERVER_NAME
IOCTL_QUERY_REMOTE_SERVER_NAME is not a defined ioctl

0:000> !addioctl /?
!addioctl

- ioctlcode like 0xd3daf987 (base 16)
- string Like IOCTL_SOME_FOO_BLAH
- filedevicecode like 0xdead (base 16)
- string Like FILE_DEVICE_DEAD
add an Ioctl Description

0:000> !addioctl 140410 IOCTL_QUERY_REMOTE_SERVER_NAME 14
FILE_DEVICE_NETWORK_FILE_SYSTEM
FileDeviceCode Already Exists
adding to c:\ioctls.txt 0x00140410,IOCTL_QUERY_REMOTE_SERVER_NAME

0:000> !findioctl IOCTL_QUERY_REMOTE_SERVER_NAME
IOCTL_QUERY_REMOTE_SERVER_NAME = 0x00140410

0:000> !decodeioctl 140410
IoControlCode 140410 is defined as IOCTL_QUERY_REMOTE_SERVER_NAME
CTL_CODE(00000014 = FILE_DEVICE_NETWORK_FILE_SYSTEM , 00000104 , METHOD_BUFFERED
. FILE_ANY_ACCESS
0:000>

On 7/19/14, xxxxx@volny.cz wrote:
>> @ladislav zezula do you have a referance to the name.
>
> Do you mean IOCTL_QUERY_REMOTE_SERVER_NAME?
>
> L.
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Thanks everyone for the replies – still a mystery how a file system needs to respond to these two IOCTLs and what the request and response structs look like…

A file system wouldn’t normally see this - it would be sent from an SMB client to an SMB server. As for its format, I’d expect it would be fairly straight-forward to figure this out from looking at the return data (e.g., my guess is that it is either a counted string or a null terminated string, with the former more likely). This kind of query wouldn’t typically have any request data (since it is “hey, what’s your name?” there’s no REASON to send along additional information).

Have you tried issuing this IOCTL on an open SMB/CIFS file handle to see what happens?

Tony
OSR