MiniFilter redirection without STATUS_REPARSE. Is it possible?

Mauro_Leggieri-1 · June 22, 2015, 9:51pm

Hi,

I’m trying to resolve some issues related to redirecting a folder to a different volume in a minifilter’s PreCreate callback. For most operations works as expected but some Low Integrity processes have trouble to open some files.

In these specific situations, the effect I see is minifilter correctly returning STATUS_REPARSE with the new full target but Process Monitor only shows “REPARSE” as a result and the IRP_MJ_CREATE is not reissued with the new path. If I browse the files and folders using Windows Explorer, redirection works as expected.

Despite of this I was thinking if another alternative exists. Can I, from my PreCreate routine, open the real target file and modify the Irp in some way to use the new opened file instead of letting Obj Manager to do its job with the STATUS_REPARSE status?

Regards,
Mauro.

Peter_Scott · June 22, 2015, 11:32pm

You can do this but you will implementing a layered file system driver.
You will need to handle all accesses to the file objects which you take
control of, redirecting requests to the file object which you open in
your layered FS driver. Search for shadow file objects to see the issues
and requirements for implementing this type of design.

Pete

–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com http:</http:>
866.263.9295

------ Original Message ------
From: xxxxx@caiman.com.ar
To: “Windows File Systems Devs Interest List”
Sent: 6/22/2015 7:50:46 PM
Subject: [ntfsd] MiniFilter redirection without STATUS_REPARSE. Is it
possible?

>Hi,
>
>I’m trying to resolve some issues related to redirecting a folder to a
>different volume in a minifilter’s PreCreate callback. For most
>operations works as expected but some Low Integrity processes have
>trouble to open some files.
>
>In these specific situations, the effect I see is minifilter correctly
>returning STATUS_REPARSE with the new full target but Process Monitor
>only shows “REPARSE” as a result and the IRP_MJ_CREATE is not reissued
>with the new path. If I browse the files and folders using Windows
>Explorer, redirection works as expected.
>
>Despite of this I was thinking if another alternative exists. Can I,
>from my PreCreate routine, open the real target file and modify the Irp
>in some way to use the new opened file instead of letting Obj Manager
>to do its job with the STATUS_REPARSE status?
>
>Regards,
>Mauro.
>
>
>—
>NTFSD is sponsored by OSR
>
>OSR is hiring!! Info at http://www.osr.com/careers
>
>For our schedule of debugging and file system seminars visit:
>http://www.osr.com/seminars
>
>To unsubscribe, visit the List Server section of OSR Online at
>http://www.osronline.com/page.cfm?name=ListServer

Mauro_Leggieri-1 · June 23, 2015, 8:34am

Hi Peter, thank you for answering.

a) Do you know, some hint, why sometimes returning STATUS_REPARSE does not trigger reissuing the request? Some calls have the FILE_FLAG_OPEN_REPARSE_POINT and/or FILE_FLAG_OPEN_NO_RECALL flags but others doesn’t. I cannot figure out some pattern.

b) Is there some starting sample I can watch to begin a research?

Regards,
Mauro.