  Message 1 of 4  
30 Jan 18 06:20
alex isep
xxxxxx@isep.ipp.pt
Join Date: 26 Jan 2018
Posts To This List: 4
Identify file operations with missing files

Hi all,

I am trying to identify file read operations with missing files in a particular folder. For that I am using IRP_MJ_CREATE and I am performing the following logic in the FLT_PREOP_CALLBACK:

I call the functions FltGetFileNameInformation(), FltParseFileNameInformation() and verify if the path of the object belongs to my desired folder, if so I call FltCreateFile().

Now, I assume three possible statuses for the FltCreateFile() method: SUCCESS, everything is fine; STATUS_OBJECT_NAME_NOT_FOUND, the file does not exist in the file system so I print a message informing that the file is missing; and finally, any other error, I simply print a message informing that an error occurred.

My question is: is this the correct approach? The reason why I ask this is because I am having some problems.

For instance, if I create a folder "New folder" inside my watched directory, I get several events for the objects "New folder\desktop.ini", "folder.jpg" and "folder.gif" that when opened return STATUS_OBJECT_NAME_NOT_FOUND, so I flag them as missing files. In order to solve this when I verify the path of the object, I simply verify if the final component corresponds to "desktop.ini", "folder.jpg" and "folder.gif", and if so I ignore it.

Another problem I have is when opening a file that exists, I get an event for an object with the name "test.txt:Zone.Identifier"; again, to solve this I am ignoring files with the string ":Zone.Identifier" in the final component.

When I also create a file in the folder (by copy/pasting or right click > new > file) I also get some events that later, when opening the file, get STATUS_OBJECT_NAME_NOT_FOUND...

Is this the correct way to do this? Or is there a better approach?

Thanks for any input.
  Message 2 of 4  
30 Jan 18 08:34
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 318
Identify file operations with missing files

I am not sure I understand what you are trying to accomplish here. What does "identify file read operations with missing files in a particular folder" mean?

If the files are present in the folder then the Create request will succeed otherwise it will return an error. Simply check the Post-Create Data->IoStatus.Status value and see if the operation failed and with what code.

Calling FltGetFileNameInformation in Pre Create, this will simply try to open the file and query the name, among many other things, but just to cut it short for your scenario.

Also you need to describe better what you want to do. It is very vague and abstract.

Cheers,
Gabriel
www.kasardia.com

On Tue, Jan 30, 2018 at 12:20 PM, xxxxx@isep.ipp.pt <xxxxx@lists.osr.com> wrote:

> Hi all,
>
> I am trying to identify file read operations with missing files in a
> particular folder. For that I am using IRP_MJ_CREATE and I am performing
> the following logic in the FLT_PREOP_CALLBACK:
>
> I call the functions FltGetFileNameInformation(),
> FltParseFileNameInformation() and verify if the path of the object belongs
> to my desired folder, if so I call FltCreateFile().
>
<...excess quoted lines suppressed...>

--
Bercea. G.
--
  Message 3 of 4  
30 Jan 18 10:02
alex isep
xxxxxx@isep.ipp.pt
Join Date: 26 Jan 2018
Posts To This List: 4
Identify file operations with missing files

Sorry for the vague description of the problem, in my head it seemed very clear.

Essentially I have a user application that will try to read a list of files inside a particular folder; those files might or might not exist (this is what I meant by perform a read of a missing file). I was trying to create a minifilter driver that would receive the "file request", verify if the file is on disk, and if it isn't, it would download it.

In order to do that I was filtering IRP_MJ_CREATE requests, and in the Pre-Create I was doing the following:

1) FltGetFileNameInformation();
2) FltParseFileNameInformation();
3) Verify if file belongs to a particular folder;
4) If so, do FltCreateFile();
5) Now if FltCreateFile returns "success" everything is OK, if it returns "status object name not found" I log a message indicating the file is missing and try to download it, if any other error I simply log the error message.

My question is if this is the correct approach for what I want. The reason why I ask this is because I have some problems with false positives.
  Message 4 of 4  
30 Jan 18 11:28
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 318
Identify file operations with missing files

The logical steps seem OK. The technical requirements not so good.

First of all there are no such things as false positives in such a case. An application is free to call CreateFile with any name they choose to. The fact that you have some "expectations" for what the names should be in your "watched" folder is your problem.

Also the ":Zone.Identifier" is in fact an alternate data stream and all files could have one or more of those if the file-system supports it. So you should not make a lot of assumptions about those either.

So what I am reading is that you want your user-mode process to "wait" in the CreateFile call until the file becomes available and then let go of the create when that file becomes available. If so, then yes your approach seems OK in terms of logical steps, but there are again several things you need to check and decide upon.

You will see indeed a lot of creates being thrown at you. You need to decide on your implementation and for which DesiredAccess you will bring the file to disk.

I believe a more interesting approach would be to create all the files that should be in that folder and mark them as offline, using the FILE_ATTRIBUTE_OFFLINE. Now, instead of doing all the work in PreCreate you switch to PostCreate and if the file that is being accessed is one you are monitoring and has the OFFLINE attribute set, then you know you need to bring it. So you download it and then let the post-create request finish.

Cheers,
Gabriel
www.kasardia.com
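
Added example (not part of the thread and not any poster's code): a user-mode C model of the PostCreate decision described in message 4, showing how the `desktop.ini` and `:Zone.Identifier` creates from message 1 fall out without a hard-coded ignore list. The names `classify_post_create` and `create_event_t`, the `\watched\` path, and the rule that only `FILE_READ_DATA` opens trigger a recall are assumptions; the constant values match the Windows headers.

```c
/* User-mode model of the PostCreate decision (inputs are passed in, not queried). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS               0x00000000u
#define STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034u
#define FILE_ATTRIBUTE_OFFLINE       0x00001000u
#define FILE_READ_DATA               0x00000001u
#define FILE_READ_ATTRIBUTES         0x00000080u

typedef enum { PASS_THROUGH, RECALL_FILE } verdict_t;
typedef struct {                       /* hypothetical record of one create */
    const char *parent_dir, *final_component;
    uint32_t status, attributes, desired_access;
} create_event_t;

static int has_prefix_ci(const char *s, const char *p) {
    for (; *p; ++s, ++p)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*p)) return 0;
    return 1;
}
/* True for "name:stream" opens; "name::$DATA" is the default data stream. */
static int targets_named_stream(const char *final_component) {
    const char *colon = strchr(final_component, ':');
    return colon && !has_prefix_ci(colon, "::$DATA");
}

verdict_t classify_post_create(const create_event_t *ev, const char *watched) {
    if (!has_prefix_ci(ev->parent_dir, watched)) return PASS_THROUGH;    /* other folder */
    if (ev->status != STATUS_SUCCESS) return PASS_THROUGH;               /* no placeholder */
    if (!(ev->attributes & FILE_ATTRIBUTE_OFFLINE)) return PASS_THROUGH; /* already local */
    if (targets_named_stream(ev->final_component)) return PASS_THROUGH;  /* ADS open */
    if (!(ev->desired_access & FILE_READ_DATA)) return PASS_THROUGH;     /* assumed policy */
    return RECALL_FILE;
}
static const char WATCHED[] = "\\watched\\";  /* trailing separator avoids \watched2\ */
static const create_event_t SAMPLES[] = {     /* constructed sample events */
    {"\\watched\\", "test.txt", STATUS_SUCCESS, FILE_ATTRIBUTE_OFFLINE, FILE_READ_DATA},
    {"\\watched\\", "test.txt:Zone.Identifier", STATUS_SUCCESS, FILE_ATTRIBUTE_OFFLINE, FILE_READ_DATA},
    {"\\watched\\New folder\\", "desktop.ini", STATUS_OBJECT_NAME_NOT_FOUND, 0, FILE_READ_DATA},
    {"\\watched\\", "test.txt", STATUS_SUCCESS, FILE_ATTRIBUTE_OFFLINE, FILE_READ_ATTRIBUTES},
};
int main(void) {
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; ++i)
        printf("%s -> %d\n", SAMPLES[i].final_component, classify_post_create(&SAMPLES[i], WATCHED));
    return 0;
}
```

Only the first sample yields `RECALL_FILE`; the stream open, the failed `desktop.ini` create and the attribute-only open all pass through.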
All times are GMT -5.