Mini-filter: How to open a file with DeletePending?

I am writing a mini-filter which needs to open files before they are
deleted. I am filtering on _MJ_CLOSE and then checking the
DeletePending flag on the associated FILE_OBJECT. I need to open the
file for write access to wipe the contents, but no matter what I have
tried I always get a status STATUS_DELETE_PENDING from the Open
function. I have tried FltCreateFile, ZwCreateFile & IoCreateFile.

There must be some way to do this!

Can anyone shed some light on how this might be accomplished?

Thanks very much!
John

p.s. sorry about the cross-posts!

Read pages 332 & 333 of “Windows NT File Systems Internals” under the first
reference to IRP_MJ_CLOSE. Read pages 525-531 also.

There are some special semantics about the time between IRP_MJ_CLEANUP and
IRP_MJ_CLOSE. For that file object no user IOs can occur since all user
handles to that file object have been closed. This means only paged IOs can
be issued and that includes an attempt to open the file. The FSD knows that
the last user handle indicated the file should be deleted and the FSD is
only waiting until the last close occurs to do such. Implementing object
reuse should probably be done when the cleanup is seen if it is the last
file object for that file. This is the first file object opened that caused
the cache manager to use that file object to handle all paging IO requests
for that file. It might even be a stream file object not created by a user
create but by some part of the kernel. You can hold the cleanup, then issue
writes of zeroes, random data, etc. to the file for the entire file’s size.
To get the bytes at the end of the last cluster that will not be written you
might have to change the file size to be a multiple of the cluster size
which will be a multiple of sector size except for NTFS when the data is
kept in the file’s directory block.

Try searching this newsgroup for more information about problems seen with
encryption and compression being done in file system filters. This may help
you understand the rules and responsibilities that FSFs must follow for
active filters. None of the samples are really active filters that you can
find in the WDK or the older IFS Kits. The swapbuffers is the closest, but
it is not a really complete active filter that modifies the contents of the
data being written.

You might want to consider issuing an undelete request before allowing the
cleanup to occur. That would allow the file to be opened exclusively by you
after the cleanup has completed. This will only work if it is the last file
object for that file. Too bad Windows doesn’t allow object reuse even
though it would be a major overhead on the disk subsystem.


Thank you so much! Your response got me pointed in the right direction.

I was able to get the desired functionality by filtering on _MJ_SET_FILE_INFORMATION
and checking
((FILE_DISPOSITION_INFORMATION*)Data->Iopb->Parameters.SetFileInformation.InfoBuffer)->DeleteFile. Now I can open the file and wipe its contents.

Do you see any caveats in this approach?

Thanks again,
John

  1. Note, DeletePending flag can be turned off by another IRP_MJ_SET_INFORMATION/FileDispositionInformation call
  2. DeletePending flag can be set in IRP_MJ_CREATE (FILE_DELETE_ON_CLOSE)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] on behalf of xxxxx@charter.net
Sent: Saturday, November 03, 2007 2:45 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Mini-filter: How to open a file with DeletePending?


NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@asw.cz
To unsubscribe send a blank email to xxxxx@lists.osr.com

> Do you see any caveats in this approach?

You mean aside from the facts that you are corrupting the users’ data, not
catching all deletes, processing some deletes that are not actual deletes,
etc.?

Set info does not delete a file. It marks the file for deletion on last
handle close.

Cleanup deletes the file, including deallocating the allocated clusters. If
you “wipe” the data after cleanup, you will be writing to clusters that are
potentially allocated to some other file.

You need to do your work in pre-cleanup. You must know that the file is
marked for deletion, and that this is the last cleanup for the file. Then
you can use the existing file object to do your I/O.

- Dan.


Ok, thanks for the feedback. I now have it wiping the file contents on MJ_CLEANUP when FileObject->DeletePending is true. This seems to work well.

Thanks,
John

> 2) DeletePending flag can be set in IRP_MJ_CREATE (FILE_DELETE_ON_CLOSE)

…in which case it cannot be cleared by
MJ_SET_INFORMATION/FileDispositionInformation, at least on some FSDs.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
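
The caveats raised in the replies above, as an added example that is not code from any poster in this thread: a user-mode model (not driver code) comparing a wipe decision made when the disposition is set with one made in pre-cleanup. The event names, `file_state`, the function names and the traces are constructed for illustration, and FILE_DELETE_ON_CLOSE is assumed to be sticky once set.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed event kinds standing in for the requests named in the thread. */
enum ev { CREATE, CREATE_DOC /* FILE_DELETE_ON_CLOSE */, SET_DELETE,
          CLEAR_DELETE, CLEANUP };

struct file_state {          /* hypothetical per-file state kept by the filter */
    int  handles;            /* user handles not yet cleaned up */
    bool disposition;        /* last FileDispositionInformation value */
    bool delete_on_close;    /* assumption: sticky once set at create */
};

/* Pre-cleanup rule: wipe only on the last cleanup of a file marked for delete. */
bool precleanup_should_wipe(struct file_state *s, enum ev e) {
    if (e == CREATE || e == CREATE_DOC) s->handles++;
    if (e == CREATE_DOC)   s->delete_on_close = true;
    if (e == SET_DELETE)   s->disposition = true;
    if (e == CLEAR_DELETE) s->disposition = false;
    if (e != CLEANUP) return false;
    bool last = (s->handles == 1);
    s->handles--;
    return last && (s->disposition || s->delete_on_close);
}

/* Index of the event where each policy would wipe, or -1 if it never does. */
int wipe_index_setinfo(const enum ev *t, size_t n) {
    for (size_t i = 0; i < n; i++) if (t[i] == SET_DELETE) return (int)i;
    return -1;
}
int wipe_index_precleanup(const enum ev *t, size_t n) {
    struct file_state s = {0};
    for (size_t i = 0; i < n; i++)
        if (precleanup_should_wipe(&s, t[i])) return (int)i;
    return -1;
}

/* Constructed traces, one per caveat: delete undone, delete-on-close, shared file. */
const enum ev UNDONE[]   = { CREATE, SET_DELETE, CLEAR_DELETE, CLEANUP };
const enum ev ON_CLOSE[] = { CREATE_DOC, CLEANUP };
const enum ev SHARED[]   = { CREATE, CREATE, SET_DELETE, CLEANUP, CLEANUP };

int main(void) {
    printf("undone:   set-info=%d pre-cleanup=%d\n",
           wipe_index_setinfo(UNDONE, 4), wipe_index_precleanup(UNDONE, 4));
    printf("on-close: set-info=%d pre-cleanup=%d\n",
           wipe_index_setinfo(ON_CLOSE, 2), wipe_index_precleanup(ON_CLOSE, 2));
    printf("shared:   set-info=%d pre-cleanup=%d\n",
           wipe_index_setinfo(SHARED, 5), wipe_index_precleanup(SHARED, 5));
    return 0;
}
```

In the model, the set-info policy wipes a file whose delete was later undone, misses the delete-on-close file entirely, and wipes the shared file while a second handle is still open; the pre-cleanup policy acts only at the final cleanup of a file that is still marked.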