How to access file which is opened in exclusive mode by other process?

Hi All,

As we all know if a file is already opened with exclusive access mode, any call
to open such a file will fail. But my requirement is to read the file even if it
is already opened with exclusive access mode by any other process.

I know that these checks are done by the OS when we call CreateFile API. My Idea
is to bypass these checks so that I can open the file and access it’s data.

So please tell me is it possible to do so in user and kernel mode?
And which are the ways to do it?

Thanks & Regards,
Amit.

Have a look at opening the file with FILE_FLAG_BACKUP_SEMANTICS. To
use this you will also need to ensure that you have
SE_BACKUP_NAME/SE_RESTORE_NAME privileges for your process.

At 11:18 02/03/2009, xxxxx@yahoo.com wrote:

Hi All,

As we all know if a file is already opened with exclusive access
mode, any call
to open such a file will fail. But my requirement is to read the
file even if it
is already opened with exclusive access mode by any other process.

I know that these checks are done by the OS when we call CreateFile
API. My Idea
is to bypass these checks so that I can open the file and access it’s data.

So please tell me is it possible to do so in user and kernel mode?
And which are the ways to do it?

Thanks & Regards,
Amit.

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> Have a look at opening the file with FILE_FLAG_BACKUP_SEMANTICS.

I think this is from a bit different field - IIRC, this flags allows you to skip security checks that are related to file ownership. However, " exclusive access " does not necessarily imply ownership - it just means that someone has passed zero as ShareMode parameter to CreateFile(), so that all subsequent attempts to open a given file will fail until file handle gets closed…

Anton Bassov

At 11:48 02/03/2009, xxxxx@hotmail.com wrote:

> Have a look at opening the file with FILE_FLAG_BACKUP_SEMANTICS.

I think this is from a bit different field - IIRC, this flags
allows you to skip security checks that are related to file
ownership. However, " exclusive access " does not necessarily imply
ownership - it just means that someone has passed zero as ShareMode
parameter to CreateFile(), so that all subsequent attempts to open a
given file will fail until file handle gets closed…

You may be right, it’s a long time since I used it. Of course,
backup apps these days work off a snapshot rather than having to
solve this problem, so not many people would be trying to do this these days.

Maybe the OP can tell us if it works or not ?

wrote:
> But my requirement is to read the file even if it
> is already opened with exclusive access mode by any other
> process.

What is the reason behind being able to read a file previously opened with exclusive access?

Is this for a backup application? If so, then you should really look into VSS (Volume Shadow Copy Service):

http://msdn.microsoft.com/en-us/library/aa384649(VS.85).aspx

Razvan

>>backup apps these days work off a snapshot rather than having to

>solve this problem,

Then how can I take snapshot?
Doe’s it mean I have to read disk data-structures to read the file data?

wrote:
> Then how can I take snapshot?
> Doe’s it mean I have to read disk data-structures to read
> the file data?

You don’t need to read on-disk structures to read the file date because the snapshot is exposed as a read-only volume which is mounted by NTFS.

I recommend that you start playing with the VSS SDK in order to learn how to take snapshots programmatically. In the mean time you could play with the vshadow command line tool in order to get the feeling of how snapshots work.

Regards,
Razvan

At 12:11 02/03/2009, xxxxx@yahoo.com wrote:

>>backup apps these days work off a snapshot rather than having to
>>solve this problem,

Then how can I take snapshot?
Doe’s it mean I have to read disk data-structures to read the file data?

Let’s step back and re-ask the question Razvan asked. What is your
purpose in needing to open this type of file ? Are you indeed
writing a backup application ?

Take a look at IoCreateFileSpecifyDeviceObjectHint it has flags to do this,
but do it only for reading otherwise you are likely to see a disaster.

–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> Hi All,
>
> As we all know if a file is already opened with exclusive access mode, any
> call
> to open such a file will fail. But my requirement is to read the file even
> if it
> is already opened with exclusive access mode by any other process.
>
> I know that these checks are done by the OS when we call CreateFile API.
> My Idea
> is to bypass these checks so that I can open the file and access it’s
> data.
>
> So please tell me is it possible to do so in user and kernel mode?
> And which are the ways to do it?
>
> Thanks & Regards,
> Amit.
>

> Maybe the OP can tell us if it works or not ?

Well, if I had Windows somewhere around I would just test it myself before making a post - after all, running a test like that is, apparently, quicker than typing in a post itself. However, once I don’t, I have to avoid any assertions here- my statement about ShareMode is just a suggestion that may easily turn out to be wrong…

Anton Bassov

You can use the IO_IGNORE_SHARE_ACCESS_CHECK flag with IoCreateFileSpecifyDeviceObjectHint (or with FltCreateFile, for a mini-filter) just as Don Burn had suggested, but be very careful.

xxxxx@yahoo.com wrote:

As we all know if a file is already opened with exclusive access mode, any call
to open such a file will fail. But my requirement is to read the file even if it
is already opened with exclusive access mode by any other process.

I love this kind of post. “We all know that X is impossible. My
requirement is to do X. How can I do it?”

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I *think* that you can do this if you enable the backup privilege for the process opening the handle. But I could be remembering this incorrectly - something to try out.

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Monday, March 02, 2009 9:54 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How to access file which is opened in exclusive mode by other process?

xxxxx@yahoo.com wrote:

As we all know if a file is already opened with exclusive access mode, any call
to open such a file will fail. But my requirement is to read the file even if it
is already opened with exclusive access mode by any other process.

I love this kind of post. “We all know that X is impossible. My
requirement is to do X. How can I do it?”

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thanks to all for this valuable information.

So from above discussion I have concluded it will be nice to use IoCreateFileSpecifyDeviceObjectHint API
as I just want to read the file. I will try it now and will report the result here in this post.

But IoCreateFileSpecifyDeviceObjectHint API works on XP and above, Is there any way to do it on 2K?

Add more friends to your messenger and enjoy! Go to http://messenger.yahoo.com/invite/

Please refer to http://www.osronline.com/article.cfm?article=258.

Thanks for the URL.
?
I have gone through it. Yes we can send create request to devoice object billow us using technique explained in the article. But my requirement is different and using that technique I can not able to pass IO_IGNORE_SHARE_ACCESS_CHECK.
?
What do you think can I achieve functionality provided by IO_IGNORE_SHARE_ACCESS_CHECK using that article?

Add more friends to your messenger and enjoy! Go to http://messenger.yahoo.com/invite/

You’re right, you cannot use IO_IGNORE_SHARE_ACCESS_CHECK with this implementation (I remembered that you could, but apparently I was wrong).

You can use FltCreateFile() from a mini-filter.

Hi All,
?
It is really working well, Thanks.
?
But in description about IO_IGNORE_SHARE_ACCESS_CHECK in MSDN states that it "Indicates that the I/O manager should not perform share-access checks on the file object after it is created. However, the file system might still perform these checks. "
?
Now if file system perform these checks then again we will not able to open the file. So following are some questions that came in my mind…
?
1> Which are the file systems that perform these checks? Or?In which circumstances file systems perform these checks?
?
2> is there any way to bypass them?
?
Thanks & Regards,
Amit.

Check out the all-new Messenger 9.0! Go to http://in.messenger.yahoo.com/

Hay! What happened, no one is responding to this post.

OK, Here I ask it again…

Description about IO_IGNORE_SHARE_ACCESS_CHECK in MSDN states that it? "Indicates that the I/O manager should not perform share-access checks on the file object after it is created. However, the file system might still perform these checks. "

Now if file system perform these checks then again we will not able to open the file. So following are some questions that came in my mind…

1> Which are the file systems that perform these checks? Or In which circumstances file systems perform these checks?

2> is there any way to bypass them?

Thanks & Regards,
Amit.

Add more friends to your messenger and enjoy! Go to http://messenger.yahoo.com/invite/

>Hay! What happened, no one is responding to this post.

As is often mentioned here, this isn’t a paid support list. If someone feels
like answering the question they will, if not they won’t. This is also
probably a better question for NTFSD.

MSDN states that it "Indicates that the I/O manager should not perform
share-access checks on the file object after it is created. >However, the
file system might still perform these checks. "

That statement is pretty confusing. The way it works is that when you
perform an open with IGNORE_SHARE_ACCESS_CHECK the resulting file object is
flagged as having been opened with this bit set. Later when the file system
passes this file object to Io{Set|Check|Update|Remove}ShareAccess the
operation is a NOP.

The end result is that this only bypasses the sharing checks done by the I/O
manager routines. A file system may in fact choose to not use those
routines, which would make this flag useless (all MS supplied FSDs that I
know do use this API though).

In addition, the file system may perform its own checks for incompatible
opens outside of this API.

1> Which are the file systems that perform these checks? Or In which
circumstances file systems perform these checks?

No way to know, it’s under the mercy of the developer of the FSD. The
FASTFAT source is a good reference though.

2> is there any way to bypass them?

What we usually do is just open the file without any data access
(SYNCHRONIZE), as it’s the data access that gets in your way. Then convert
the handle you have into a file object. Once you have a file object you can
roll your own IRPs and send reads/writes to it since the FSDs typically
don’t do any access checking in their I/O routines.

-scott

–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Looking forward to seeing you at the next OSR Kernel Debugging Class April
6, 2009 in Portland, OR!

“Amit Kulkarni” wrote in message
news:xxxxx@ntdev…
Hay! What happened, no one is responding to this post.

OK, Here I ask it again…

Description about IO_IGNORE_SHARE_ACCESS_CHECK in MSDN states that it
"Indicates that the I/O manager should not perform share-access checks on
the file object after it is created. However, the file system might still
perform these checks. "

Now if file system perform these checks then again we will not able to open
the file. So following are some questions that came in my mind…

1> Which are the file systems that perform these checks? Or In which
circumstances file systems perform these checks?

2> is there any way to bypass them?

Thanks & Regards,
Amit.

Check out the all-new Messenger 9…0! Click here.