Filter context of file object ?

OSR_Community_User · January 12, 2004, 10:29am

Hi, all,

does anyone know something about the “FilterContext”
of the file object ? This is the value returned by
IoGetFileObjectFilterContext (WinXP, SP1), which can be written
as following:

PVOID IoGetFileObjectFilterContext(PFILE_OBJECT FileObject)
{
if(FileObject->Flags & 0x00800000)
return (FileObject->dwOffs78);
return NULL;
}

I have a problem with it. The file object itself has the size of 0x70 bytes,
but the function gets a DWORD value from offset 0x78.

L.

OSR_Community_User · January 12, 2004, 11:09am

The size of the file object is not germane in this case. Specifically,
note that this flag is the FO_FILE_OBJECT_HAS_EXTENSION flag. Thus, all
they are doing is offseting past the file object into the extension
area; I believe this extension area is private to the OS and is not
available via public symbols.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Monday, January 12, 2004 10:29 PM
To: ntfsd redirect
Subject: [ntfsd] Filter context of file object ?

Hi, all,

does anyone know something about the “FilterContext”
of the file object ? This is the value returned by
IoGetFileObjectFilterContext (WinXP, SP1), which can be written as
following:

PVOID IoGetFileObjectFilterContext(PFILE_OBJECT FileObject) {
if(FileObject->Flags & 0x00800000)
return (FileObject->dwOffs78);
return NULL;
}

I have a problem with it. The file object itself has the size of 0x70
bytes, but the function gets a DWORD value from offset 0x78.

L.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com To unsubscribe
send a blank email to xxxxx@lists.osr.com

OSR_Community_User · January 13, 2004, 1:18am

Thank you very much.

L.

OSR_Community_User · January 15, 2004, 8:11pm

Only file objects that are generated via a call to
IoCreateFileSpecifyDeviceObjectHint() have this file object extension
area.

This is an internal feature of windows and you should not be using it.
Note that future versions of the OS will do this differently.

Is this simply a curiosity question or are you trying to do something
with this?

Neal Christiansen
Microsoft File System Filter Group Lead

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Monday, January 12, 2004 8:09 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Filter context of file object ?

The size of the file object is not germane in this case. Specifically,
note that this flag is the FO_FILE_OBJECT_HAS_EXTENSION flag. Thus, all
they are doing is offseting past the file object into the extension
area; I believe this extension area is private to the OS and is not
available via public symbols.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Monday, January 12, 2004 10:29 PM
To: ntfsd redirect
Subject: [ntfsd] Filter context of file object ?

Hi, all,

does anyone know something about the “FilterContext”
of the file object ? This is the value returned by
IoGetFileObjectFilterContext (WinXP, SP1), which can be written as
following:

PVOID IoGetFileObjectFilterContext(PFILE_OBJECT FileObject) {
if(FileObject->Flags & 0x00800000)
return (FileObject->dwOffs78);
return NULL;
}

I have a problem with it. The file object itself has the size of 0x70
bytes, but the function gets a DWORD value from offset 0x78.

L.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com To unsubscribe
send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · January 16, 2004, 1:17am

> Is this simply a curiosity question or are you trying to do something

with this?

No, I worked on a bug that occured in our filter driver
in cooperation another one above it.
Yes, the file object has been created using
IoCreateFileSpecifyDeviceObjectHint(). In our filter,
we duplicate the file object using

ObCreateObject+ObInsertObject+RtlCopyMemory.

(written long ago, don’t shoot at me :-))

The bug is obvious - if the source file object has the
FO_FILE_OBJECT_HAS_EXTENSION flag set, the target
FO will have it too, but won’t have the extension itself.
The solution is not to copy this flag.

Because I don’t have the newest IFS kit, I didn’t know the
meaning of the flag, I only knew its value and how it’s handled by OS.

L.