FltQueryDirectoryFile missing

OSR_Community_User · March 24, 2005, 10:34am

It appears there is no FltQueryDirectoryFile routine.

Are there plans for it?

Would there be any negative consequences to using ZwQueryDirectoryFile on a
handle opened with FltCreateFileEx?

Thanks,

Dan.

OSR_Community_User · March 24, 2005, 10:39am

We’d love to hear from Neal and/or Molly on this, but I suspect it is
because ZwQueryDirectoryFile() isn’t supported on Windows 2000. That’s
probably the underlying function that FltQueryDirectoryFile would need to
call, and if it’s not available…

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Kyler
Sent: Thursday, March 24, 2005 10:34 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FltQueryDirectoryFile missing

It appears there is no FltQueryDirectoryFile routine.

Are there plans for it?

Would there be any negative consequences to using ZwQueryDirectoryFile on a
handle opened with FltCreateFileEx?

Thanks,

Dan.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · March 24, 2005, 10:53am

> We’d love to hear from Neal and/or Molly on this, but I suspect it is

because ZwQueryDirectoryFile() isn’t supported on Windows 2000.

???

This is from w2k SP4:

C:\WINNT\system32>dumpbin /exports ntoskrnl.exe | grep -i directo
221 C6 00099A32 FsRtlNotifyChangeDirectory
223 C8 00099A5A FsRtlNotifyFullChangeDirectory
556 225 000E6626 LdrFindResourceDirectory_U
665 292 000A6380 NtNotifyChangeDirectoryFile
669 296 000A6320 NtQueryDirectoryFile
879 36A 00059A12 RtlImageDirectoryEntryToData
1066 429 0002EAF4 ZwCreateDirectoryObject
1093 444 0002EF28 ZwOpenDirectoryObject
1108 453 0002F0E8 ZwQueryDirectoryFile
1109 454 0002F0F8 ZwQueryDirectoryObject

Nt(Zw)QueryDirectoryFile is a fundamental important syscall used in all NTs to
underly FindFirst(Next)File.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Jon_Anglin · March 24, 2005, 10:56am

Just roll your own with what you to have!
– Jon Anglin

NTSTATUS
FltQueryDirectoryFile(
IN PFLT_INSTANCE InitiatingInstance,
IN PFILE_OBJECT FileObject,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan
)
{
NTSTATUS status;
PFLT_CALLBACK_DATA CallbackData;
PFLT_PARAMETERS Params;

ASSERT(NULL != InitiatingInstance);
ASSERT(NULL != IoStatusBlock);
ASSERT(NULL != FileInformation);
ASSERT(Length > 0);

status = FltAllocateCallbackData( InitiatingInstance,
FileObject,
&CallbackData );
if (!NT_SUCCESS(status)) {

IoStatusBlock->Status = status;
IoStatusBlock->Information = 0;

return status;
}

CallbackData->Iopb->MajorFunction = IRP_MJ_DIRECTORY_CONTROL;
CallbackData->Iopb->MinorFunction = IRP_MN_QUERY_DIRECTORY;

if (RestartScan) {

SetFlag(CallbackData->Iopb->OperationFlags, SL_RESTART_SCAN);
}

if (ReturnSingleEntry) {

SetFlag(CallbackData->Iopb->OperationFlags, SL_RETURN_SINGLE_ENTRY);
}

Params = &CallbackData->Iopb->Parameters;
Params->DirectoryControl.QueryDirectory.Length = Length;
Params->DirectoryControl.QueryDirectory.FileName = FileName;
Params->DirectoryControl.QueryDirectory.FileInformationClass =
FileInformationClass;
Params->DirectoryControl.QueryDirectory.DirectoryBuffer = FileInformation;
Params->DirectoryControl.QueryDirectory.MdlAddress = NULL;

FltPerformSynchronousIo(CallbackData);

IoStatusBlock->Status = CallbackData->IoStatus.Status;
IoStatusBlock->Information = CallbackData->IoStatus.Information;
status = IoStatusBlock->Status;

FltFreeCallbackData(CallbackData);

return status;

} // FltQueryDirectoryFile

“Dan Kyler” wrote in message news:xxxxx@ntfsd…
> It appears there is no FltQueryDirectoryFile routine.
>
> Are there plans for it?
>
> Would there be any negative consequences to using ZwQueryDirectoryFile on
> a handle opened with FltCreateFileEx?
>
> Thanks,
> - Dan.
>
>

OSR_Community_User · March 24, 2005, 11:08am

Hmm … from the documentation for ZwQueryDirectoryFile: “This routine is
available on MicrosoftR WindowsR XP and later.”

I never actually tried to use it on Win2K. If it really is there, that’d be
great, but the docs sure need to be updated.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Thursday, March 24, 2005 10:56 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] FltQueryDirectoryFile missing

We’d love to hear from Neal and/or Molly on this, but I suspect it is
because ZwQueryDirectoryFile() isn’t supported on Windows 2000.

???

This is from w2k SP4:

C:\WINNT\system32>dumpbin /exports ntoskrnl.exe | grep -i directo
221 C6 00099A32 FsRtlNotifyChangeDirectory
223 C8 00099A5A FsRtlNotifyFullChangeDirectory
556 225 000E6626 LdrFindResourceDirectory_U
665 292 000A6380 NtNotifyChangeDirectoryFile
669 296 000A6320 NtQueryDirectoryFile
879 36A 00059A12 RtlImageDirectoryEntryToData
1066 429 0002EAF4 ZwCreateDirectoryObject
1093 444 0002EF28 ZwOpenDirectoryObject
1108 453 0002F0E8 ZwQueryDirectoryFile
1109 454 0002F0F8 ZwQueryDirectoryObject

Nt(Zw)QueryDirectoryFile is a fundamental important syscall used in all NTs
to
underly FindFirst(Next)File.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · March 24, 2005, 11:22am

There may be no prototype for ZwQueryDirectoryFile on W2K, but it certainly
exists.

I doubt the FltXXX I/O functions call Zw functions, because they take a
file object rather than a handle. Most likely they roll Irps. There’s
nothing to prevent rolling a IRP_MJ_DIRECTORY_CONTROL Irp on W2K. My
legacy filter does it even on NT4.

Dan.

At 10:39 AM 3/24/2005 -0500, you wrote:

We’d love to hear from Neal and/or Molly on this, but I suspect it is
because ZwQueryDirectoryFile() isn’t supported on Windows 2000. That’s
probably the underlying function that FltQueryDirectoryFile would need to
call, and if it’s not available…

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Kyler
Sent: Thursday, March 24, 2005 10:34 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FltQueryDirectoryFile missing

It appears there is no FltQueryDirectoryFile routine.

Are there plans for it?

Would there be any negative consequences to using ZwQueryDirectoryFile on a
handle opened with FltCreateFileEx?

Thanks,

Dan.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@privtek.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · March 24, 2005, 11:26am

Thanks, Jon. That looks like a good solution.

Dan.

At 10:56 AM 3/24/2005 -0500, you wrote:

Just roll your own with what you to have!
– Jon Anglin

NTSTATUS
FltQueryDirectoryFile(
IN PFLT_INSTANCE InitiatingInstance,
IN PFILE_OBJECT FileObject,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan
)
{
NTSTATUS status;
PFLT_CALLBACK_DATA CallbackData;
PFLT_PARAMETERS Params;

ASSERT(NULL != InitiatingInstance);
ASSERT(NULL != IoStatusBlock);
ASSERT(NULL != FileInformation);
ASSERT(Length > 0);

status = FltAllocateCallbackData( InitiatingInstance,
FileObject,
&CallbackData );
if (!NT_SUCCESS(status)) {

IoStatusBlock->Status = status;
IoStatusBlock->Information = 0;

return status;
}

CallbackData->Iopb->MajorFunction = IRP_MJ_DIRECTORY_CONTROL;
CallbackData->Iopb->MinorFunction = IRP_MN_QUERY_DIRECTORY;

if (RestartScan) {

SetFlag(CallbackData->Iopb->OperationFlags, SL_RESTART_SCAN);
}

if (ReturnSingleEntry) {

SetFlag(CallbackData->Iopb->OperationFlags, SL_RETURN_SINGLE_ENTRY);
}

Params = &CallbackData->Iopb->Parameters;
Params->DirectoryControl.QueryDirectory.Length = Length;
Params->DirectoryControl.QueryDirectory.FileName = FileName;
Params->DirectoryControl.QueryDirectory.FileInformationClass =
FileInformationClass;
Params->DirectoryControl.QueryDirectory.DirectoryBuffer = FileInformation;
Params->DirectoryControl.QueryDirectory.MdlAddress = NULL;

FltPerformSynchronousIo(CallbackData);

IoStatusBlock->Status = CallbackData->IoStatus.Status;
IoStatusBlock->Information = CallbackData->IoStatus.Information;
status = IoStatusBlock->Status;

FltFreeCallbackData(CallbackData);

return status;

} // FltQueryDirectoryFile

“Dan Kyler” wrote in message news:xxxxx@ntfsd…
> > It appears there is no FltQueryDirectoryFile routine.
> >
> > Are there plans for it?
> >
> > Would there be any negative consequences to using ZwQueryDirectoryFile on
> > a handle opened with FltCreateFileEx?
> >
> > Thanks,
> > - Dan.
> >
> >
>
>
>
>—
>Questions? First check the IFS FAQ at
>https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@privtek.com
>To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · March 24, 2005, 1:41pm

> Hmm … from the documentation for ZwQueryDirectoryFile: "This routine is

available on MicrosoftR WindowsR XP and later."

Microsoft’s policy visible from this text is really amazing.

They decided to document the syscall at last. But why saying “it is supported
since XP?”, if, in the reality, it is supported since at least NT4, if not NT
3.1?

The usual explanation on why MS does not document something is “we want to have
some room for ourselves for possible future changes”. But sorry, if
ZwQueryDirectoryFile is documented for “XP and later”, it is now carved in
stone and cannot be changed. Also note that w2k and NT4 will not change too due
to being old and more-or-less obsolete.

So, why MS did not say us that this routine is very well existing since NT4?

Another good undocumented routine - PsLookupProcessByProcessId. It exists from
NT4 up to w2k3 with the same prototype and semantics.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

OSR_Community_User · March 25, 2005, 1:05am

Yes, we will be adding a FltQueryDirectoryFile API to filter manager in
the future. The only reason it is not currently implemented is due to
our limited resources and prioritizing everything else we needed to do
to get filter manager released.

The implementation that Jon gave is correct and looks almost exactly how
we would implement it ourselves (nice work). Internally we do not call
Zw APIs to implement the Flt routines; we generate a callback data
structure as Jon did.

Let me answer some of the previous questions on this thread:

Dan asked if it would be ok to call ZwQueryDirectoryFile. The answer
to that question is: it depends. One of our goals with filters has been
to eliminate recursive IO. If you were to call ZwQueryDirectoryFile on
a file object that is simply passed to you as part of an operation then
the request would go to the top of the IO stack and come back through
your filter. In this scenario we would recommend against calling
ZwQueryDirectoryFile. Had the file been opened targeted by your filter
with IoCreateFileSpecifyDeviceObjectHint (for legacy filters) or
FltCreateFile then ZwQueryDirectoryFile would have been fine. All
operations to a file object opened targeted are implicitly targeted;
even if you call Zw APIs. The advantage you have with the Flt APIs is
that they support targeted operations for file objects that were not
originally opened targeted.
As has been pointed out, ZwQueryDirectoryFile does exist in W2K and
NT4 as well as NT3x. The original policy for NTIF.H was to only put the
bare minimum that was necessary into it. When Molly and I joined
Microsoft (several months before w2K was released) we started addressing
these oversights (like adding many missing Zw API’s to NTIFS.H) and
adding new functionality to the system to better support filters. These
changes were first released in XP. The problem we have with the
documentation and why the docs say this API exists in XP and later is
that they only want to document what is defined in NTIFS.H for each OS
release. If you go look at your latest IFSKit you will see that the W2K
version of NTIFS.H does not have ZwQueryDirectoryFile but the XP and
later versions do. This is why the docs are the way they are.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Kyler
Sent: Thursday, March 24, 2005 8:26 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] FltQueryDirectoryFile missing

Thanks, Jon. That looks like a good solution.

Dan.

At 10:56 AM 3/24/2005 -0500, you wrote:

Just roll your own with what you to have!
– Jon Anglin

NTSTATUS
FltQueryDirectoryFile(
IN PFLT_INSTANCE InitiatingInstance,
IN PFILE_OBJECT FileObject,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan
)
{
NTSTATUS status;
PFLT_CALLBACK_DATA CallbackData;
PFLT_PARAMETERS Params;

ASSERT(NULL != InitiatingInstance);
ASSERT(NULL != IoStatusBlock);
ASSERT(NULL != FileInformation);
ASSERT(Length > 0);

status = FltAllocateCallbackData( InitiatingInstance,
FileObject,
&CallbackData );
if (!NT_SUCCESS(status)) {

IoStatusBlock->Status = status;
IoStatusBlock->Information = 0;

return status;
}

CallbackData->Iopb->MajorFunction = IRP_MJ_DIRECTORY_CONTROL;
CallbackData->Iopb->MinorFunction = IRP_MN_QUERY_DIRECTORY;

if (RestartScan) {

SetFlag(CallbackData->Iopb->OperationFlags, SL_RESTART_SCAN);
}

if (ReturnSingleEntry) {

SetFlag(CallbackData->Iopb->OperationFlags,
SL_RETURN_SINGLE_ENTRY);
}

Params = &CallbackData->Iopb->Parameters;
Params->DirectoryControl.QueryDirectory.Length = Length;
Params->DirectoryControl.QueryDirectory.FileName = FileName;
Params->DirectoryControl.QueryDirectory.FileInformationClass =
FileInformationClass;
Params->DirectoryControl.QueryDirectory.DirectoryBuffer =
FileInformation;
Params->DirectoryControl.QueryDirectory.MdlAddress = NULL;

FltPerformSynchronousIo(CallbackData);

IoStatusBlock->Status = CallbackData->IoStatus.Status;
IoStatusBlock->Information = CallbackData->IoStatus.Information;
status = IoStatusBlock->Status;

FltFreeCallbackData(CallbackData);

return status;

} // FltQueryDirectoryFile

“Dan Kyler” wrote in message news:xxxxx@ntfsd…
> > It appears there is no FltQueryDirectoryFile routine.
> >
> > Are there plans for it?
> >
> > Would there be any negative consequences to using
ZwQueryDirectoryFile on
> > a handle opened with FltCreateFileEx?
> >
> > Thanks,
> > - Dan.
> >
> >
>
>
>
>—
>Questions? First check the IFS FAQ at
>https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@privtek.com
>To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com