First File System Filter Driver - Legacy or Filter Manager

Hi,

So I’m going to write a small simple free utility using a file system filter driver, first file system driver (done device filters and legacy driver in past), looked years ago at legacy sample and seemed straightforward for basic stuff. Looking things up now they say something about a “Filter Manager”, is that the way to go now? Are there samples using that as well?

TIA!!

All of the samples are now minifilters using the Filter Manager, it is
definitely the way to go.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@terabyteunlimited.com
Sent: Monday, October 02, 2017 6:46 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] First File System Filter Driver - Legacy or Filter Manager

Hi,

So I’m going to write a small simple free utility using a file system filter
driver, first file system driver (done device filters and legacy driver in
past), looked years ago at legacy sample and seemed straightforward for
basic stuff. Looking things up now they say something about a “Filter
Manager”, is that the way to go now? Are there samples using that as well?

TIA!!



Legacy filters are dead, you want to write a Filter Manager Minifilter. Samples are here:

https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter

If you give a high level description of what you’re trying to do we might be able to guide you further.

-scott
OSR
@OSRDrivers

basically make existing files in a directory read-only (abort any attempted open that isn’t read only, including delete requests), but allow new files to be created. Then a way to allow deletes when wanted.

> basically make existing files in a directory read-only (abort any
> attempted open that isn’t read only, including delete requests), but
> allow new files to be created. Then a way to allow deletes when wanted.

I’d absolutely suggest that you do this with a minifilter, but this is
almost a perfect example of something which appears really easy (look at the
desired access and respond) and turns out to have a whole bunch of issues…

https://xkcd.com/1425/

What you want to do is (of course) possible but you need to think about the
following:

  • What are you going to do about dispositions like FILE_OPEN_IF? (create a
    file if it doesn’t exist). It may seem that there is a trick you can play
    by looking at the Information field in post create and if the file hasn’t
    been created cancel the create. But lower filters will have seen the open
    and may have already written to the file. Also, read on.

  • What are you going to do about the destructive dispositions? Are they
    write access (as I recall they do not require write access).

  • FILE_OVERWRITE_IF combines both these problems. A successful open of an
    existing file will have erased it so doing a FltCancelOpen is too late.

  • Delete on close is another case to worry about.

  • And then there are all the ways of deleting a file which do not involve
    opening it for write (destructive link creation and rename spring to mind
    but there may be others)

  • Finally you might be surprised by the bone headed way many applications
    work. Several will create a file, close it and then reopen it for write.
    By your rules the second open will be denied, but I’ll bet you that the
    application will complain. Often enough you’ll discover that it won’t even
    check that the second open worked…

So, this is all possible to do, but it will involve a great deal of work
and I’ll bet you end up hitting performance (so add some “allowable
performance” metrics to your requirements).
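
The disposition cases listed in the reply above can be written down as a decision table. The following is an added example, not code from the thread or from the Microsoft samples: a user-mode C sketch of the check a pre-create callback would make, where `classify_create`, `verdict_t` and the `MODIFY_ACCESS` mask are hypothetical names and choices. It covers opens only; renames, link creation and other set-information paths mentioned above are outside it.

```c
#include <stdint.h>

/* Values as defined in the Windows headers (wdm.h / winnt.h). */
#define FILE_SUPERSEDE       0u
#define FILE_OPEN            1u
#define FILE_CREATE          2u
#define FILE_OPEN_IF         3u
#define FILE_OVERWRITE       4u
#define FILE_OVERWRITE_IF    5u
#define FILE_DELETE_ON_CLOSE 0x00001000u

/* Rights this sketch treats as "not read only" (the choice of mask is an
   assumption): FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA,
   FILE_WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER, MAXIMUM_ALLOWED,
   GENERIC_ALL, GENERIC_WRITE. */
#define MODIFY_ACCESS (0x2u | 0x4u | 0x10u | 0x100u | 0x10000u | 0x40000u | \
                       0x80000u | 0x02000000u | 0x10000000u | 0x40000000u)

/* DENY_IF_EXISTS: the outcome depends on whether the file is already there,
   which must be settled before the open reaches the file system (cancelling
   afterwards is too late for the destructive dispositions). Not shown here. */
typedef enum { ALLOW, DENY, DENY_IF_EXISTS } verdict_t;

/* options: packed as IRP_MJ_CREATE carries it, disposition in the high
   8 bits and create options in the low 24. desired_access: requested mask. */
verdict_t classify_create(uint32_t options, uint32_t desired_access)
{
    uint32_t disposition = (options >> 24) & 0xFFu;
    int modifies = (desired_access & MODIFY_ACCESS) != 0 ||
                   (options & FILE_DELETE_ON_CLOSE) != 0;

    switch (disposition) {
    case FILE_CREATE:        /* fails if the file exists: only makes new files */
        return ALLOW;
    case FILE_OVERWRITE:     /* fails unless the file exists: always destructive */
        return DENY;
    case FILE_SUPERSEDE:     /* replaces an existing file or creates a new one; */
    case FILE_OVERWRITE_IF:  /* judged here regardless of the requested access  */
        return DENY_IF_EXISTS;
    case FILE_OPEN:          /* existing file only */
        return modifies ? DENY : ALLOW;
    case FILE_OPEN_IF:       /* existing or new: a write request is fine if new */
        return modifies ? DENY_IF_EXISTS : ALLOW;
    default:                 /* unknown disposition: fail closed */
        return DENY;
    }
}
```
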