URL files deleted from IE Favorites folder when folder redirection is enabled.

Hi,

My customer has a setup where he uses folder redirection for IE Favorites by Group Policy for their Active Directory. This means that for all the users in Active Directory, the “favorites” folder is redirected to a file-server.
The customer has installed my filter driver on the file-server. The filter driver intercepts all the file access requests and sends the file for scanning on a remote machine. Based on the scan results, the file is allowed access or deleted.

When the customer tries to save a URL from IE 11, the URL file automatically gets deleted from the file-server. But if he disables my filter driver and tries to save the URL, it is not deleted. Also, this is not seen (i.e. the file is not deleted) for URLs with a favicon. Also, the file is not deleted if it is a txt file (i.e. only .url files are deleted from this folder).
From procmon data, I cannot see my driver deleting the files. I could see srv2.sys and iexplorer deleting the url files.

Who is actually deleting the files here? And why is the file not deleted without my driver? Why does this occur only with .URL files and not with other file types?

Observations:

I ran procmon on the file-server and the user machine. From the file-server procmon logs, it looks like the Microsoft SMB driver is marking the file for delete
(procmon results filtered by “Detail = Delete: True”):

----------------START-----------------------------------------
Process Name Operation Path Result Detail
System SetDispositionInformationFile C:\homes\nara1\Favorites\Nara 2.url SUCCESS Delete: True

0 fltmgr.sys FltpPerformPreCallbacks + 0x31a
1 fltmgr.sys FltpPassThroughInternal + 0x8c
2 fltmgr.sys FltpPassThrough + 0x2b5
3 fltmgr.sys FltpDispatch + 0x9e
4 ntoskrnl.exe NtSetInformationFile + 0x7fa
5 srv2.sys Smb2ExecuteSetInfoReal + 0xcd
6 srv2.sys SrvProcpWorkerThreadProcessWorkItems + 0x18b
7 srv2.sys SrvProcWorkerThreadCommon + 0xc2
8 ntoskrnl.exe ExpWorkerThread + 0x2b5
9 ntoskrnl.exe PspSystemThreadStartup + 0x58
10 ntoskrnl.exe KxStartSystemThread + 0x16
----------------END-------------------------------------------

Procmon from user-machine indicates that IE is marking the file for delete (procmon results filtered by “Detail = Delete: True”):

----------------START-----------------------------------------
Process Name Operation Path Result Detail
iexplore.exe SetDispositionInformationFile C:\Windows\CSC\v2.0.6\namespace\WIN-2012-CLIENT\homes\nara1\Favorites\Nara 6.url SUCCESS Delete: True
iexplore.exe SetDispositionInformationFile \win-2012-client\homes\nara1\Favorites\Nara 6.url SUCCESS Delete: True
iexplore.exe SetDispositionInformationFile C:\Windows\CSC\v2.0.6\namespace\WIN-2012-CLIENT\homes\nara1\Favorites\Nara 6.url SUCCESS Delete: True

1st entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntoskrnl.exe KiServiceLinkage
csc.sys CscSrvOpenCloseStoreState + 0x511
csc.sys CscSrvOpenCloseStoreState + 0x1ef
ntoskrnl.exe KySwitchKernelStackCallout + 0x27
ntoskrnl.exe KiSwitchKernelStackContinue
ntoskrnl.exe KeExpandKernelStackAndCalloutInternal + 0x218
csc.sys CscStorepLowIoCreateFilePoster + 0x19c
csc.sys CscStorepLowIoSetInformationFilePoster + 0x81
csc.sys CscStorepLowIoSetDeleteDisposition + 0x1c
csc.sys CscEnpComputePqQueueCommand + 0x696
csc.sys ?? ::NNGAKEGL::`string' + 0x93e0
csc.sys CscEnFindOrCreateEntry + 0x56
csc.sys CscEnQueryInformationEntry + 0x481
csc.sys CscStoreFindOrCreateEntry + 0x45
csc.sys CscCreate + 0xea7
rdbss.sys RxCollapseOrCreateSrvOpen + 0x232
rdbss.sys RxCreateFromNetRoot + 0x1b0
rdbss.sys RxCommonCreate + 0x1bd
rdbss.sys RxFsdCommonDispatch + 0x56e
rdbss.sys RxFsdDispatch + 0xcf
mrxsmb.sys MRxSmbFsdDispatch + 0x83
mup.sys MupiCallUncProvider + 0xc2
mup.sys MupCreate + 0x5f8
fltmgr.sys FltpLegacyProcessingAfterPreCallbacksCompleted + 0x258
fltmgr.sys FltpCreate + 0x342
ntoskrnl.exe IopParseDevice + 0x7b3
ntoskrnl.exe ObpLookupObjectName + 0x6d8
ntoskrnl.exe ObOpenObjectByName + 0x1e3
ntoskrnl.exe IopCreateFile + 0x372
ntoskrnl.exe NtCreateFile + 0x78
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwCreateFile + 0xa
KERNELBASE.dll CreateFileInternal + 0x30a
KERNELBASE.dll CreateFileW + 0x66
IEFRAME.dll CInternetShortcutPropertyStore::SaveEx + 0xb2
IEFRAME.dll CInternetShortcut::SaveToFile + 0x45
IEFRAME.dll CInternetShortcut::Save + 0x106
IEFRAME.dll PersistShortcut + 0x3e
IEFRAME.dll CreateNewFavorite + 0xa2
IEFRAME.dll CreateShortcutInDirEx + 0x178
IEFRAME.dll AddToFavoritesEx + 0x4d0
IEFRAME.dll CShdocvwBroker::CAddToFavoritesEx::STAFunction + 0x8a
IEFRAME.dll CShdocvwBroker::CSTAWorkItem<tagofnw>::_ThreadProc + 0x2d
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d

2nd entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwSetInformationFile + 0xa
KERNELBASE.dll BaseMarkFileForDelete + 0xa7
KERNELBASE.dll BasepCopyFileExW + 0x1329
KERNELBASE.dll CopyFileExW + 0xbc
KERNEL32.DLL CopyFileW + 0x22
IEFRAME.dll CInternetShortcut::Save + 0xf1
IEFRAME.dll CFaviconDownloader::_SaveInfoToFavorite + 0x26e45e
IEFRAME.dll CFaviconDownloader::_SaveInfoToStores + 0x51
IEFRAME.dll CFaviconDownloader::_DoUpdateIcon + 0xc5
IEFRAME.dll CFaviconDownloader::UpdateFavicon + 0x10d
IEFRAME.dll UpdateFavoriteIcon + 0xb1
IEFRAME.dll DownloadAndAddIcon + 0x156
IEFRAME.dll CreateNewFavorite + 0x19d
IEFRAME.dll CreateShortcutInDirEx + 0x178
IEFRAME.dll AddToFavoritesEx + 0x4d0
IEFRAME.dll CShdocvwBroker::CAddToFavoritesEx::STAFunction + 0x8a
IEFRAME.dll CShdocvwBroker::CSTAWorkItem<tagofnw>::_ThreadProc + 0x2d
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d

3rd entry callstack:
fltmgr.sys FltpPerformPreCallbacks + 0x31a
fltmgr.sys FltpPassThroughInternal + 0x8c
fltmgr.sys FltpPassThrough + 0x2be
fltmgr.sys FltpDispatch + 0x9e
ntoskrnl.exe NtSetInformationFile + 0x7fa
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntoskrnl.exe KiServiceLinkage
csc.sys CscSrvOpenCloseStoreState + 0x511
csc.sys CscStorepLowIoCreateFilePoster + 0x1c3
csc.sys CscStorepLowIoSetInformationFilePoster + 0x81
csc.sys CscStorepLowIoSetDeleteDisposition + 0x1c
csc.sys CscEnpComputePqQueueCommand + 0x696
csc.sys ?? ::NNGAKEGL::`string' + 0x93e0
csc.sys CscEnFindOrCreateEntry + 0x56
csc.sys CscEnQueryInformationEntry + 0x481
csc.sys CscStoreFindOrCreateEntry + 0x45
csc.sys CscQueryDirOpenAndUpdateEntry + 0x2d2
csc.sys CscQueryDirStitchSingleEntry + 0x294
csc.sys CscQueryDirStitchRemoteBuffer + 0x50
csc.sys CscQueryDirOnlineAndUpdateCache + 0x155
csc.sys ?? ::NNGAKEGL::`string' + 0x791
rdbss.sys RxQueryDirectory + 0x3e8
rdbss.sys RxCommonDirectoryControl + 0x94
rdbss.sys RxFsdCommonDispatch + 0x56e
rdbss.sys RxFsdDispatch + 0xcf
mrxsmb.sys MRxSmbFsdDispatch + 0x83
mup.sys MupFsdIrpPassThrough + 0x1ee
fltmgr.sys FltpLegacyProcessingAfterPreCallbacksCompleted + 0x258
fltmgr.sys FltpDispatch + 0xb6
ntoskrnl.exe NtQueryDirectoryFile + 0x1c0
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntdll.dll ZwQueryDirectoryFile + 0xa
SHELL32.dll CEnumFiles::_InitEnumeration + 0x193
SHELL32.dll CFSFolder::ParseDisplayName + 0x7ec
IEFRAME.dll CNscChangeNotifyTask::_IdlRealFromIdlSimple + 0xda
IEFRAME.dll CNscChangeNotifyTask::InternalResumeRT + 0x19
IEFRAME.dll CRunnableTask::Run + 0x5f
IEFRAME.dll CShellTaskThread::ThreadProc + 0xac
IEFRAME.dll CShellTaskThread::s_ThreadProc + 0x22
IEFRAME.dll ExecuteWorkItemThreadProc + 0x3c
ntdll.dll RtlpTpWorkCallback + 0x121
ntdll.dll TppWorkerThread + 0x81a
KERNEL32.DLL BaseThreadInitThunk + 0xd
ntdll.dll RtlUserThreadStart + 0x1d
----------------END-------------------------------------------

Thanks for your time.
Kunal