OSR Online Lists > ntfsd
  Message 1 of 6  
06 May 18 23:58
support
xxxxxx@vidhvatthamah.com
Join Date: 06 May 2018
Posts To This List: 2
minispy filter IRP_MJ_Create called multiple times

Hi, I'm extending the minispy filter driver, part of the WDK samples, to monitor a folder and send a notification as and when a file is opened. The driver has registered only for IRP_MJ_CREATE, Cleanup and Write. When I open a txt file using notepad, I immediately get a notification with Create and Cleanup. When I close the notepad I again get Create and Cleanup. When I write something in the notepad, close the notepad and select save, I get multiple Create and Cleanup.

My requirement is simple. Whenever a user opens a file a notification has to be sent. Whenever the user closes a file again a notification has to be sent.

Appreciate if someone can help me on this.

Thanks
  Message 2 of 6  
07 May 18 05:10
rod widdowson
xxxxxx@steadingsoftware.com
Join Date: 11 Sep 2006
Posts To This List: 871
minispy filter IRP_MJ_Create called multiple times

Take a look at the stacks when you are called. You will see that everything from your driver up beats on create. A gazillion Win32 calls do opens. Explorer just has to get bored to do an open. Filters do opens.

Procmon or Filespy will help insight...

> My requirement is simple. Whenever a user opens a file a notification has
> to be sent. Whenever the user closes a file again a notification has to be
> sent.

Sounds like you are meeting your requirements. If you are not getting what you expect you need to revisit your requirements, particularly what you mean by "user":
- a Security Principal?
- a logged on entity?
- an application?
- a "session"

and maybe what you mean by "open": Open for read? Open for Write?

Or perhaps "file": Do metadata channels (C:\$Extend) matter? What about directories? System files? Executables?

This is requirements 101.

R
  Message 3 of 6  
07 May 18 22:04
support
xxxxxx@vidhvatthamah.com
Join Date: 06 May 2018
Posts To This List: 2
minispy filter IRP_MJ_Create called multiple times

R,

Thanks for the reply. What I meant by the user is the logged in user who is trying to open a file by double-clicking on it. When double-clicking on a file it is opened for read/write. Any changes made to the file will be saved back.

I understand IRP_MJ_CREATE in a mini-filter is called a gazillion times. I would like to check a file in a particular folder when it is opened and when it is closed. All I need is 2 events. The problem is when the file is opened I get

(When Windows explorer launches notepad.exe with file "d:\test\test.txt")
IRP_MJ_CREATE
IRP_MJ_CLEANUP

(when notepad.exe is closed)
IRP_MJ_CREATE
IRP_MJ_CLEANUP

When I write additional content in the file and save it I get more events. Is there any way to get fewer events? I see the same issue with FileSpy.

Thanks

On Mon, May 7, 2018 at 2:41 PM, Rod Widdowson <xxxxx@steadingsoftware.com> <xxxxx@lists.osr.com> wrote:

> Take a look at the stacks when you are called. You will see that
> everything from your driver up beats on create. A gazillion Win32 calls do
> opens. Explorer just has to get bored to do an open. Filters do opens.
>
> Procmon or Filespy will help insight...
>
>> My requirement is simple. Whenever a user opens a file a notification has
>> to be sent. Whenever the user closes a file again a notification has to be
>> sent.
>>
> <...excess quoted lines suppressed...>
  Message 4 of 6  
08 May 18 01:38
Mike Boucher
xxxxxx@gmail.com
Join Date: 11 Oct 2015
Posts To This List: 11
minispy filter IRP_MJ_Create called multiple times

Not sure I understand the question, but maybe. Your point is that you are getting a create and cleanup twice, once when notepad is opened and again when notepad is closed. You would prefer to get a create when it is opened and a cleanup when it is closed, is that right?

On Mon, May 7, 2018 at 8:03 PM, support <xxxxx@vidhvatthamah.com> <xxxxx@lists.osr.com> wrote:

> R,
>
> Thanks for the reply. What I meant by the user is the logged in user who
> is trying to open a file by double-clicking on it.
> When double-clicking on a file it is opened for read/write. Any changes
> made to the file will be saved back.
>
> I understand IRP_MJ_CREATE in a mini-filter is called a gazillion times. I would
> like to check a file in a particular folder when it is opened and when it is
> closed.
> <...excess quoted lines suppressed...>
  Message 5 of 6  
08 May 18 05:20
NtDev Geek
xxxxxx@gmail.com
Join Date: 09 Aug 2013
Posts To This List: 43
minispy filter IRP_MJ_Create called multiple times

Welcome to the most astonishing world of Windows device drivers. All you want is 2 events and you are getting a lot. This is normal behavior since you are not alone in the system. Why not just try to focus on your open/r/w/close calls; the rest you can bypass, which is easy with a minifilter. You need to learn a lot about how a minifilter works and try to get used to the procmon and filespy utils.

./nT
  Message 6 of 6  
16 May 18 08:46
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 320
minispy filter IRP_MJ_Create called multiple times

> My requirement is simple. Whenever a user opens a file a notification has
> to be sent. Whenever the user closes a file again a notification has to be
> sent.

In Windows "a user" usually means a security access token obtained after a successful user logon, which is then assigned to all the processes/threads that are created by that user. Winlogon.exe usually creates the first "user" process after you login. All of the processes coming from this, usually children of Wininit, will have the same access token unless something like LogonUser/CreateProcessAsUser is done.

Hence: "when a user opens a file" means all the processes/threads created with that access token open a file. A file open = a call to CreateFile. This happens all the time, at least on your Windows installation volume.

What you are seeing at the filesystem filter level is simply threads requesting access to files on different volumes or even the network. The fact that you have a certain expectation about the number of CREATE/CLOSES that should come due to an interactive user-mode GUI action is simply wrong. You can expect sometimes double clicking a file to see 10 creates coming down (indexing services, background processes, other filters, etc. could decide to open the file as a result of the interactive user's action), sometimes none (perhaps because of some form of caching). You cannot make such assumptions when you are writing a filter or you will have a bad time.

I would advise you to redesign your filter taking this into account.
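
The narrowing the replies above ask for (which folder, files versus directories, data access versus attribute-only probes, which application), applied to a constructed trace of creates. This is an added user-mode illustration, not code from any poster or from the minispy sample; the `create_event` record, `count_reportable` and the trace contents are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>

/* Access-mask and create-option bits, values as in the Windows headers. */
#define FILE_READ_DATA       0x0001u
#define FILE_WRITE_DATA      0x0002u
#define FILE_READ_ATTRIBUTES 0x0080u
#define FILE_DIRECTORY_FILE  0x00000001u

/* Hypothetical record of one IRP_MJ_CREATE, as a filter could log it. */
struct create_event {
    const char *process, *path;  /* requestor image name, file name */
    uint32_t access, options;    /* desired access, create options */
};

/* Case-insensitive prefix test (Windows file names ignore case). */
static int prefix_ci(const char *s, const char *p)
{
    while (*p && tolower((unsigned char)*s) == tolower((unsigned char)*p))
        s++, p++;
    return *p == '\0';
}

/* Counts data opens of files (not directories, not attribute-only probes)
 * under folder (ending in '\\'); process == NULL accepts any requestor. */
unsigned count_reportable(const struct create_event *ev, unsigned n,
                          const char *folder, const char *process)
{
    unsigned hits = 0;
    for (unsigned i = 0; i < n; i++) {
        const struct create_event *e = &ev[i];
        if (!prefix_ci(e->path, folder)) continue;
        if (e->options & FILE_DIRECTORY_FILE) continue;
        if (!(e->access & (FILE_READ_DATA | FILE_WRITE_DATA))) continue;
        if (process && !(prefix_ci(e->process, process) &&
                         prefix_ci(process, e->process))) continue;
        hits++;
    }
    return hits;
}

/* Constructed trace: a double-click in Explorer, then a save in Notepad. */
static const struct create_event SAMPLE[] = {
    {"explorer.exe",      "\\test\\test.txt", FILE_READ_ATTRIBUTES, 0},
    {"explorer.exe",      "\\test\\sub", FILE_READ_DATA, FILE_DIRECTORY_FILE},
    {"SearchIndexer.exe", "\\Test\\test.txt", FILE_READ_DATA, 0},
    {"notepad.exe",       "\\test\\test.txt", FILE_READ_DATA, 0},
    {"notepad.exe",       "\\test\\test.txt", FILE_READ_DATA | FILE_WRITE_DATA, 0},
    {"notepad.exe",       "\\other\\a.txt",   FILE_READ_DATA, 0},
};
```

Even restricted to `notepad.exe`, the constructed trace still yields two opens for one editing session, so the count of creates cannot stand in for the count of user actions. In a minifilter the access mask and options come from `Data->Iopb->Parameters.Create`, and because a directory can be opened without `FILE_DIRECTORY_FILE`, a real filter confirms the file type after the create completes.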
All times are GMT -5.