FltCreateFileEx flags in the callback data

I’m running into a problem trying to find values in the callback data that are passed to the FltCreateFile. I have a mini-filter running at the virtualization layer. A driver above mine opens a file with the Flags set of IO_NO_PARAMETER_CHECKING and IO_IGNORE_SHARE_ACCESS_CHECK in a call to IoCreateFileEx as the 14th parameter Options. But when I look at the callback data that is passed to my driver, the flags are nowhere to be found.

Does anyone know where in the callback data I should be able to find these values?

These particular options are swallowed by the I/O Manager, they never make
their way into the underlying IRP that is passed along for the open (note
that some of the Options *are* reflected in the OperationFlags member of the
callback data).

You can check to see if the user specified IO_IGNORE_SHARE_ACCESS_CHECK by
calling IoIsFileObjectIgnoringSharing. Note that this is available on
Vista+, there is no equivalent on XP.

IO_NO_PARAMETER_CHECKING simply sets the requestor mode to be Kernel, which
is usually sufficient (generally all you care about with respect to this is
what level of access checking should be performed, user or kernel).

-scott
OSR

Thanks Scott.

That explains why I couldn’t find the values. It also explains why I thought they should have been in the OperationFlags (where I found others set).

I have verified that I can use the IoIsFileObjectIgnoringSharing on the file object passed in to the create, and now I can properly identify these two flags.

Thanks for the assist. :)

You can check to see if the user specified IO_IGNORE_SHARE_ACCESS_CHECK by
calling IoIsFileObjectIgnoringSharing. Note that this is available on
Vista+, there is no equivalent on XP.

Anyone have any ideas on how to find these flags in XP?

The only place the information is stored is in the undocumented file object
extension. Thus, groveling through undocumented structures is the only way
to know.

-scott
OSR

Note that this only works for local files, not remote ones (IO_IGNORE_SHARE_ACCESS_CHECK is only stored on the local system, it is not sent across the wire).

They’re in the same place (file object extension); it’s just that the API for retrieving them doesn’t exist. While not recommended, for an obsolete OS platform you can probably figure it out from context and then write some code to achieve the same thing.

Tony
OSR

Looking in the debugger at the FileObjectExtension, it appears that it is not always valid in XP. In fact in one of my tests I saw it set to 0x00650072.

Doing some more testing I did find that in the cases where the caller requested IO_IGNORE_SHARE_ACCESS_CHECK the flags field of the file object contained an undocumented flag of 0x800000. On all the other creates that flag was not set.

Can anyone either confirm that that flag does stand for the request to ignore the share access, or state that it stands for something else? Looking in wdm.h it is a flag that is just flat out skipped.

Did you find this post? http://fsfilters.blogspot.com/2012/07/flags-of-fileobjects-part-v.html
I tried to explain what I know there.

Thanks,
Alex.
On Feb 1, 2013, at 8:22 AM, xxxxx@unidesk.com wrote:

Looking in the debugger at the FileObjectExtension, it appears that it is not always valid in XP. In fact in one of my tests I saw it set to 0x00650072.

Doing some more testing I did find that in the cases where the caller requested IO_IGNORE_SHARE_ACCESS_CHECK the flags field of the file object contained an undocumented flag of 0x800000. On all the other creates that flag was not set.

Can anyone either confirm that that flag does stand for the request to ignore the share access, or state that it stands for something else? Looking in wdm.h it is a flag that is just flat out skipped.

