Hello,
I’m writing a minifilter to redirect new files and changes to existing files
that reside on volumes on certain bus types (e.g., USB or 1394) to shadow
files on another volume (e.g., to a temp directory on the boot volume). The
intention is to restore those shadow files to their original destinations
at a later time. The redirection is being done by changing
TargetFileObject->FileName, setting STATUS_REPARSE/IO_REPARSE, and returning
FLT_PREOP_COMPLETE within the IRP_MJ_CREATE callback. This is very similar
to the redirection used in the article “How to Get There from Here –
Redirecting Create Requests”
(http://www.osronline.com/article.cfm?article=397). It works as expected
and all is well for most of the applications that I’ve tested.
However, something is not quite right because I cannot get some Office 2007
apps to play nice - and I fully expect to find more apps with problems. For
example, if an existing Word document is opened from a targeted volume and
changes are made, when the file is saved, Word displays the following error:
“Word cannot complete the save due to a file permission error.”
I can see that the .docx file is redirected; that’s good. I can also see
that the temp files that Word creates during the save are redirected; that’s
good. However, there is an IRP_MJ_CREATE which fails with
STATUS_PRIVILEGE_NOT_HELD after attempting to open a temp file with desired
access 0x1130089 (FILE_GENERIC_READ | DELETE | ACCESS_SYSTEM_SECURITY);
that’s bad. ACCESS_SYSTEM_SECURITY requires SeSecurityPrivilege, and sure
enough, that privilege is missing. I’ve verified with minispy that no such
create is issued with that desired access if my driver is not running, so
it’s obviously a problem that I’m creating somewhere before this create, but
I’ve not been able to track it down.
Is this an issue that anyone else has encountered? Any ideas otherwise? Am
I wrong to assume that redirecting IRP_MJ_CREATE with
STATUS_REPARSE/IO_REPARSE is enough to ensure that all file creates and
modifications will be redirected from the target volume to my shadow
location?
Thank you,
Jason
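
For reference, the DesiredAccess value quoted in the post (0x1130089) can be split into its individual rights with a small user-mode helper, which also reports any bits that a trace contains but the table does not know. This is an added example, not code from the original poster: the bit values are the winnt.h definitions, and the names `decode_access` and `required_privilege` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* File and standard access-right bits, values as defined in winnt.h. */
typedef struct { uint32_t bit; const char *name; } right_t;
static const right_t RIGHTS[] = {
    {0x00000001u, "FILE_READ_DATA"},       {0x00000002u, "FILE_WRITE_DATA"},
    {0x00000004u, "FILE_APPEND_DATA"},     {0x00000008u, "FILE_READ_EA"},
    {0x00000010u, "FILE_WRITE_EA"},        {0x00000020u, "FILE_EXECUTE"},
    {0x00000040u, "FILE_DELETE_CHILD"},    {0x00000080u, "FILE_READ_ATTRIBUTES"},
    {0x00000100u, "FILE_WRITE_ATTRIBUTES"},{0x00010000u, "DELETE"},
    {0x00020000u, "READ_CONTROL"},         {0x00040000u, "WRITE_DAC"},
    {0x00080000u, "WRITE_OWNER"},          {0x00100000u, "SYNCHRONIZE"},
    {0x01000000u, "ACCESS_SYSTEM_SECURITY"},
};
#define N_RIGHTS (sizeof RIGHTS / sizeof RIGHTS[0])

/* Writes "A | B | ..." into out and returns the bits the table does not
 * cover (generic or reserved bits), so an unexpected mask is not silently
 * reported as fully understood. */
uint32_t decode_access(uint32_t mask, char *out, size_t cap) {
    uint32_t left = mask;
    out[0] = '\0';
    for (size_t i = 0; i < N_RIGHTS; i++) {
        if (!(mask & RIGHTS[i].bit)) continue;
        if (out[0]) strncat(out, " | ", cap - strlen(out) - 1);
        strncat(out, RIGHTS[i].name, cap - strlen(out) - 1);
        left &= ~RIGHTS[i].bit;
    }
    return left;
}

/* ACCESS_SYSTEM_SECURITY is the one bit here that is gated on a privilege
 * rather than on the file's DACL; returns NULL when no privilege is needed. */
const char *required_privilege(uint32_t mask) {
    return (mask & 0x01000000u) ? "SeSecurityPrivilege" : NULL;
}

int main(void) {
    char buf[256];
    uint32_t mask = 0x1130089u;  /* DesiredAccess value quoted in the post */
    uint32_t left = decode_access(mask, buf, sizeof buf);
    const char *priv = required_privilege(mask);
    printf("0x%X = %s\nunknown bits: 0x%X\nprivilege: %s\n",
           mask, buf, left, priv ? priv : "none");
    return 0;
}
```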