Hi all,
I observe strange behavior using IO_IGNORE_SHARE_ACCESS_CHECK. The following is a scenario of what I’m doing in my mini-filter:
- Open some file using FltCreateFileEx() with DesiredAccess set to read/write, ShareAccess set to 0 and IO_IGNORE_SHARE_ACCESS_CHECK flag.
- Store FileHandle and FileObject values.
- Call ZwCreateSection() with just returned FileHandle and read/write access.
- Call ZwMapViewOfSection() with returned SectionHandle for read/write access.
- Call ObDereferenceObject() for FileObject.
- Call ZwClose() for SectionHandle.
After this I can freely open this file from user mode applications, and even from notepad.exe which can then successfully perform “Save File” operation for this file.
But when I removed IO_IGNORE_SHARE_ACCESS_CHECK flag from FltCreateFileEx() call, the file became inaccessible from any user mode application, i.e. any open request for this file was failing with STATUS_SHARING_VIOLATION. Strictly speaking, it was the very behavior I was expecting the first time when I was using IO_IGNORE_SHARE_ACCESS_CHECK flag.
So it turns out that this flag affects all possible subsequent opens for a file which was originally opened with no sharing? Or maybe I’m wrong?
In addition one more question: say I created a section for a file and I want to disable all subsequent section creation requests for this file. Are there any documented methods to accomplish this task? Or I can only do it by failing PreAcquireForSectionSynchronization requests or even worse by hooking (only for 32-bit OSes) ZwCreateSection()/ZwMapViewOfSection() calls?
Thanks beforehand. Any suggestions are welcome.
WBR,
Konstantin Manurin