Hello,I read many posts about files names in minifilter, but didn’t find the answer :
-when I try getting files name in preWrite callback sometimes FltGetFileNameInformation() return STATUS_FLT_NAME_CACHE_MISS (for example for files stream Device\MyFile.txt:stream) and sometimes STATUS_FLT_INVALID_NAME_REQUEST…But in postCreate callback I receive file name fine! I try use STREAM_CONTEXT : FltSetStreamContext() in postCreate for files name and than get it in preWrite, but sometimes FltGetContexts() failed!
Also I try to use FILE_OBJECT pointer in postCreate callback as key in files names list and then find by key files name in preWrite, but sometimes FILE_OBJECT in preWrite != FILE_OBJECT in postCreate…
How I can solve this problem?
The general approach taken for tracking file names is to go the route of
stream contexts. Obtain the file name in post-create and set the context
accordingly. Then in pre-write grab the context to determine the file name.
If you are seeing failures in pre-write when retrieving a context it is
most likely because you did not allocate a context for that file in
post-create. There are several cases which this might happen, for
instance if you are not a boot time loaded filter then there could be
files that were opened prior to your filter loading. As well you can’t
track the paging file through the filter mgr’s context package.
Pete
On 10/10/2012 5:11 AM, xxxxx@gmail.com wrote:
Hello,I read many posts about files names in minifilter, but didn’t find the answer :
-when I try getting files name in preWrite callback sometimes FltGetFileNameInformation() return STATUS_FLT_NAME_CACHE_MISS (for example for files stream Device\MyFile.txt:stream) and sometimes STATUS_FLT_INVALID_NAME_REQUEST…But in postCreate callback I receive file name fine! I try use STREAM_CONTEXT : FltSetStreamContext() in postCreate for files name and than get it in preWrite, but sometimes FltGetContexts() failed!
Also I try to use FILE_OBJECT pointer in postCreate callback as key in files names list and then find by key files name in preWrite, but sometimes FILE_OBJECT in preWrite != FILE_OBJECT in postCreate…
How I can solve this problem?
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
Peter Scott, thank you for reply!
I have some problem with minifilter unload :
FILTER VERIFIER ERROR: A filter (Filter = FFFFFA800EC52450 (Minifilter)) leaked references to the following resources:
00000001 Filter Context Structures
00000000 FLT_CALLBACK_DATA structures
00000000 FLT_DEFERRED_IO_WORKITEM structures
00000000 FLT_GENERIC_WORKITEM structures
00000000 FLT_FILE_NAME_INFORMATION structures
00000000 FILE_OBJECT structures
00000000 FLT_OBJECT structures
Type “!fltkd.filter FFFFFA800EC52450 8 1” in the debugger for a list of leaked references
Break, ignore, zap or remove ?
But types “!fltkd.filter FFFFFA800EC52450 8 1” does nothing…
It means that I forgot to call FltReleaseContext() after FltGetStreamContext()?
Did you actually type a ‘b’ where it asks to
Break, ignore, zap or remove?
If you break in, by typing a ‘b’, then you can type in the string
requested to retrieve the necessary information.
Pete
On 10/10/2012 1:22 PM, xxxxx@gmail.com wrote:
Peter Scott, thank you for reply!
I have some problem with minifilter unload :
FILTER VERIFIER ERROR: A filter (Filter = FFFFFA800EC52450 (Minifilter)) leaked references to the following resources:
00000001 Filter Context Structures
00000000 FLT_CALLBACK_DATA structures
00000000 FLT_DEFERRED_IO_WORKITEM structures
00000000 FLT_GENERIC_WORKITEM structures
00000000 FLT_FILE_NAME_INFORMATION structures
00000000 FILE_OBJECT structures
00000000 FLT_OBJECT structures
Type “!fltkd.filter FFFFFA800EC52450 8 1” in the debugger for a list of leaked references
Break, ignore, zap or remove ?
But types “!fltkd.filter FFFFFA800EC52450 8 1” does nothing…
It means that I forgot to call FltReleaseContext() after FltGetStreamContext()?
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295