Reading a file in Post Create when STATUS_OPLOCK_BREAK_IN_PROGRESS is returned

Hello,
We have an anti-malware product in which we calculate the hash of the file contents before sending the information (like process name, file path, etc.) to our user mode agent. The user mode service decides based on the hash whether to allow the open request. In each post create, we check for successful status and read the file to calculate the hash. However, I have noticed that if STATUS_OPLOCK_BREAK_IN_PROGRESS is returned and we try to read the file, the call gets stuck (perhaps waiting for the oplock break to occur).
What’s the best strategy to read the file in this case? Obviously, since our decision to allow/disallow the file open depends on the hash, we really need to read the file in the open path.

Thanks,
Tushar

If you see that status in post create it means a few things, which I am not going to go into at great length here, but here are a few things you can do.

First of all, an oplock was already acquired on the file, so the file was previously parsed by you. And now somebody is breaking the oplock; it could be the same process that got the oplock in the first place, and the thread you are in could be the one acknowledging the break. So I am saying you can assume the file is allowed, since it was opened previously and you already allowed it, and after you allowed it, it requested an oplock and it was granted.

You could let the create request go, wait for the oplock break acknowledgment, and “scan” the file there. Just check the oplock semantics doc from Microsoft to see how oplock breaks are acknowledged, more so for enhanced oplocks.

Third, you could deliver the “scan” to a worker thread. Your worker will try to open the file, and the create there will hang, but hang only until the break is acknowledged, and then from the worker thread you could again “scan” the file.

Better yet, understand how oplocks work and be sure to look over the enhanced oplocks introduced later.

Hope this helps. Good luck.


Gabriel Bercea

Windows Kernel Driver Consulting

www.kasardia.com

From: xxxxx@gmail.com

Sent: Thursday, May 5, 17:59

Subject: [ntfsd] Reading a file in Post Create when STATUS_OPLOCK_BREAK_IN_PROGRESS is returned

To: Windows File Systems Devs Interest List


Just a quick completion to the third option, not to misunderstand it somehow. You deliver the scan request to your worker thread, and let the original request go. I guess it goes without saying, but just in case.


Gabriel Bercea

Windows Kernel Driver Consulting

www.kasardia.com

From: xxxxx@kasardia.com

Sent: Thursday, May 5, 18:18

Subject: Re: [ntfsd] Reading a file in Post Create when STATUS_OPLOCK_BREAK_IN_PROGRESS is returned

To: Windows File Systems Devs Interest List


— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at
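
The third option from the replies above (hand the scan to a worker and let the original create go), as an added example that is not code from the thread or from any driver: a user-mode C model of the post-create decision. The status values are those of ntstatus.h; `scan_queue`, `classify_post_create`, `on_post_create` and `next_deferred` are hypothetical names, and the `STATUS_REPARSE` case goes beyond what the thread discusses.

```c
#include <stddef.h>
#include <stdint.h>

/* Values as in ntstatus.h; NTSTATUS is signed, so NT_SUCCESS is a sign test. */
typedef int32_t NTSTATUS;
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#define STATUS_SUCCESS                  ((NTSTATUS)0x00000000)
#define STATUS_REPARSE                  ((NTSTATUS)0x00000104)
#define STATUS_OPLOCK_BREAK_IN_PROGRESS ((NTSTATUS)0x00000108)
#define STATUS_OBJECT_NAME_NOT_FOUND    ((NTSTATUS)0xC0000034)

enum scan_action { SCAN_SKIP, SCAN_INLINE, SCAN_DEFER, SCAN_QUEUE_FULL };

#define QUEUE_CAP 8
struct scan_queue {            /* hypothetical stand-in for queued work items */
    const char *path[QUEUE_CAP];
    size_t head, count;
};

/* What post-create may do with a completed create, by final status. */
enum scan_action classify_post_create(NTSTATUS status)
{
    if (!NT_SUCCESS(status) || status == STATUS_REPARSE)
        return SCAN_SKIP;      /* nothing was opened, so nothing to hash */
    if (status == STATUS_OPLOCK_BREAK_IN_PROGRESS)
        return SCAN_DEFER;     /* passes NT_SUCCESS; the thread reports an inline read hangs */
    return SCAN_INLINE;
}

/* Post-create path: never reads a file whose oplock break is pending. */
enum scan_action on_post_create(struct scan_queue *q, NTSTATUS status,
                                const char *path)
{
    enum scan_action a = classify_post_create(status);
    if (a != SCAN_DEFER)
        return a;
    if (q->count == QUEUE_CAP)
        return SCAN_QUEUE_FULL;    /* caller must not silently drop the scan */
    q->path[(q->head + q->count) % QUEUE_CAP] = path;
    q->count++;
    return SCAN_DEFER;             /* the original create is let go */
}

/* Worker side: next file to open and hash, or NULL when the queue is empty. */
const char *next_deferred(struct scan_queue *q)
{
    if (q->count == 0)
        return NULL;
    const char *p = q->path[q->head];
    q->head = (q->head + 1) % QUEUE_CAP;
    q->count--;
    return p;
}
```

In the model, a check for "successful status" alone lets `STATUS_OPLOCK_BREAK_IN_PROGRESS` through, because it is a success-severity code; the explicit comparison is what routes that create to the worker.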