Thursday, September 15, 2011

What's New in Win8 for File System Filters

So i guess i'm as excited as everyone about Windows 8 and i figured i'd get the preview and take a look at what's new. I haven't had much time to tinker with it, but here are some highlights of what to expect.

One thing that's been missing from FltMgr since the beginning and the developers have complained about was the ability to filter other devices that have file system semantics, and in particular named pipes (NPFS). It looks like in Win8 that's finally going to happen and we'll finally be able to write minifilters for NPFS. Moreover, it looks like the folks in Redmond went the extra mile and have added support for the Mailslot file system (MSFS) as well:

C:\Windows\system32>fltmc volumes                                                            
Dos Name                        Volume Name                              FileSystem   Status 
------------------------------  ---------------------------------------  ----------  --------
                                \Device\Mup                              Remote              
C:                              \Device\HarddiskVolume2                  NTFS                
                                \Device\HarddiskVolume1                  NTFS                
                                \Device\NamedPipe                        NamedPipe           
                                \Device\Mailslot                         Mailslot            
D:                              \Device\CdRom0                           UDFS        Detached
                                \Device\HarddiskVolumeShadowCopy1        NTFS                
D:                              \Device\CdRom0                           UDFS                

There is even an in-box filter attached to NPFS:

C:\Far>fltmc filters

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                6       328010         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
FileInfo                                6        45000         0

C:\Far>fltmc instances -f npsvctrig

Instances for npsvctrig filter:

Volume Name                              Altitude        Instance Name       Frame  VlStatus
-------------------------------------  ------------  ----------------------  -----  --------
\Device\NamedPipe                          46000     npsvctrig                 0

As you can see there are two more minifilters installed by default (at least in this version). There is npsvctrig, which seems to be (according to the INF file) the "Named pipe service trigger provider". There is also WdFilter, which i couldn't find the INF for but the entry in the services key seems to suggest it's related to some anti-malware protection feature.

One more thing I've done was to look at what's new in fltmgr.sys. It has increased in size from the Win7 version I have by about 15% (on the x86 version), so there's bound to be something interesting in there. Looking at the exports we can see a bunch of new APIs, which i've grouped by name into some categories. Some of them are actually documented in MSDN and I'll leave reading the documentation for them up to you:

FltGetContextsEx
FltReleaseContextsEx

FltGetSectionContext
FltCreateSectionForDataScan
FltRegisterForDataScan
FltCloseSectionForDataScan

FltFastIoMdlReadComplete
FltFastIoMdlWriteComplete
FltFastIoMdlRead
FltFastIoPrepareMdlWrite

FltPrepareToReuseEcp

FltOplockKeysEqual
FltOplockFsctrlEx

FltSetQuotaInformationFile
FltQueryQuotaInformationFile

FltCreateNamedPipeFile
FltCreateMailslotFile

FltGetActivityIdCallbackData
FltSetActivityIdCallbackData

FltEnumerateInstanceInformationByVolumeName
FltEnumerateInstanceInformationByDeviceObject

FltPropagateActivityIdToThread

FltWriteFileEx
FltReadFileEx

Please note that i'm pretty sure i'm barely scratching the surface here, for example some APIs might have changed their parameters and my simple perl script wouldn't be able to figure that out. I'm looking forward to the presentations and new samples in the WDK for these things and I wanted to get everybody as excited as I am.