Of Filesystems And Other Demons: comments feed (updated 2024-03-12T22:24:25.119-07:00)
Blog author: Anonymous (http://www.blogger.com/profile/04456600991354270152)

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2013-08-14T10:24:09.392-07:00:
If I remember correctly there are several 'correct' network paths, some of which include the mapped drive letter. I don't have a list handy and I can't seem to be able to find them listed anywhere. Anyway, from what I remember a name that looks something like: "\Device\LanmanRedirector\;X:000000000000abce\foo\bar" is valid. So what name exactly are you seeing?

If what bothers you is that the behavior seems to change when your filter is added into the mix, I'm afraid you'll probably have to debug it yourself. I've done this and it usually helps to print all the names that your filter sees and generates and such.

Anonymous, 2013-08-13T23:43:25.303-07:00:
Yes, I forgot to point this out, it happens exactly for network filesystems. As I wrote before, the "normalized" name, which the upper filter gets, still contains the disk letter for a mapped share. Is there something special about name providers on network filesystems?

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2013-08-13T18:23:34.563-07:00:
Well, you could implement something based on observed FltMgr behavior but you'll probably need some hacks (which you might be OK with, depending on your particular requirements).
If I remember correctly FltMgr will do things a bit differently when a name provider minifilter is present, however I'm not sure what is happening to trigger the behavior you observed. Does your minifilter attach to network filesystems? In general there already is a name provider minifilter loaded on the system, LUAFV, so your minifilter shouldn't change behavior too much, except if attached to a network filesystem...

Anonymous, 2013-08-12T07:42:33.495-07:00:
Thanks for the answer. It seems that there is no 100% way, but as I could notice on Windows 7, fltmgr sets up FILE_OPEN_FOR_BACKUP_INTENT for name-construction creates.
Now I got into a new issue: it seems that the very presence of my name provider in the system somehow changes the fltmgr behaviour for minifilters "above" my name provider. If an upper minifilter asks for normalized name for a network path, it gets it in opened format (i.e. the mapped by net use share has the disk letter in the resulting path). Is it something with my name provider callbacks or just a part of how fltmgr works?

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2013-08-06T17:47:41.015-07:00:
As far as I know there isn't a reliable way. You could implement some fancy heuristic I suppose. But I'd say don't bother, name normalization is much faster in Win8 and doesn't make much use of this path so it's probably not worth the effort.

Anonymous, 2013-08-06T08:13:48.021-07:00:
Alex, thank you for the guide! I have a question: is there a way to separate "additional" IRP_MJ_CREATE, which I get as a name provider from "usual" ones? This will be helpful to reduce overhead from double checking the requests.

Anonymous, 2013-06-05T10:39:31.399-07:00:
Thanks for the quick response and for the link! I will try to use this solution in my case.
Actually solution for Win8 is enough for me. I have a problem with my minifilter which redirects page file to another volume. In this case Windows remembers the full path to the page file which includes the name of this volume and then is trying to access this path at boot time, when my driver is not started yet and there is no my volume object. This problem occurs only in Windows 8.

Thank you!

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2013-06-05T08:40:04.749-07:00:
Well, for Win8 you can use the ECP technique as described here: http://fsfilters.blogspot.com/2012/02/reparsing-to-different-volume-in-win7.html.

For older Windows versions (pre-Win8) I don't know a good generic solution that doesn't involve looking at undocumented structures :(. I've generally been able to work around the issue by ignoring the create that got the STATUS_REPARSE and the new create that comes in. Of course, one might have a requirement that "the file should be processed only when it comes through this volume mount point no matter where the file is actually located" but personally I've yet to see a case where this is necessary.

Thanks,
Alex.

Anonymous, 2013-06-05T08:25:35.445-07:00:
Alex, thanks for the very interesting blog!
Btw do you know a solution how to return correct file path, including volume name, in case of cross-volume reparse?

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2013-01-23T17:43:27.173-08:00:
I don't know about the crash, did you initialize the FILE_LOCK properly? Also, please note that it's ok for FltProcessFileLock to return STATUS_PENDING, see http://www.osronline.com/showThread.CFM?link=105826. You don't need to deal with this yourself, you should return the status to the caller.
I would recommend looking at the FastFat source to see how a file system deals with this. What a minifilter that owns the FILE_OBJECT needs to do is very similar to that.

Thanks,
Alex.

Sridhar Uyyala (https://www.blogger.com/profile/08470251387315114863), 2013-01-22T16:39:23.949-08:00:
Hi Alex, I am implementing ByteRange Lock support for minifilter (which is layered FS and owns the FileObject). Wondering if FltProcessFileLock() is the right approach to support IRP_MJ_LOCK_CONTROL. When implementing this my minifilter keeps on crashing in FltProcessFileLock (when it is trying to complete the IRP). And sometimes this function pends the IO operation, is there any way to deal with this?

Anonymous, 2012-12-21T09:46:50.034-08:00:
This API is now documented. No need to worry about it changing.

http://msdn.microsoft.com/en-us/library/windows/hardware/jj569382%28v=vs.85%29.aspx

Anonymous (https://www.blogger.com/profile/14686674500164093371), 2012-12-03T04:05:47.023-08:00:
Alex, great article! Thank you! But what about the case when the FltGetFileNameInformationUnsafe routine is called at APC_LEVEL or inside the guarded region (and its description really claims IRQL: <= APC_LEVEL), for instance, as a part of processing LoadImageNotifyCallback? In this case calling FltCreateFile(Ex2) and FltQueryDirectoryFile will either hang the system or trigger the Driver Verifier. As I remember, the latter callback routine is always called at APC_LEVEL (on Windows versions prior to Vista or Server 2003) or inside the guarded region (on Windows Vista and beyond). And here's the real case - Sysinternals ProcMon utility, but of course, there should be some minifilter with a name provider installed in the system.

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2012-12-01T12:19:50.298-08:00:
Hi Yorath,

You cannot do that with a minifilter (the file system is not a minifilter and so it doesn't have an instance). Moreover, this is generally not a good idea because you don't know what the filesystem actually looks like (it is possible that a filter below yours encrypts the file contents or the file names or even the FILE_OBJECT and so you could end up causing a bugcheck or worse, data corruption).

Thanks,
Alex.

Anonymous (https://www.blogger.com/profile/09178102353627576317), 2012-11-25T03:07:20.412-08:00:
Thanks for the excellent article. I have a question about it: when you allocate callbackdata using FltAllocateCallbackData(), you specify an instance that is initiating the IO. And the instances attached below the specified instance can receive this IRP. Is there a way to send this IRP to FS directly and bypass all the filters? Thanks a lot.

rsp_in_ma (https://www.blogger.com/profile/15310508394213033026), 2012-11-04T15:18:23.285-08:00:
Further to Alex's statement "...once a filter is loaded it is associated with a frame and it can only create instances at altitudes within that frame...": This means if your minifilter has a default instance with altitude of, say, 3045000 then it cannot have other instances at greater altitudes of, say, 3045000.1. Once the minifilter is loaded, the default altitude sets the upper bound for all other instances' altitudes. If you try to explicitly attach an instance with FltAttachVolume or FltAttachVolumeAtAltitude, the function will fail with STATUS_NOT_SUPPORTED (0xC00000BBL). (This error code provides no hint as to the problem!)
If you provide an InstanceSetup callback, it is never called for any instances that you might specify in the registry but which have a "too high" altitude. -- Robert Phillips, Citrix Systems, Inc.

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2012-11-02T11:15:12.176-07:00:
Hmm, not sure what to say. According to the documentation for PFLT_NORMALIZE_NAME_COMPONENT_EX (http://msdn.microsoft.com/en-us/library/windows/hardware/ff551105(v=vs.85).aspx) the FileObject is an _In_ parameter, so it's not optional. I use the same code and haven't seen any issues. Could you perhaps send me a stack trace (offline, you should be able to find my email address in my contact information)?

Anonymous, 2012-10-29T02:20:13.674-07:00:
Great post, thanks. Hard to find good information on minifilters, your blog seems to be a never ending source of it :). However, I think you're missing a NULL check:

    txnParameter = IoGetTransactionParameterBlock( FileObject );

I'm getting a fatal exception at least when that line's being run when FileObject is null. Or is it me that's doing something wrong?

Sridhar Uyyala (https://www.blogger.com/profile/08470251387315114863), 2012-10-11T11:09:24.598-07:00:
Hi Alex, I think Re-entrancy in general for mini-filters but IRP_MJ_CREATE is most sought after.

This is a complex topic but I had to research so much to proof my minifilter from re-entrancy in various cases (My minifilter is layered FS).

For example, TopLevelIRP is being used to distinguish to deal with Cache manager and VM interactions in read/writes. Using a different deviceObject whenever opening a file in my filter, so I can distinguish if at all it comes back to me (for example, CSC driver will put it on the stack if the file is residing locally). And have seen legacy driver used TLS to identify the original thread that requested the IO. Would be great if reentrancy can be discussed as an article without explaining the interactions (these can be found in many books) but techniques as a resource in such cases.

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2012-10-11T08:44:18.392-07:00:
Hi Sridhar,

Are you referring to the IRP_MJ_CREATE path or do you mean IO in general? I would like more specifics on the problem :).

Thanks,
Alex.

Sridhar Uyyala (https://www.blogger.com/profile/08470251387315114863), 2012-10-05T13:57:18.172-07:00:
Great Post. This blog is getting better all the time and my main resource for filter driver development.

Thank you Alex.

Sridhar Uyyala (https://www.blogger.com/profile/08470251387315114863), 2012-10-05T11:48:31.536-07:00:
Hi Alex, Can you write about how to handle re-entrancy in minifilter. Even though FltXX functions do provide some insulation but there are many cases that IO can reenter. For example, how to identify if the IO issued by mini-filter reenters the stack due to underlying filter sending it to top of the stack. I have seen legacy driver use TLS or TopLevelIRP and in some cases secondary device object. But it's NOT really clear which one to use when. Would be helpful if there is some light on it. I know this is also a vague question. Let me know if you want more specifics of the problem

FilterLover (https://www.blogger.com/profile/09116824999788999681), 2012-09-20T06:45:18.173-07:00:
Great article!

One more I should notice. Calling FltGetFileNameInformation with FLT_FILE_NAME_NORMALIZED for network path in pre create operation consumes a lot of time. So much that we had to use FLT_FILE_NAME_OPENED...

Anonymous (https://www.blogger.com/profile/04456600991354270152), 2012-08-15T13:48:26.780-07:00:
Christian, thanks for taking the time and explaining this! Finally it makes sense! :)

Christian Allred [MSFT], 2012-08-10T18:08:06.649-07:00:
Although the docs aren't updated yet, CreateFile2 (in Windows 8 RTM) doesn't allow opening a file that you don't have write access to if you don't specify FILE_SHARE_READ, whether called from a Metro app or not. It does indeed use FILE_DISALLOW_EXCLUSIVE internally.

The purpose is to close the long-standing problem where a caller who doesn't have the right to modify a file is able to deny read access to callers who do have the right to modify the file. The logic is that if all you can do is read a file, there's no good reason why you should be able to prevent others from reading it.