So I guess I'm as excited as everyone about Windows 8 and I figured I'd get the preview and take a look at what's new. I haven't had much time to tinker with it, but here are some highlights of what to expect.
One thing that has been missing from FltMgr since the beginning, and that developers have complained about, is the ability to filter other devices that have file system semantics, in particular named pipes (NPFS). It looks like in Win8 that's finally going to happen and we'll be able to write minifilters for NPFS. Moreover, it looks like the folks in Redmond went the extra mile and added support for the Mailslot file system (MSFS) as well:
C:\Windows\system32>fltmc volumes

Dos Name                        Volume Name                              FileSystem  Status
------------------------------  ---------------------------------------  ----------  --------
                                \Device\Mup                              Remote
C:                              \Device\HarddiskVolume2                  NTFS
                                \Device\HarddiskVolume1                  NTFS
                                \Device\NamedPipe                        NamedPipe
                                \Device\Mailslot                         Mailslot
D:                              \Device\CdRom0                           UDFS        Detached
                                \Device\HarddiskVolumeShadowCopy1        NTFS
D:                              \Device\CdRom0                           UDFS
There is even an in-box filter attached to NPFS:
C:\Far>fltmc filters

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                6       328010         0
luafv                                   1       135000         0
npsvctrig                               1       46000          0
FileInfo                                6       45000          0

C:\Far>fltmc instances -f npsvctrig

Instances for npsvctrig filter:

Volume Name                            Altitude      Instance Name           Frame   VlStatus
-------------------------------------  ------------  ----------------------  -----  --------
\Device\NamedPipe                      46000         npsvctrig                 0
As you can see, there are two more minifilters installed by default (at least in this version). There is npsvctrig, which seems to be (according to the INF file) the "Named pipe service trigger provider". There is also WdFilter, which I couldn't find the INF for, but the entry in the services key seems to suggest it's related to some anti-malware protection feature.
One more thing I've done is to look at what's new in fltmgr.sys. It has increased in size by about 15% compared to the Win7 version I have (on x86), so there's bound to be something interesting in there. Looking at the exports we can see a bunch of new APIs, which I've grouped by name into some categories. Some of them are actually documented in MSDN and I'll leave reading the documentation for them up to you:
FltGetContextsEx
FltReleaseContextsEx
FltGetSectionContext

FltCreateSectionForDataScan
FltRegisterForDataScan
FltCloseSectionForDataScan

FltFastIoMdlReadComplete
FltFastIoMdlWriteComplete
FltFastIoMdlRead
FltFastIoPrepareMdlWrite

FltPrepareToReuseEcp

FltOplockKeysEqual
FltOplockFsctrlEx

FltSetQuotaInformationFile
FltQueryQuotaInformationFile

FltCreateNamedPipeFile
FltCreateMailslotFile

FltGetActivityIdCallbackData
FltSetActivityIdCallbackData
FltPropagateActivityIdToThread

FltEnumerateInstanceInformationByVolumeName
FltEnumerateInstanceInformationByDeviceObject

FltWriteFileEx
FltReadFileEx
Please note that I'm pretty sure I'm barely scratching the surface here; for example, some APIs might have changed their parameters and my simple perl script wouldn't be able to figure that out. I'm looking forward to the presentations and new samples in the WDK for these things, and I wanted to get everybody as excited as I am.
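The export-diffing workflow described above, as an added example that is not the post's perl script: it parses two dumpbin /exports listings, reports the names that appeared (or disappeared) between builds, and buckets the new names by a keyword in the name, the same grouping-by-name the list above uses. The two listings are constructed in dumpbin's column layout for illustration, not captured from a real fltmgr.sys, and the keyword table is an assumption of mine. As the post notes, an export diff only sees names, so a changed parameter list is invisible to it.

```python
"""Diff the export table of two builds of a driver and group the new names.

Added example (not the post's own perl script). The dumpbin /exports
excerpts below are constructed in dumpbin's layout, not captured output.
"""
import re
from collections import defaultdict

# dumpbin /exports prints one row per export: ordinal, hint (hex), RVA, name.
# Constructed "old build" listing.
OLD_EXPORTS = """\
    ordinal hint RVA      name

          1    0 0001A2F0 FltAcquirePushLockExclusive
          2    1 0001A300 FltGetFileContext
          3    2 0001A310 FltReadFile
          4    3 0001A320 FltWriteFile
"""

# Constructed "new build" listing with a handful of added exports.
NEW_EXPORTS = """\
    ordinal hint RVA      name

          1    0 0001B2F0 FltAcquirePushLockExclusive
          2    1 0001B300 FltGetFileContext
          3    2 0001B310 FltReadFile
          4    3 0001B320 FltWriteFile
          5    4 0001B330 FltReadFileEx
          6    5 0001B340 FltWriteFileEx
          7    6 0001B350 FltCreateNamedPipeFile
          8    7 0001B360 FltCreateMailslotFile
          9    8 0001B370 FltGetContextsEx
         10    9 0001B380 FltReleaseContextsEx
"""

# Matches a dumpbin export row; the header and blank lines do not match.
EXPORT_ROW = re.compile(r"^\s*\d+\s+[0-9A-Fa-f]+\s+[0-9A-Fa-f]{8}\s+(\w+)")

# Assumed keyword -> category mapping, checked in order; first hit wins.
KEYWORDS = [
    ("DataScan", "data scan"),
    ("Context", "contexts"),
    ("NamedPipe", "named pipe / mailslot"),
    ("Mailslot", "named pipe / mailslot"),
    ("ActivityId", "activity id"),
    ("Oplock", "oplocks"),
    ("Quota", "quota"),
    ("FastIoMdl", "fast I/O MDL"),
    ("Ecp", "ECP"),
    ("EnumerateInstance", "instance enumeration"),
    ("ReadFile", "file I/O"),
    ("WriteFile", "file I/O"),
]


def parse_exports(listing):
    """Return the set of exported names found in a dumpbin /exports listing."""
    names = set()
    for line in listing.splitlines():
        match = EXPORT_ROW.match(line)
        if match:
            names.add(match.group(1))
    return names


def diff_exports(old_listing, new_listing):
    """Return (added, removed) name lists, each sorted, between two listings."""
    old, new = parse_exports(old_listing), parse_exports(new_listing)
    return sorted(new - old), sorted(old - new)


def categorize(name):
    """Bucket an export by the first matching keyword; 'other' if none match."""
    for keyword, label in KEYWORDS:
        if keyword in name:
            return label
    return "other"


def group_new_exports(old_listing, new_listing):
    """Map category label -> sorted list of exports new in new_listing."""
    added, _ = diff_exports(old_listing, new_listing)
    groups = defaultdict(list)
    for name in added:
        groups[categorize(name)].append(name)
    return dict(groups)


if __name__ == "__main__":
    added, removed = diff_exports(OLD_EXPORTS, NEW_EXPORTS)
    print("removed:", removed)
    for label, names in sorted(group_new_exports(OLD_EXPORTS, NEW_EXPORTS).items()):
        print(f"{label}:")
        for name in names:
            print("   ", name)
```

On a real comparison you would feed the script the saved output of dumpbin /exports for each fltmgr.sys; names that fall into "other" are the ones worth reading the headers for, since the keyword table only knows the families already visible in the list above.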
Thanks for the article.
MSDN says that FltOplockFsctrlEx and FltOplockKeysEqual are available starting with Windows 7.
Interesting. I can see them in my header file in the WDK but they don't seem to be exported by the binaries I have. Dumpbin will find FltOplockFsctrlEx in the Function Table section but not in the exports section, and FltOplockKeysEqual is completely missing. I guess they were never exported in Win7?