Intercept subdirectory creation in the minifilter driver



Hi, All
Is there any way to intercept subdirectory creation in the minifilter driver 
preoperation (or postoperation) callback routine? I track all calls with 
MajorFunction == IRP_MJ_WRITE but when subdirectory is created, DesiredAccess 
(Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess) value is set 
to 0x100001 (FILE_READ_DATA/FILE_LIST_DIRECTORY | SYNCHRONIZE) and any write 
access is not specified.

Thanks, Eugene.
0
Reply Utf 7/5/2010 12:38:14 PM

Directories are created with IRP_MJ_CREATE so I am not sure why you are 
looking at write calls.  If you are not aware file system questions are 
best answered on the NTFSD forum hosted at http://www.osronline.com/  That 
is the list where all the file system people (including a number from 
Microsoft) hang out.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr




> -----Original Message-----
> From: Eugene [mailto:Eugene@discussions.microsoft.com]
> Posted At: Monday, July 05, 2010 8:38 AM
> Posted To: microsoft.public.development.device.drivers
> Conversation: Intercept subdirectory creation in the minifilter driver
> Subject: Intercept subdirectory creation in the minifilter driver
>
> Hi, All
> Is there any way to intercept subdirectory creation in the minifilter 
> driver
> preoperation (or postoperation) callback routine? I track all calls with
> MajorFunction == IRP_MJ_WRITE but when subdirectory is created, 
> DesiredAccess
> (Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess) value is 
> set to
> 0x100001 (FILE_READ_DATA/FILE_LIST_DIRECTORY | SYNCHRONIZE) and any 
> write
> access is not specified.
>
> Thanks, Eugene.
>
>

0
Reply Don 7/5/2010 12:44:33 PM


Thanks, Don,
Sorry for the mistake, of course I'm tracking calls with IRP_MJ_CREATE.

"Don Burn" wrote:

> Directories are created with IRP_MJ_CREATE so I am not sure why you are 
> looking at write calls.  If you are not aware file system questions are 
> best answered on the NTFSD forum hosted at http://www.osronline.com/  That 
> is the list where all the file system people (including a number from 
> Microsoft) hang out.
> 
> 
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> 


0
Reply Utf 7/5/2010 2:43:13 PM

You need to inspect the create disposition, not the desired access. Search 
for disposition here:

http://msdn.microsoft.com/en-us/library/ff548630(VS.85).aspx

And follow the link to see the available options.

You can see the FASTFAT source for an example of extracting the disposition 
from the create options.

(Also, Don's advice of going to NTFSD is good)

-scott

-- 
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


"Eugene" <Eugene@discussions.microsoft.com> wrote in message 
news:B73FE3C3-B3CE-4BAC-9A87-111F38E556D2@microsoft.com...
> Thanks, Don,
> Sorry for the mistake, of course I'm tracking calls with IRP_MJ_CREATE.
>
> "Don Burn" wrote:
>
>> Directories are created with IRP_MJ_CREATE so I am not sure why you are
>> looking at write calls.  If you are not aware file system questions are
>> best answered on the NTFSD forum hosted at http://www.osronline.com/ 
>> That
>> is the list where all the file system people (including a number from
>> Microsoft) hang out.
>>
>>
>> Don Burn (MVP, Windows DKD)
>> Windows Filesystem and Driver Consulting
>> Website: http://www.windrvr.com
>> Blog: http://msmvps.com/blogs/WinDrvr
>>
>
> 
0
Reply Scott 7/6/2010 2:57:53 PM
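To show Scott's point in code: this is an added example, not code from the thread or from OSR, that decodes the Options field a minifilter sees on IRP_MJ_CREATE (Data->Iopb->Parameters.Create.Options) the way FASTFAT does, so a directory open with DesiredAccess 0x100001 is told apart from a directory creation. The constant values mirror the WDK headers but are defined inline here (an assumption, so the file builds without the WDK); a real driver uses the header definitions.

```c
/* Added example: decode create disposition + create options as a
 * minifilter would in its pre/post IRP_MJ_CREATE callbacks.
 * Constants mirror WDK ntifs.h/wdm.h values (defined here only so this
 * builds without the WDK). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FILE_DIRECTORY_FILE 0x00000001u /* create option, low 24 bits   */
#define FILE_OPEN           1u          /* dispositions, high 8 bits    */
#define FILE_CREATE         2u
#define FILE_OPEN_IF        3u
#define FILE_OPENED         1u          /* post-op IoStatus.Information */
#define FILE_CREATED        2u

/* Same split FASTFAT performs at the top of its create path. */
static uint32_t create_disposition(uint32_t options) { return (options >> 24) & 0xFFu; }
static uint32_t create_options(uint32_t options)     { return options & 0x00FFFFFFu; }

/* Pre-create: the caller asked for a directory (FILE_DIRECTORY_FILE) with a
 * disposition that can create one. FILE_OPEN never creates, so a directory
 * open with DesiredAccess 0x100001 is not flagged here. */
static bool may_create_directory(uint32_t options)
{
    uint32_t disp = create_disposition(options);
    if (!(create_options(options) & FILE_DIRECTORY_FILE))
        return false;
    return disp == FILE_CREATE || disp == FILE_OPEN_IF;
}

/* Post-create: only the file system knows whether the directory was really
 * created; it reports FILE_CREATED (FILE_OPENED if FILE_OPEN_IF found an
 * existing one) in Data->IoStatus.Information. */
static bool directory_was_created(uint32_t options, uint32_t information)
{
    return may_create_directory(options) && information == FILE_CREATED;
}

/* Builds Options the way the I/O manager packs disposition and options. */
static uint32_t pack_options(uint32_t disposition, uint32_t create_opts)
{
    return ((disposition & 0xFFu) << 24) | (create_opts & 0x00FFFFFFu);
}

int main(void)
{
    /* Constructed sample: a CreateDirectory() call arrives as FILE_CREATE. */
    uint32_t mkdir = pack_options(FILE_CREATE, FILE_DIRECTORY_FILE);
    printf("pre=%d post=%d\n", may_create_directory(mkdir),
           directory_was_created(mkdir, FILE_CREATED));
    return 0;
}
```

In a post-create callback, checking Data->IoStatus.Information for FILE_CREATED avoids counting a FILE_OPEN_IF that merely opened an existing directory.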

Thank you very much, Don!

All works fine.

Eugene

"Scott Noone" wrote:

> You need to inspect the create disposition, not the desired access. Search 
> for disposition here:
> 
> http://msdn.microsoft.com/en-us/library/ff548630(VS.85).aspx
> 
> And follow the link to see the available options.
> 
> You can see the FASTFAT source for an example of extracting the disposition 
> from the create options.
> 
> (Also, Don's advice of going to NTFSD is good)
> 
> -scott
> 
> -- 
> Scott Noone
> Consulting Associate
> OSR Open Systems Resources, Inc.
> http://www.osronline.com

0
Reply Utf 7/6/2010 4:17:23 PM

4 Replies
297 Views
