  Message 1 of 8  
23 Jan 12 04:08
Prasad Dabak
xxxxxx@vmware.com
Join Date: 09 Jun 2011
Posts To This List: 125
Best way to ignore remote mailslot/named pipe activity in file system filter driver

Hello,

I am continuing the discussion that I had on the topic at http://www.osronline.com/showThread.cfm?link=217431 since that thread aged and I am not able to post a new response there.

Just to re-iterate quickly: We want our filter driver to ignore the named pipe/mailslot initiated over lanmanredirector, e.g. when code running on machine A opens a named pipe on machine B, the filter driver running on machine A notices the access to \B\pipe\pipename path and we want the filter driver to ignore this.

I tried the option of checking FO_NAMED_PIPE and FO_MAILSLOT flags in PostOpCreate and I noticed a couple of caveats.

1. The FO_MAILSLOT flag is NOT set in PostOpCreate for mailslot file object.
2. Although FO_NAMED_PIPE is set correctly for the file object representing named pipe, I see that it is also set for fileobject pointing to \B\IPC$? Is this expected? Can this flag be set in other non-pipe cases?

Let me know.

Thanks.
-Prasad
  Message 2 of 8  
25 Jan 12 00:14
Prasad Dabak
xxxxxx@vmware.com
Join Date: 09 Jun 2011
Posts To This List: 125
Best way to ignore remote mailslot/named pipe activity in file system filter driver

Can someone answer this please? Thanks. -Prasad
  Message 3 of 8  
25 Jan 12 11:40
Scott Brender
xxxxxx@microsoft.com
Join Date: 23 Jul 2009
Posts To This List: 39
Best way to ignore remote mailslot/named pipe activity in file system filter driver

It looks like you will need to filter based on the name of the share to detect remote pipes and mailslots. As you've seen the redirector does not set FO_MAILSLOT and (I haven't confirmed this yet) appears to set FO_NAMED_PIPE on some file objects not backed by NPFS. Based on your input we will try to have a better story in the future.

Thanks,
Scott [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
  Message 4 of 8  
30 Jan 12 06:35
Prasad Dabak
xxxxxx@vmware.com
Join Date: 09 Jun 2011
Posts To This List: 125
Best way to ignore remote mailslot/named pipe activity in file system filter driver

Thanks Scott. So, this basically goes back to your message #3 in my original post at http://www.osronline.com/showThread.cfm?link=217431. On that post, you mentioned to query FLT_FILE_NAME_OPENED name and then check the share for "pipe" or "mailslot". Can I just parse fltObjects->FileObject->FileName instead? The PCFLT_RELATED_OBJECTS fltObjects is passed to PreOpCreate. Let me know. Thanks. -Prasad
  Message 5 of 8  
30 Jan 12 13:20
ntfsd member 2023
xxxxxx@storagecraft.com
Join Date:
Posts To This List: 4274
Best way to ignore remote mailslot/named pipe activity in file system filter driver

> On that post, you mentioned to query FLT_FILE_NAME_OPENED name and then check the share
> for "pipe" or "mailslot".

If you go the heuristic way, then also find the device/driver objects in question and look at whether the DrvO name contains "msfs" or "npfs". Even though you will not be able to catch the client ends of the network pipes (they are maintained by RDBSS and not NPFS), this is a good idea.

--
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
  Message 6 of 8  
30 Jan 12 14:39
Scott Brender
xxxxxx@microsoft.com
Join Date: 23 Jul 2009
Posts To This List: 39
Best way to ignore remote mailslot/named pipe activity in file system filter driver

I think it would be preferable to use the filter manager API which does the same name parsing from the file object for you.

Note for pipes, you may be able to rely on the FO_NAMED_PIPE in post create after all. Besides named pipes, the connection to the IPC$ (and only to the IPC$) is also explicitly marked by the redirector as a pipe connection to the IPC$. It is a file that supports pipe semantics, though not backed by the NPFS on the server side.

Thanks,
Scott [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
  Message 7 of 8  
31 Jan 12 03:24
Prasad Dabak
xxxxxx@vmware.com
Join Date: 09 Jun 2011
Posts To This List: 125
Best way to ignore remote mailslot/named pipe activity in file system filter driver

Thanks Scott and Maxim for your responses.

Scott, I agree with your advice to use the filter manager API. However, I had concerns about the overheads of calling FltGetFileNameInformation on each PreOpCreate just to check if the FILE_OBJECT is pointing to named pipe/mailslot. Hence, I was asking if it is safe to directly parse fltObjects->FileObject->FileName instead (after doing standard NULL, length checks etc). Is it possible to have a FILE_OBJECT referring to named pipe/mailslot when fltObjects->FileObject->FileName is not having the pattern \servername*\MAILSLOT\... OR \servername\PIPE\...?

Maxim, I am not sure about what you mean by client ends of the network pipe here? When machine A creates a named pipe say "hello" and machine B connects to it, our filter driver running on machine B sees PreOpCreate with FileName=\A\PIPE\Hello. We want to ignore this request and return FLT_PREOP_SUCCESS_NO_CALLBACK from PreOpCreate. Are you saying that, in this case, Drv0 name will be msfs/npfs? Filter on machine B doesn't see this request at all since it will be directly served by NPFS and our filter doesn't attach to it anyways.

Thanks.
-Prasad
  Message 8 of 8  
31 Jan 12 22:20
Scott Brender
xxxxxx@microsoft.com
Join Date: 23 Jul 2009
Posts To This List: 39
Best way to ignore remote mailslot/named pipe activity in file system filter driver

It isn't ideal, but a pre create open name query should not be a lot of overhead relative to the overall remote create. Fltmgr is just allocating some memory and parsing the fileobject->Filename. Another benefit is if anyone else needs the name, it will now be in fltmgr's name cache.

For a mailslot you should always have the \servname*\MAILSLOT\ format. For a pipe, as you've seen you might get IPC$. I'd recommend checking the fileobject flags for FO_NAMED_PIPE in post create.

Thanks,
Scott [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
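Added example, not part of the thread and not code from any poster: a user-mode C model of the share check discussed above, classifying a `\server\share\...` name as PIPE, MAILSLOT or IPC$. It assumes a counted ASCII buffer standing in for the UNICODE_STRING a filter would receive; `classify_remote_name`, `span_eq` and `share_kind` are hypothetical names, and the sample paths are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { SHARE_OTHER, SHARE_PIPE, SHARE_MAILSLOT, SHARE_IPC } share_kind;

/* Case-insensitive match of a counted span against a NUL-terminated literal. */
static int span_eq(const char *s, size_t n, const char *lit)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (lit[i] == '\0' ||
            toupper((unsigned char)s[i]) != toupper((unsigned char)lit[i]))
            return 0;
    return lit[n] == '\0';      /* lengths must match: "PIP" is not "PIPE" */
}

/* name/len is a counted buffer (no NUL required), modelled on the
 * \server\share\... form the thread shows in FileObject->FileName. */
share_kind classify_remote_name(const char *name, size_t len)
{
    size_t i = 0, start;

    if (name == NULL || len == 0 || name[0] != '\\')
        return SHARE_OTHER;
    while (i < len && name[i] == '\\') i++;     /* leading separator(s) */
    while (i < len && name[i] != '\\') i++;     /* server component */
    if (i == len)
        return SHARE_OTHER;                     /* no share component */
    start = ++i;
    while (i < len && name[i] != '\\') i++;     /* share component only */

    if (span_eq(name + start, i - start, "PIPE"))     return SHARE_PIPE;
    if (span_eq(name + start, i - start, "MAILSLOT")) return SHARE_MAILSLOT;
    if (span_eq(name + start, i - start, "IPC$"))     return SHARE_IPC;
    return SHARE_OTHER;
}

int main(void)
{
    /* Constructed sample names, not captured from a real system. */
    const char *samples[] = { "\\A\\PIPE\\Hello", "\\B\\IPC$",
                              "\\A\\MAILSLOT\\x", "\\A\\PIPELINE\\x",
                              "\\A\\docs\\PIPE\\x" };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-18s -> %d\n", samples[k],
               (int)classify_remote_name(samples[k], strlen(samples[k])));
    return 0;
}
```

Only the share component is compared, so a directory named PIPE below an ordinary share, or a share whose name merely starts with PIPE, is not skipped by the filter.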
All times are GMT -5.