EldoS | Feel safer!

Software components for data protection, secure storage and transfer

OnCloseFile event handling issue

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
#25329
Posted: 06/18/2013 02:19:22
by Bhushan Manekar (Standard support level)
Joined: 07/18/2012
Posts: 10

Hi,

I am working on ELDOS Callback File System, running C++ Mapper Sample application.
I want to detect File Close operation for different types of files. I am using OnCloseFile event of Callback FS but facing some issues with it.
Can you please help me to solve it?
While Testing C++ Mapper application with different file Types I found that OnCloseFile event is called even when file is saved or directory is opened in windows explorer.
Following is behaviour of onCloseFile Event for different types of files:

1) Microsoft Excel: (File name: new.xlsx)

New File is created: OnFileClose event is called with input file name(new.xlsx)
Existing File is opened and saved: OnFileClose event is called on temporary file (90904.xlsx)
File is closed: OnFileClose event is called on ~new.xlsx

2) Microsoft Word ( File name: new.docx)

New File is created: OnFileClose event is called with input file name (new.docx)
Existing File is opened and saved: OnFileClose event is called on temporary file (new.tmp)
File is closed: OnFileClose event is not triggered at all.

3) Microsoft ppt (new.ppt)

New File is created: OnFileClose event is called 3 times with input file name (new.xlsx), with ~new.ppt and new.tmp file.
Existing File is opened and saved: OnFileClose event is called on temporary file (new.tmp)
File is closed: OnFileClose event is called on ~new.ppt


As behaviour of OnCloseFile event is different for different types of files, it is getting triggered even for temporary system files(~.docx or .tmp files)
OnCloseFile event is called on file save, directory browsing operations. So, is there any way to detect whether an input file (of any type i.e. doc, pdf, ppt, jpg) is “really” closed or open?
Any help is highly appreciated.

Thanks!
#25332
Posted: 06/18/2013 03:55:57
by Volodymyr Zinin (EldoS Corp.)

A little theory about the subject:
In Windows with the "close" request actually two requests are associated - IRP_MJ_CLEANUP and IRP_MJ_CLOSE. The first is synchronously called when a handle to a file is being closed (there is the optional OnCleanup callback for it). The other one, which is associated with the OnClose callback, is called asynchronously and can be delayed for quite long time (although in CallbackFS there is mechanism to force this event).
For example some program can use a memory mapped section to a file in the following way:
1. A file is opened as memory mapped section by the use of the win32 API CreateFile and then CreateFileMapping calls. At the moment when CreateFile is being called CallbackFS calls the OnCreate or OnOpen callback.
2. Then the program decides to close the handle to the file and leaves only the memory mapped section. I.e. it calls the win32 API CloseHandle. At this moment Windows sends the IRP_MJ_CLEANUP request to the file system driver and CallbackFS calls the OnCleanup callback.
3. Programs works with the memory mapped section and then closes handle to it. It causes the IRP_MJ_CLOSE callback to be sent to the file system driver and CallbackFS calls the OnClose callback. But this can be delayed too because the system memory manager don't have enough time to flush the modified file data from the memory mapped section.

In more "usual" situations a file is just opened and closed. This caused the OnClose callback to be called almost immediately. But and in such situations there can be delay in calling of the OnClose callback. For example an antivirus is still scanning the file. I.e. you obtain the following sequences of the CallbackFS callbacks:
1. OnOpen
2. any callbacks (caused by the program activity)
3. OnCleanup (when the handle is closed)
4. several OnRead callbacks (caused by the antivirus activity)
5. OnClose callback

About your question:
Quote
Adrian Grayson wrote:
is there any way to detect whether an input file (of any type i.e. doc, pdf, ppt, jpg) is “really” closed or open?

Actually only after the last OnClose callback is called (see the CallbackFS property CallAllOpenCloseCallbacks) the file is really completely closed. But you can be notified when handles to the file are being closed by using the OnCleanup callback. But after all handles have been closed the OnRead and OnWrite callbacks can still come.

BTW Process Monitor from sysinternals.com allows to show both of these close requests by checking the menu item "Filter"->"Enable advanced output".

Reply

Statistics

Topic viewed 1439 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!