EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Rename file notification

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
#9256
Posted: 03/13/2009 04:16:18
by Dan Cooper (Basic support level)
Joined: 06/27/2007
Posts: 125

I have setup a filter to notify me of file renames, however when I get the notification the oldname and new name are the same, the only difference being that the new name has '\??\' at the start.

For example, if I rename:

C:\Testing.txt to C:\Testing.dat

I will get in the callback:

FileName: C:\Testing.dat
NewFileName: \??\C:\Testing.dat


#9257
Posted: 03/13/2009 04:43:44
by Dan Cooper (Basic support level)
Joined: 06/27/2007
Posts: 125

This is only the case for Notify, Callback contains the correct names.
#9261
Posted: 03/13/2009 07:33:00
by Vladimir Cherniga (EldoS Corp.)

Still couldn't reproduce with FileMon. Is it some special conditions needs to reproduce this bug ? Does such bug is reproduced permanently ?
#9262
Posted: 03/13/2009 07:45:01
by Dan Cooper (Basic support level)
Joined: 06/27/2007
Posts: 125

I simply started FileMon to watch C:\*.* and rename a file with a breakpoint on CbFltRenameOrMoveFileN. Both FileName and NewFileName are exactly the same with the exception that NewFileName starts with '\??\'
#9289
Posted: 03/16/2009 06:01:18
by Vladimir Cherniga (EldoS Corp.)

Could you reproduce error with attached sample ?


[ Download ]
#9465
Posted: 03/31/2009 02:22:54
by Dan Cooper (Basic support level)
Joined: 06/27/2007
Posts: 125

Please see attached image.

I renamed C:\eula.1031.txt to C:\eula.1031-2.txt. As you can see in the pic, both names are the same with the exception of the '\??\'

Also, there does not seem to be any callback for delete even though it's mentioned in the documentation.


#9467
Posted: 03/31/2009 03:16:03
by Daniel Öberg (Standard support level)
Joined: 02/26/2009
Posts: 18

If I'm not misstaken this error is fixed in the lastest version. 1.0.16.

Try to download the latest driver and install it on you machine and then try the FileMon again.


You can add Delete callbacks with

AddFilterCallbackRule(szPath, (CallbackFilter::CbFltCallbackFlags)(CallbackFilter::DeleteCallback));

From CbFlt.h:

typedef void (*CbFltCanFileBeDeletedEventC)(
CallbackFilter* Sender,
LPWSTR FileName,
LPBOOL DeleteFile,
PVOID* UserContext,
LPBOOL RequestAccepted
);
#9469
Posted: 03/31/2009 03:41:01
by Dan Cooper (Basic support level)
Joined: 06/27/2007
Posts: 125

The latest version on the download area is 1.0.13 which is what I'm running. Where can I get 1.0.16 from?
#9470
Posted: 03/31/2009 04:15:48
by Dan Cooper (Basic support level)
Joined: 06/27/2007
Posts: 125

Also, the CanFileBeDeleted call does not guarantee that DeleteFile will actually be deleted does it?
#9471
Posted: 03/31/2009 04:34:03
by Daniel Öberg (Standard support level)
Joined: 02/26/2009
Posts: 18

I took 1.0.16 from the prerelease section:
http://www.eldos.com/cbflt/download-prerelease.php


Nope, you are right. You can never know that a file is really removed, or will be. That is the problem with deleting files in NTFS. There can always be another drive in another level that removes the delete flag.

Also, more interessting is that this is how the recycle bin works. Windows marks the file for deletion to see if anyone objects, if not the file is unmarked as "can-be-deleted" and instead moved to the recycle bin folder. So, no there is never a way to be 100% sure. Not even if you write your own legacy driver from scratch.
Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.

Reply

Statistics

Topic viewed 20690 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!