EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Number of ClosefFile callback is less than openfile callback

Posted: 03/30/2009 06:00:24
by Wang Sheng (Basic support level)
Joined: 02/16/2009
Posts: 44

I am running your samples:encrypt. Open a *.txt using notepad.exe,

I notice that:

The number of Callback Firing of CloseFile callback is less than Openfile callback.

sometimes is: openFile callback -closefile cacllback -openFilecallback ReadFile callback -closeFile callback.

in much time is: openFile callback ,closefile callback , OpenFile callback ReadFile callback

the times of the CloseFile callback is less than the OpenFile callback
,as We Know that:In encrypt samples, wo call Openfile api to open the file in the openFile callback, so without the closeFile callback,we can not close the File handle.
Posted: 03/31/2009 03:33:48
by Vladimir Cherniga (Team)

You should bear in mind that only postcreate request signals about successfuly opened file handle, precreate request may end up with error status. Besides, another process, for example "explorer", could have opened handle to the target file. For this case it makes sense to check OriginatorProcessID from PostCreate/Close requests and increment/decrement reference counter depends on ProcessID.
There are also ProcMon utility from microsoft which allows process activity monitoring. You could compare the result from this tool with Encrypt sample output.
Posted: 04/01/2009 00:17:49
by Wang Sheng (Basic support level)
Joined: 02/16/2009
Posts: 44

Hi,I edit your sample:encrypt

void CbFltOpenFileC(
CallbackFilter* Sender,
LPWSTR FileName,
PACCESS_MASK DesiredAccess,
PWORD FileAttributes,
PWORD ShareMode,
PDWORD CreateOptions,
LPBOOL RequestAccepted)
WCHAR process[MAX_PATH * 2];
unsigned long l1=MAX_PATH * 2;
char myprocess[128];
int nLen = wcslen(process)+1;
WideCharToMultiByte(CP_ACP, 0, process, nLen, myprocess, 2*nLen, NULL, NULL);
char *tmp1=strstr(myprocess,"notepad.exe");
*RequestAccepted = FALSE;
*RequestAccepted = TRUE;

Do not make any changes on :
void CbFltPostOpenFileC(
void CbFltCloseFileC(
void CbFltReadFileC(

So allow only notpad.exe to open *.txt File

1)Many times wo see only two callback Firing
not CloseFile Callback firing ,why?

2)sometimes,I also see such callback Firing


ReadFile callback Is firing After the closefile callback.
So,UserContext has alreaddy been deleted by the closeFile callback, how can
the *BytesToRead = Context->Read(*Position, Buffer, *BytesToRead) be executed
Posted: 04/01/2009 01:33:28
by Vladimir Cherniga (Team)

Hi,i will check your code. Did you attach/detach filter and restart notepad during this tests ?
Posted: 04/07/2009 01:16:21
by Wang Sheng (Basic support level)
Joined: 02/16/2009
Posts: 44

Hi,No Answers?
I have download ProcMon utility from microsoft sysinternal.
From the result Gived out by the ProcMon,It is very clear that:Every Createfile
Must be ended with closeFile.

But Your samples:encrypt is not ,much times,Only OpenFile callback,ReadFile callback is Firing,CloseFile callback Is not firing. Sometimes even closeFile callback is called before the ReadFile callback.
Posted: 04/07/2009 07:52:54
by Vladimir Cherniga (Team)

Try the attached driver with Encrypt sample. It should solve CloseFile related issue when such applications like notepad uses memory-mapped files. This driver version is
The problem is in the reference on FileObject, that is held by the OS. This reference prevents from close request which is as usual is a pair on first open request for the specified file. This reference preserves system cache from being purged. When the same file is opened next time, this previously cached datas are used instead of datas from the secondary storage device. This is how OS increase file system preformance. I suppose that in your scenario you have lost the first create request, which close pair request could be suspended on unpredictable period of time.

[ Download ]
Posted: 04/08/2009 01:59:33
by Wang Sheng (Basic support level)
Joined: 02/16/2009
Posts: 44

It is normal now.
Can you give out Release version ?
Posted: 04/09/2009 03:12:56
by Wang Sheng (Basic support level)
Joined: 02/16/2009
Posts: 44

Hi,find another bug.
System hang when execute ReadFile(mHandle,) in void CbFltCloseFileC callback.
(While writeFile van execute correctly in CbFltCloseFileC callback)

Driver version is your attached driver,version
Posted: 04/09/2009 03:27:54
by Wang Sheng (Basic support level)
Joined: 02/16/2009
Posts: 44

System also hang when execute writeFile in CbFltCloseFileC callback.

Please Check it.
Posted: 04/10/2009 03:21:10
by Eugene Mayevski (Team)

Please don't crosspost the questions to Forum and HelpDesk. Answered in HelpDesk.

Sincerely yours
Eugene Mayevski



Topic viewed 7826 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!