EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Logs access HGFS via VMware guest

Posted: 04/10/2012 05:33:29
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

Hi there,

I am running the latest driver (Version 2.3.46) on a windows XPclient. I have modified the filemon example to intercept and log synchronous callbacks as well as the async notification events.

However, when I attempt to monitor a vmware share in the host PC I get a blue screen with a message "Multiple IRP Complete Requests" - MULTIPLE_IRP_COMPLETE_REQUESTS.

If i run the Microsoft DDK example file system mini-filter called "Minispy" and attach to \device\HGFS (i.e. the nominated vmware share) then I get logs as normal - no blue screen.

Any ideas?
Posted: 04/10/2012 07:03:54
by Vladimir Cherniga (Team)

Callback Filter may not work with a non-Windows shares. Minispy and CBFilter uses a different driver model (minifilter and legacy fs filter driver). Minifilter works with a filter manager(as a plugin), CBFilter works directly with file system.
Anyway, could you share a kernel crash dump with us or provide a working sample to reproduce the problem ? Thanks in advance.
Posted: 04/10/2012 09:07:16
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

Hi Vladimir,

thanks for the quick reply.

So CBFilter is a legacy file system filter driver. Ok. So the legacy file system filter cannot handle HGFS redirects (but its ok with lanman redirector miniport drivers). Is this common between a file system minifilter and a legacy file system driver? I though the minifilters just simplified the process by replacing the usual location of a legacy filter with a filter manager - which handled the mini filters). The I/O requests still goes to either the local file system driver or (in this case) the remote file system driver (via the redirect and TDI transport). The type of remote drive should be irrevalvent. Especially as I get some feedback from the hosts shared folder - so it is almost working.

The sample used was derived from the fileMon sample but I modified the GUI slightly and added callbacks for the synchornous events. I can email you the sample project if that would help.
Posted: 04/10/2012 09:44:03
by Vladimir Cherniga (Team)

The I/O request forwarded to redirector handles the same way the go to the local file system, but some internal fields in file object structure (representing file handle instance) may used differently in third party redirectors. This fields actively used in filter and this may be the source of the problem causing blue screen. To find the solution we need a kernel dump or a way to reproduce the problem. I thinks it is better to open a corresponding ticket in helpdesk and post sample there.
Posted: 06/28/2012 05:22:13
by Jason Coleman (Basic support level)
Joined: 03/21/2012
Posts: 17

Just a quick note on this - the MSDN minifilter sample for FileMon can intercept redirects for VMWare guest shares normally (just like SMB).



Topic viewed 3117 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!