I am in the context of the PreAcquireForSectionSynchronization call back and
would like to open the file that is being referred to by the
Data->FileObject->Filename for READ access, read the data, and then close it
before this call is allowed to proceed.

I have enclosed a copy of the "open " that I've been using with most
everything else when I need to read a file, but it does not work here!

STATUS_SHARING_VIOLATION is returned,
IO_STATUS_BLOCK has Information = 35
Pointer = 35
Information =35

Can you advise me about a strategy that will work.

PS. I have gone through "The NT Insider:Finding File Contents in Memory"
article from OSR.
It does not cover all cases and is only about 80% complete, furthermore, it
does not deal with files larger that 256K, . The articles references
structures that have no IFS kit documentation.

InitializeObjectAttributes(&ObjAttrs,InFile,OBJ_KE RNEL_HANDLE|OBJ_CASE_INSEN
SITIVE,NULL,NULL);
//

Status =
ZwCreateFile(&FileHandle,GENERIC_READ|FILE_READ_AT TRIBUTES|FILE_READ_DATA,
&ObjAttrs,&StatusBlock,0, //allocation size
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ|FILE_SHARE_DELETE, //share access
FILE_OPEN, // disposition
FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALE RT, // CreateOptions,
0, // EaBuffer OPTIONAL,
0 ); // EaLength

}



--
Gak -
Finecats

Finecats,

I believe in this case you want to follow the same recommendations I gave
when you were filtering IRP_MJ_WRITE:

3 Memory-mapped. To catch these writes call
FsRtlRegisterFileSystemFilterCallbacks to register a
PreAcquireForSectionSynchronization callback routine in DriverEntry.
· Once a file is identified to copy, open it with
IoCreateFileSpecifyDeviceObjectHint() specifying all types of shared
access, and
use memory mapping to read the file. Specify both Options =
IO_IGNORE_SHARE_ACCESS_CHECK and ShareAccess = FILE_SHARE_READ |
FILE_SHARE_WRITE
| FILE_SHARE_DELETE.

Hope that helps!
[MS] Jeff McCashland
jeffm@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.