ZwCreateFile

NTSTATUS
    ZwCreateFile(

        OUT PHANDLE FileHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        OUT PIO_STATUS_BLOCK IoStatusBlock,
        IN PLARGE_INTEGER AllocationSize,        /* optional */
        IN ULONG FileAttributes,
        IN ULONG ShareAccess,
        IN ULONG CreateDisposition,
        IN ULONG CreateOptions,
        IN PVOID EaBuffer,                /* optional */
        IN ULONG EaLength
        );

ZwCreateFile either causes a new file or directory to be created, or it opens an existing file, device, directory, or volume, giving the caller a handle for the file object. This handle can be used by subsequent calls to manipulate data within the file or the file object’s state or attributes. For example, a driver might call this routine during initialization to open a file of microcode for its device.

Parameters

FileHandle
Points to a variable that receives the file handle if the call is successful.
DesiredAccess
Specifies the type of access that the caller requires to the file or directory. The set of system-defined DesiredAccess flags determines the following specific access rights for file objects:

DesiredAccess Flags

Meaning

DELETE

The file can be deleted.

FILE_READ_DATA

Data can be read from the file.

FILE_READ_ATTRIBUTES

FileAttributes flags, described later, can be read.

FILE_READ_EA

Extended attributes associated with the file can be read. This flag is irrelevant to device and intermediate drivers.

READ_CONTROL

The access control list (ACL) and ownership information associated with the file can be read.

FILE_WRITE_DATA

Data can be written to the file.

FILE_WRITE_ATTRIBUTES

FileAttributes flags can be written.

FILE_WRITE_EA

Extended attributes (EAs) associated with the file can be written. This flag is irrelevant to device and intermediate drivers.

FILE_APPEND_DATA

Data can be appended to the file.

WRITE_DAC

The discretionary access control list (DACL) associated with the file can be written.

WRITE_OWNER

Ownership information associated with the file can be written.

SYNCHRONIZE

The returned FileHandle can be waited on to synchronize with the completion of an I/O operation.

FILE_EXECUTE

Data can be read into memory from the file using system paging I/O. This flag is irrelevant to device and intermediate drivers.

Callers of ZwCreateFile can specify one or a combination of the following, possibly ORed with additional compatible flags from the preceding DesiredAccess Flags list, for any file object that does not represent a directory file:

DesiredAccess to File Values

Maps to DesiredAccess Flags

GENERIC_READ

STANDARD_RIGHTS_READ, FILE_READ_DATA, FILE_READ_ATTRIBUTES, and FILE_READ_EA

GENERIC_WRITE

STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, and FILE_APPEND_DATA

GENERIC_EXECUTE

STANDARD_RIGHTS_EXECUTE, SYNCHRONIZE, and FILE_EXECUTE. This value is irrelevant to device and intermediate drivers.

The STANDARD_RIGHTS_XXX are predefined system values used to enforce security on system objects.

To open or create a directory file, as also indicated with the CreateOptions parameter, callers of ZwCreateFile can specify one or a combination of the following, possibly ORed with one or more compatible flags from the preceding DesiredAccess Flags list:

DesiredAccess to Directory Values

Meaning

FILE_LIST_DIRECTORY

Files in the directory can be listed.

FILE_TRAVERSE

The directory can be traversed: that is, it can be part of the pathname of a file.

The FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE, and FILE_APPEND_DATA DesiredAccess flags are incompatible with creating or opening a directory file.

ObjectAttributes
Points to a structure already initialized with InitializeObjectAttributes. Members of this structure for a file object include the following:

Member

Value

ULONG Length

Specifies the number of bytes of ObjectAttributes data supplied. This value must be at least sizeof(OBJECT_ATTRIBUTES).

PUNICODE_STRING ObjectName

Points to a buffered Unicode string naming the file to be created or opened. This value must be a fully qualified file specification or the name of a device object, unless it is the name of a file relative to the directory specified by RootDirectory. For example, \Device\Floppy1\myfile.dat or \??\B:\myfile.dat could be the fully qualified file specification, provided that the floppy driver and overlying file system are already loaded. (Note: \?? replaces \DosDevices as the name of the Win32 object namespace. \DosDevices will still work, but \?? is translated faster by the object manager.)

HANDLE RootDirectory

Optionally specifies a handle to a directory obtained by a preceding call to ZwCreateFile. If this value is NULL, the ObjectName member must be a fully qualified file specification that includes the full path to the target file. If this value is nonNULL, the ObjectName member specifies a file name relative to this directory.

PSECURITY_DESCRIPTOR SecurityDescriptor

Optionally specifies a security descriptor to be applied to a file. ACLs specified by such a security descriptor are only applied to the file when it is created. If the value is NULL when a file is created, the ACL placed on the file is file-system-dependent; most file systems propagate some part of such an ACL from the parent directory file combined with the caller's default ACL. Device and intermediate drivers can set this member to NULL.

PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService

Specifies the access rights a server should be given to the client's security context. This value is nonNULL only when a connection to a protected server is established, allowing the caller to control which parts of the caller’s security context are made available to the server and whether the server is allowed to impersonate the caller. Device and intermediate drivers usually set this member to NULL.

ULONG Attributes

Is a set of flags that controls the file object attributes. This value can be zero or OBJ_CASE_INSENSITIVE, which indicates that name-lookup code should ignore the case of ObjectName rather than performing an exact-match search. The value OBJ_INHERIT is irrelevant to device and intermediate drivers.

IoStatusBlock
Points to a variable that receives the final completion status and information about the requested operation. On return from ZwCreateFile, the Information member contains one of the following values:

FILE_CREATED
FILE_OPENED
FILE_OVERWRITTEN
FILE_SUPERSEDED
FILE_EXISTS
FILE_DOES_NOT_EXIST

AllocationSize
Optionally specifies the initial allocation size in bytes for the file. A nonzero value has no effect unless the file is being created, overwritten, or superseded.
FileAttributes
Explicitly specified attributes are applied only when the file is created, superseded, or, in some cases, overwritten. By default, this value is FILE_ATTRIBUTE_NORMAL, which can be overridden by any other flag or by an ORed combination of compatible flags. Possible FileAttributes flags include the following:

FileAttributes Flags

Meaning

FILE_ATTRIBUTE_NORMAL

A file with standard attributes should be created.

FILE_ATTRIBUTE_READONLY

A read-only file should be created.

FILE_ATTRIBUTE_HIDDEN

A hidden file should be created.

FILE_ATTRIBUTE_SYSTEM

A system file should be created.

FILE_ATTRIBUTE_ARCHIVE

The file should be marked so that it will be archived.

FILE_ATTRIBUTE_TEMPORARY

A temporary file should be created.

FILE_ATTRIBUTE_ATOMIC_WRITE

An atomic-write file should be created. This flag is irrelevant to device and intermediate drivers.

FILE_ATTRIBUTE_XACTION_WRITE

A transaction-write file should be created. This flag is irrelevant to device and intermediate drivers.

ShareAccess
Specifies the type of share access that the caller would like to the file, as zero, or as one or a combination of the following:

ShareAccess Flags

Meaning

FILE_SHARE_READ

The file can be opened for read access by other threads’ calls to ZwCreateFile.

FILE_SHARE_WRITE

The file can be opened for write access by other threads’ calls to ZwCreateFile.

FILE_SHARE_DELETE

The file can be opened for delete access by other threads’ calls to ZwCreateFile.

Device and intermediate drivers usually set ShareAccess to zero, which gives the caller exclusive access to the open file.

CreateDisposition
Specifies what to do, depending on whether the file already exists, as one of the following:

CreateDispostion Values

Meaning

FILE_SUPERSEDE

If the file already exists, replace it with the given file. If it does not, create the given file.

FILE_CREATE

If the file already exists, fail the request and do not create or open the given file. If it does not, create the given file.

FILE_OPEN

If the file already exists, open it instead of creating a new file. If it does not, fail the request and do not create a new file.

FILE_OPEN_IF

If the file already exists, open it. If it does not, create the given file.

FILE_OVERWRITE

If the file already exists, open it and overwrite it. If it does not, fail the request.

FILE_OVERWRITE_IF

If the file already exists, open it and overwrite it. If it does not, create the given file.

CreateOptions
Specifies the options to be applied when creating or opening the file, as a compatible combination of the following flags:

CreateOptions Flags

Meaning

FILE_DIRECTORY_FILE

The file being created or opened is a directory file. With this flag, the CreateDisposition parameter must be set to one of FILE_CREATE, FILE_OPEN, or FILE_OPEN_IF. With this flag, other compatible CreateOptions flags include only the following: FILE_SYNCHRONOUS_IO_ALERT, FILE_SYNCHRONOUS_IO
_NONALERT, FILE_WRITE_THROUGH, FILE_OPEN_FOR_BACKUP_INTENT, and FILE_OPEN_BY_FILE_ID.

FILE_NON_DIRECTORY_FILE

The file being opened must not be a directory file or this call will fail. The file object being opened can represent a data file, a logical, virtual, or physical device, or a volume.

FILE_WRITE_THROUGH

System services, FSDs, and drivers that write data to the file must actually transfer the data into the file before any requested write operation is considered complete. This flag is automatically set if the CreateOptions flag FILE_NO_INTERMEDIATE
_BUFFERING is set.

FILE_SEQUENTIAL_ONLY

All accesses to the file will be sequential.

FILE_RANDOM_ACCESS

Accesses to the file can be random, so no sequential read-ahead operations should be performed on the file by FSDs or the system.

FILE_NO_INTERMEDIATE
_BUFFERING

The file cannot be cached or buffered in a driver’s internal buffers. This flag is incompatible with the DesiredAccess FILE_APPEND_DATA flag.

FILE_SYNCHRONOUS_IO_ALERT

All operations on the file are performed synchronously. Any wait on behalf of the caller is subject to premature termination from alerts. This flag also causes the I/O system to maintain the file position context. If this flag is set, the DesiredAccess SYNCHRONIZE flag also must be set.

FILE_SYNCHRONOUS_IO
_NONALERT

All operations on the file are performed synchronously. Waits in the system to synchronize I/O queueing and completion are not subject to alerts. This flag also causes the I/O system to maintain the file position context. If this flag is set, the DesiredAccess SYNCHRONIZE flag also must be set.

FILE_CREATE_TREE_CONNECTION

Create a tree connection for this file in order to open it over the network. This flag is irrelevant to device and intermediate drivers.

FILE_COMPLETE_IF_OPLOCKED

Complete this operation immediately with an alternate success code if the target file is oplocked, rather than blocking the caller's thread. If the file is oplocked, another caller already has access to the file over the network. This flag is irrelevant to device and intermediate drivers.

FILE_NO_EA_KNOWLEDGE

If the extended attributes on an existing file being opened indicate that the caller must understand EAs to properly interpret the file, fail this request because the caller does not understand how to deal with EAs. Device and intermediate drivers can ignore this flag.

FILE_DELETE_ON_CLOSE

Delete the file when the last handle to it is is passed to ZwClose.

FILE_OPEN_BY_FILE_ID

The file name contains the name of a device and a 64-bit ID to be used to open the file. This flag is irrelevant to device and intermediate drivers.

FILE_OPEN_FOR_BACKUP_INTENT

The file is being opened for backup intent, hence, the system should check for certain access rights and grant the caller the appropriate accesses to the file before checking the input DesiredAccess against the file's security descriptor. This flag is irrelevant to device and intermediate drivers.

EaBuffer
For device and intermediate drivers, this parameter must be a NULL pointer.
EaLength
For device and intermediate drivers, this parameter must be zero.

Return Value

ZwCreateFile either returns STATUS_SUCCESS or an appropriate error status. If it returns an error status, the caller can find more information about the cause of the failure by checking the IoStatusBlock.

Comments

There are two alternate ways to specify the name of the file to be created or opened with ZwCreateFile:

  1. As a fully qualified pathname, supplied in the ObjectName member of the input ObjectAttributes

  2. As pathname relative to the directory file represented by the handle in the RootDirectory member of the input ObjectAttributes

Certain DesiredAccess flags and combinations of flags have the following effects:

The ShareAccess parameter determines whether separate threads can access the same file, possibly simultaneously. Provided that both file openers have the privilege to access a file in the specified manner, the file can be successfully opened and shared. If the original caller of ZwCreateFile does not specify FILE_SHARE_READ, FILE_SHARE_WRITE, or FILE_SHARE_DELETE, no other open operations can be performed on the file: that is, the original caller is given exclusive access to the file.

In order for a shared file to be successfully opened, the requested DesiredAccess to the file must be compatible with both the DesiredAccess and ShareAccess specifications of all preceding opens that have not yet been released with ZwClose. That is, the DesiredAccess specified to ZwCreateFile for a given file must not conflict with the accesses that other openers of the file have disallowed.

The CreateDispostion value FILE_SUPERSEDE requires that the caller have DELETE access to a existing file object. If so, a successful call to ZwCreateFile with FILE_SUPERSEDE on an existing file effectively deletes that file, and then recreates it. This implies that, if the file has already been opened by another thread, it opened the file by specifying a ShareAccess parameter with the FILE_SHARE_DELETE flag set. Note that this type of disposition is consistent with the POSIX style of overwriting files.

The CreateDisposition values FILE_OVERWRITE_IF and FILE_SUPERSEDE are similar. If ZwCreateFile is called with a existing file and either of these CreateDisposition values, the file will be replaced.

Overwriting a file is semantically equivalent to a supersede operation, except for the following:

The CreateOptions FILE_DIRECTORY_FILE value specifies that the file to be created or opened is a directory file. When a directory file is created, the file system creates an appropriate structure on the disk to represent an empty directory for that particular file system's on-disk structure. If this option was specified and the given file to be opened is not a directory file, or if the caller specified an inconsistent CreateOptions or CreateDispostion value, the call to ZwCreateFile will fail.

The CreateOptions FILE_NO_INTERMEDIATE_BUFFERING flag prevents the file system from performing any intermediate buffering on behalf of the caller. Specifying this value places certain restrictions on the caller's parameters to other Zw..File routines, including the following:

The CreateOptions FILE_SYNCHRONOUS_IO_ALERT and FILE_SYNCHRONOUS_IO_NONALERT, which are mutually exclusive as their names suggest, specify that all I/O operations on the file are to be synchronous as long as they occur through the file object referred to by the returned FileHandle. All I/O on such a file is serialized across all threads using the returned handle. With either of these CreateOptions, the DesiredAccess SYNCHRONIZE flag must be set so that the I/O Manager will use the file object as a synchronization object. With either of these CreateOptions set, the I/O Manager maintains the “file position context” for the file object, an internal, current file position offset. This offset can be used in calls to ZwReadFile and ZwWriteFile. Its position also can be queried or set with ZwQueryInformationFile and ZwSetInformationFile.

Callers of ZwCreateFile must be running at IRQL PASSIVE_LEVEL.

See Also

InitializeObjectAttributes, DEVICE_OBJECT, IO_STATUS_BLOCK, ZwClose, ZwReadFile, ZwQueryInformationFile, ZwSetInformationFile, ZwWriteFile