Detecting USB mount/dismounts

I’m trying to catch notification of USB drives being attached and detached
in a minifilter. At first I thought I’d just watch for IRP_MJ_VOLUME_MOUNT
and IRP_MJ_VOLUME_DISMOUNT. For some reason, I get the IRP_MJ_VOLUME_MOUNT
message about once per second (in the Post callback), whether the USB drive
is in or not (this is on Windows 2008 R2, 64-bit). I apparently don’t
understand what that message is supposed to mean. (IRP_MJ_VOLUME_DISMOUNT
works as I expected).

So after looking through the archives, someone pointed out that
PFLT_INSTANCE_SETUP_CALLBACK and PFLT_INSTANCE_TEARDOWN_CALLBACK are a
better way to go. In this case I never get PFLT_INSTANCE_SETUP_CALLBACK
(when the filter starts, or when plugging in a USB drive), while
PFLT_INSTANCE_TEARDOWN_CALLBACK (for the TeardownComplete callback) works
exactly as expected.

Is there a better way to be notified of USB drives being added or removed
from a system? Is there some additional step besides registering callbacks
with FltRegisterFilter that needs to be done?

Thank you for any ideas.

Well, my understanding of IRP_MJ_MOUNT_VOLUME is that minifilters can fail
it and this way they can fail a volume mount. The instance setup callback is
called after that, when the volume is already mounted and the minifilter can
at that point only decide whether it wants to attach to the volume or not
(and not fail the mount…)…

As far as USB drives are concerned, you should get the instance setup
notification, but it’s not going to be when the USB drive is added to the
system but rather the first time someone tries to access the volume. If for
whatever reason the USB gets added and it’s never mounted then you won’t get
the notification.

I would start by investigating why you see all those IRP_MJ_VOLUME_MOUNT
callbacks… Perhaps there is someone else actively failing the mounts and so
the IRP_MJ_VOLUME_MOUNT callback sees all the mounts but there is never an
instance setup callback because the volume never gets mounted? I’m not
saying this is the actual cause, but it’s just something that would generate
the same symptoms… :)

Thanks,

Alex.

Thank you for the advice Alex.

I started trying to track down the multiple IRP_MJ_VOLUME_MOUNT callbacks
like you suggested. After a reboot, they aren’t happening any longer. My
only guess is some diagnostic programs I had loaded earlier were causing the
problem. (I hate problems that disappear on their own)

Doug

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alex Carp
Sent: Thursday, July 01, 2010 5:46 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Detecting USB mount/dismounts

Well, my understanding of IRP_MJ_MOUNT_VOLUME is that minifilters can fail
it and this way they can fail a volume mount. The instance setup callback is
called after that, when the volume is already mounted and the minifilter can
at that point only decide whether it wants to attach to the volume or not
(and not fail the mount…)…

As far as USB drives are concerned, you should get the instance setup
notification, but it’s not going to be when the USB drive is added to the
system but rather the first time someone tries to access the volume. If for
whatever reason the USB gets added and it’s never mounted then you won’t get
the notification.

I would start by investigating why you see all those IRP_MJ_VOLUME_MOUNT
callbacks… Perhaps there is someone else actively failing the mounts and so
the IRP_MJ_VOLUME_MOUNT callback sees all the mounts but there is never an
instance setup callback because the volume never gets mounted? I’m not
saying this is the actual cause, but it’s just something that would generate
the same symptoms… :)

Thanks,

Alex.



Can’t you use WM_DEVICECHANGE messages to detect the USB device for your
application?

On Fri, Jul 2, 2010 at 3:40 AM, Doug wrote:

> I’m trying to catch notification of USB drives being attached and
> detached in a minifilter. At first I thought I’d just watch for
> IRP_MJ_VOLUME_MOUNT and IRP_MJ_VOLUME_DISMOUNT. For some reason, I get the
> IRP_MJ_VOLUME_MOUNT message about once per second (in the Post callback),
> whether the USB drive is in or not (this is on Windows 2008 R2, 64-bit). I
> apparently don’t understand what that message is supposed to mean.
> (IRP_MJ_VOLUME_DISMOUNT works as I expected).
>
> So after looking through the archives, someone pointed out that
> PFLT_INSTANCE_SETUP_CALLBACK and PFLT_INSTANCE_TEARDOWN_CALLBACK are a
> better way to go. In this case I never get PFLT_INSTANCE_SETUP_CALLBACK
> (when the filter starts, or when plugging in a USB drive), while
> PFLT_INSTANCE_TEARDOWN_CALLBACK (for the TeardownComplete callback) works
> exactly as expected.
>
> Is there a better way to be notified of USB drives being added or removed
> from a system? Is there some additional step besides registering callbacks
> with FltRegisterFilter that needs to be done?
>
> Thank you for any ideas.


Prageeth Madhushanka
Sri Lanka