tracking changes made to a file

OSR_Community_User Member Posts: 110,217
I'm writing a minifilter driver for the purpose of tracking changes made to files.

What I have tried to do is:

I've registered for IRP_MJ_WRITE and am trying to read the file content in the pre-operation callback and post-operation callback. There are two main problems:
1. I'm reading the content of the file with FltReadFile(), and if I'm not mistaken nothing promises me that the function will not cause a page fault. Since the pre\post-operation callback runs in DPC I have a good chance of getting a BSOD.
2. Even if I don't get a blue screen, the above will likely cause a very significant penalty to the performance of the system.

Can anyone suggest a way to deal with the above problems?

Comments

  • Peter_Scott Member - All Emails Posts: 749
    Your pre-write handler better not be called at DISPATCH, though
    post-write may be called at DISPATCH. You can perform a read, ensuring
    you are correctly doing the cached/non-cached/paging, etc. within your
    FltReadFile() call but yes, it will incur an overhead. You are
    converting 1 IO into 2 if you only do the read in pre-write. For
    post-write you can return SYNCHRONIZE to ensure your completion is not
    called at DISPATCH. But if you perform a read in pre-write and you know
    the content of the write buffer, then what do you need to read in
    post-write?

    Pete
    --
    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295


  • Jamey_Kirby Member - All Emails Posts: 433
    On your IRP_MJ_WRITE, change the IRP to IRP_MJ_READ and set a completion
    handler. In that completion handler, change the IRP_MJ_READ back to an
    IRP_MJ_WRITE and send it down again. Tweaking your buffers as you need on
    the way down (i.e. swap out write buffer with new read buffer, and then
    swap back in the write buffer). This is about as fast as you can get. You
    can compare the two buffers to see if anything actually changed.
    Windows will do lots of writes of data that does not change. One
    optimization is that if the data does not change (compare read buffer to
    write buffer in read completion handler), you can skip the write
    altogether for added performance. I've used this trick in a volume filter to
    reduce writes to SSD; at a small performance penalty.

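The comparison step from the last reply (check the bytes already on disk against the incoming write buffer), written as portable user-mode C so it can be run outside a driver. This is an added example, not code from the thread: `diff_write` and `changed_extent` are hypothetical names, and it assumes the filter has already read the old bytes for the write's range before letting the write proceed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One run of bytes that a write actually changes, in file offsets. */
typedef struct { uint64_t offset; size_t length; } changed_extent;

/*
 * old_data: bytes currently in the file at file_offset; old_len < len
 *           models a write that extends past the old end of file.
 * new_data: the write buffer, len bytes.
 * Stores up to max_out changed runs in out[] and returns how many runs
 * exist in total. A return of 0 means the write changes nothing.
 */
size_t diff_write(uint64_t file_offset,
                  const uint8_t *old_data, size_t old_len,
                  const uint8_t *new_data, size_t len,
                  changed_extent *out, size_t max_out)
{
    size_t runs = 0, i = 0;
    while (i < len) {
        /* Skip bytes the write leaves unchanged. */
        while (i < len && i < old_len && old_data[i] == new_data[i])
            i++;
        if (i == len)
            break;
        /* Extend the run over differing bytes and bytes past old EOF. */
        size_t start = i;
        while (i < len && (i >= old_len || old_data[i] != new_data[i]))
            i++;
        if (runs < max_out) {
            out[runs].offset = file_offset + start;
            out[runs].length = i - start;
        }
        runs++;
    }
    return runs;
}

int main(void)
{
    /* Constructed sample: a 12-byte write at file offset 4096. */
    const uint8_t on_disk[]   = "AAAABBBBCCCC";
    const uint8_t write_buf[] = "AAAAXXBBCCCZ";
    changed_extent ext[4];
    size_t n = diff_write(4096, on_disk, 12, write_buf, 12, ext, 4);
    for (size_t k = 0; k < n && k < 4; k++)
        printf("changed: offset=%llu length=%zu\n",
               (unsigned long long)ext[k].offset, ext[k].length);
    return 0;
}
```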