I need to start tracking the write IRPs happening on the volume. To do that, I thought of starting my tracking once I receive IOCTL_VOLUME_ONLINE to that volume.
Can Read and Write IRPs come before IOCTL_VOLUME_ONLINE to a volume?
Or should I rely on IRP_MN_MOUNT_VOLUME?
Basically, should I start tracking once I receive IRP_MN_MOUNT_VOLUME?
Which one is more reliable?
I remember seeing somewhere that people have mentioned that they have seen Read IRPs before IOCTL_VOLUME_ONLINE.
You do not need to filter ONLINE, and you surely do not need to filter any
sort of MOUNT IRPs in the file system. You can do everything you need in
the volume filter. Your tracking should start when you receive the first
write to the volume.
On Fri, Aug 3, 2018 at 7:07 AM xxxxx@yahoo.co.in <xxxxx@lists.osr.com> wrote:
> I need to start tracking the write IRPs happening on the volume. To do
> that, I thought of starting my tracking once I receive IOCTL_VOLUME_ONLINE
> to that volume.
> Can Read and Write IRPs come before IOCTL_VOLUME_ONLINE to a volume?
> Or should I rely on IRP_MN_MOUNT_VOLUME?
> Basically, should I start tracking once I receive IRP_MN_MOUNT_VOLUME?
> Which one is more reliable?
> I remember seeing somewhere that people have mentioned that they have seen
> Read IRPs before IOCTL_VOLUME_ONLINE.