Fetch Volume Offset (LCN) of I/O During or After Post Op Callbacks

I am building a file system minifilter driver to track all I/Os to a volume, which becomes the foundation for our incremental backups for our disk image backups.

I have taken the minispy sample driver. We have registered IRP_MJ_WRITE alone.

On analyzing the arguments received during the Pre op and Post op callbacks:

PFLT_CALLBACK_DATA Data
Data->Iopb->Parameters.Write.ByteOffset; // the file offset of the I/O
Data->Iopb->Parameters.Write.Length; // total I/O length

The file offset of the I/O is received. Is there any argument which directly gives me the volume offset, like legacy filters?

To map the file Offset to volume offset I have used this API call
FltFsControlFile(Data->Iopb->TargetInstance, FltObjects->FileObject, …)

With FSCTL_GET_RETRIEVAL_POINTERS IOCTL

Which fetches the cluster extents or runs of the entire file.

But the API returns STATUS_END_OF_FILE for small files (less than cluster size, data written in the MFT record itself)
and INVALID_PARAMETER for system files such as $MFT, $Logfile, etc.

Any inputs would be highly valuable. Is my approach correct, or should I go for another approach?

You will have no luck mapping a file offset to a volume offset in the I/O path. There are cases where this just won’t work at all (e.g. you can’t send that FSCTL during a paging I/O).

A file system filter gets you change block tracking at the file level. If you want change block tracking at the volume level then you need a volume filter.

Thanks Scott.
So you mean that a legacy filter driver is the only option I have.
Since Microsoft suggests porting legacy filters to the minifilter model, I was hoping for a way around.

@shafi747 said:
Thanks Scott.
So you mean that a legacy filter driver is the only option I have.

No, that’s not what I mean. I think there’s a terminology issue… Legacy file system filters are deprecated in favor of file system minifilters. If you are going to write a file system filter you need to use the minifilter model.

If you’re going to write a volume filter you write a Class Filter using WDF.

@“Scott_Noone_(OSR)” Can you suggest any sample driver that would help me with this? And I suppose a system reboot is required to load such drivers?

I don’t know of any samples that will be close to what you need. The Toaster Filter is a barebones filter to give you an idea on how to get started:

https://github.com/microsoft/Windows-driver-samples/tree/master/general/toaster/toastDrv/kmdf/filter/generic

You’ll need to at least add an EvtIoWrite event processing callback if you want to track write operations (see the initialization of the ioQueueConfig variable).

Installation requires two steps:

  1. Install the driver as a service (as you would any other driver)
  2. Add your service name to the UpperFilters value under the Volume Class Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}

There’s quite a bit of work to go from here to a working CBT volume filter. I don’t say this to discourage you but just to set your expectations properly.

Good luck!
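
A volume filter's write callback sees a volume byte offset and a length, and the bookkeeping a CBT driver builds on top of that is a dirty-block bitmap. The block below is an added user-mode example, not code from this thread or from any Microsoft sample; `cbt_map`, its functions and the 64 KiB block size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical user-mode model of a change-block-tracking bitmap: one bit per block. */
typedef struct {
    uint64_t volume_bytes, block_count;
    uint32_t block_bytes;          /* tracking granularity (assumed 64 KiB below) */
    uint8_t *bits;                 /* 1 = block changed since the last backup */
} cbt_map;

int cbt_init(cbt_map *m, uint64_t volume_bytes, uint32_t block_bytes) {
    if (block_bytes == 0 || volume_bytes == 0) return -1;
    m->volume_bytes = volume_bytes;
    m->block_bytes = block_bytes;
    m->block_count = (volume_bytes - 1) / block_bytes + 1;   /* round up, no overflow */
    m->bits = calloc((size_t)((m->block_count + 7) / 8), 1);
    return m->bits ? 0 : -1;
}

/* Record one write (volume byte offset + length). Returns -1 if the range is rejected. */
int cbt_mark_write(cbt_map *m, uint64_t offset, uint64_t length) {
    if (length == 0) return 0;                         /* nothing changed */
    if (offset >= m->volume_bytes) return -1;          /* starts past the end */
    if (length > m->volume_bytes - offset) return -1;  /* runs past the end or wraps */
    uint64_t first = offset / m->block_bytes;
    uint64_t last = (offset + length - 1) / m->block_bytes;
    for (uint64_t b = first; b <= last; b++)           /* a write may straddle blocks */
        m->bits[b / 8] |= (uint8_t)(1u << (b % 8));
    return 0;
}

int cbt_is_dirty(const cbt_map *m, uint64_t block) {
    return block < m->block_count && ((m->bits[block / 8] >> (block % 8)) & 1);
}

uint64_t cbt_dirty_count(const cbt_map *m) {
    uint64_t n = 0;
    for (uint64_t b = 0; b < m->block_count; b++) n += (uint64_t)cbt_is_dirty(m, b);
    return n;
}

int main(void) {
    cbt_map m;
    if (cbt_init(&m, 1u << 20, 64 * 1024) != 0) return 1;   /* constructed 1 MiB volume */
    cbt_mark_write(&m, 65535, 2);            /* constructed write straddling blocks 0 and 1 */
    printf("%llu dirty blocks\n", (unsigned long long)cbt_dirty_count(&m));
    free(m.bits);
    return 0;
}
```

In a real driver the bitmap would live in non-paged memory and be updated under a lock, since write callbacks can run concurrently.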