I am building a file system minifilter driver to track all I/Os to a volume, which becomes the foundation for our incremental backups for our disk image backups.
I have taken the minispy sample driver. We have registered IRP_MJ_WRITE alone.
On analyzing the arguments received during the pre-op and post-op callbacks:
PFLT_CALLBACK_DATA Data
Data->Iopb->Parameters.Write.ByteOffset; // the file offset of the I/O
Data->Iopb->Parameters.Write.Length; // total I/O length
The file offset of the I/O is received. Is there any argument which directly gives me the volume offset, like legacy filters?
To map the file offset to a volume offset I have used this API call:
FltFsControlFile(Data->Iopb->TargetInstance, FltObjects->FileObject, …)
with the FSCTL_GET_RETRIEVAL_POINTERS IOCTL,
which fetches the cluster extents or runs of the entire file.
But the API returns STATUS_END_OF_FILE for small files (less than cluster size, data written in the MFT record itself)
and INVALID_PARAMETER for system files such as $MFT, $LogFile, etc.
Any inputs would be highly valuable. Is my approach correct or should I go for another approach?
You will have no luck mapping a file offset to a volume offset in the I/O path. There are cases where this just won’t work at all (e.g. you can’t send that FSCTL during a paging I/O).
A file system filter gets you change block tracking at the file level. If you want change block tracking at the volume level then you need a volume filter.
Thanks Scott.
So you mean that a legacy filter driver is the only option I have.
Since Microsoft suggests porting legacy filters to the minifilter model, I was hoping for a way around.
@shafi747 said:
Thanks Scott.
So you mean that a legacy filter driver is the only option I have.
No, that’s not what I mean. I think there’s a terminology issue… Legacy file system filters are deprecated in favor of file system minifilters. If you are going to write a file system filter you need to use the minifilter model.
If you’re going to write a volume filter you write a Class Filter using WDF.
@“Scott_Noone_(OSR)” Can you suggest any sample driver that would help me with this? And I suppose a system reboot is required to load such drivers?
I don’t know of any samples that will be close to what you need. The Toaster Filter is a barebones filter to give you an idea on how to get started:
https://github.com/microsoft/Windows-driver-samples/tree/master/general/toaster/toastDrv/kmdf/filter/generic
You’ll need to at least add an EvtIoWrite event processing callback if you want to track write operations (see the initialization of the ioQueueConfig variable).
Installation requires two steps:
- Install the driver as a service (as you would any other driver)
- Add your service name to the UpperFilters value under the Volume Class Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}
There’s quite a bit of work to go from here to a working CBT volume filter. I don’t say this to discourage you but just to set your expectations properly.
Good luck!