Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Help on Minispy File System Minifilter Driver.

jay96612jay96612 Member Posts: 16
edited September 11 in NTFSD

I want to monitor any I/O and transaction activity that occurs in the system. I am using minispy as example. Can I use minispy such a way that I don't need to explicitly attach Drive Letter to minispy .?
I want to monitor on the whole file system.
In user mode application: we attach drive letter to minispy using following command to start monitor on that drive:

/a DriveLetter

so any way to do this without explicitly attaching drive letter.?

Thanks. Any help will be much appreciated.

· Share on Facebook

Comments

  • 0xrepnz0xrepnz Member Posts: 41

    Well all "/a" does it to simply call FilterAttach. You can modify the user side of minispy to call to FilterAttach yourself during initialization if you want too.. Also you can enumerate and attach to all volumes with FilterVolumeFindFirst

    You can also modify the minispy minifilter to attach in kernel mode.. (FltEnumerateVolumes + FltAttachVolume)

    - Ori Damari
    · Share on Facebook
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,352

    Minispy sets the "suppress automatic attachment" bit in the instance flags:

    ;Instances specific information.
DefaultInstance         = "Minispy - Top Instance"
Instance1.Name          = "Minispy - Middle Instance"
Instance1.Altitude      = "370000"
Instance1.Flags         = 0x1          ; Suppress automatic attachments
Instance2.Name          = "Minispy - Bottom Instance"
Instance2.Altitude      = "361000"
Instance2.Flags         = 0x1          ; Suppress automatic attachments
Instance3.Name          = "Minispy - Top Instance"
Instance3.Altitude      = "385100"
Instance3.Flags         = 0x1          ; Suppress automatic attachments

    Set Flags to zero and you'll automatically attach.

    -scott
    OSR

    · Share on Facebook
  • jay96612jay96612 Member Posts: 16

    @Scott_Noone_(OSR) Thank You very much for the info.

    · Share on Facebook
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register
Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE

Categories