Help on Minispy File System Minifilter Driver.

I want to monitor any I/O and transaction activity that occurs in the system. I am using minispy as an example. Can I use minispy in such a way that I don’t need to explicitly attach a drive letter to minispy?
I want to monitor the whole file system.
In the user-mode application, we attach a drive letter to minispy using the following command to start monitoring that drive:

/a DriveLetter

So is there any way to do this without explicitly attaching a drive letter?

Thanks. Any help will be much appreciated.

Well, all “/a” does is simply call FilterAttach. You can modify the user side of minispy to call FilterAttach yourself during initialization if you want to… Also, you can enumerate and attach to all volumes with FilterVolumeFindFirst.

You can also modify the minispy minifilter to attach in kernel mode… (FltEnumerateVolumes + FltAttachVolume)
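
The user-mode route from the reply above (FilterVolumeFindFirst, then FilterAttach per volume), as an added example that is not part of the original thread or of the minispy sample. The function names `copy_volume_name` and `attach_to_all_volumes` are hypothetical, and the filter name `minispy` is assumed to be the name the driver is registered under; the Windows-only part compiles under `_WIN32` and links against fltlib.lib.

```c
/* Added example, not code from the thread or the minispy sample.
 * Windows part: build with the SDK/WDK headers and link fltlib.lib. */
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* FilterVolumeName is not NUL-terminated and its length is in BYTES.
 * Copy it into dst (capacity dst_chars); returns chars copied, 0 if it won't fit. */
size_t copy_volume_name(wchar_t *dst, size_t dst_chars,
                        const wchar_t *src, size_t src_bytes)
{
    size_t n = src_bytes / sizeof(wchar_t);
    if (n == 0 || n >= dst_chars) return 0;
    memcpy(dst, src, n * sizeof(wchar_t));
    dst[n] = L'\0';
    return n;
}

#ifdef _WIN32
#include <windows.h>
#include <fltuser.h>
/* Attach `filter` to every volume; returns volumes with an instance, or -1. */
int attach_to_all_volumes(const wchar_t *filter)
{
    union { FILTER_VOLUME_BASIC_INFORMATION info; BYTE raw[1024]; } buf;
    WCHAR name[512];
    HANDLE find; DWORD got;
    int attached = 0;
    HRESULT hr = FilterVolumeFindFirst(FilterVolumeBasicInformation,
                                       &buf, sizeof(buf), &got, &find);
    if (FAILED(hr)) return -1;
    do {
        if (copy_volume_name(name, sizeof(name) / sizeof(name[0]),
                buf.info.FilterVolumeName, buf.info.FilterVolumeNameLength)) {
            /* NULL instance name = use DefaultInstance from the INF. */
            HRESULT ar = FilterAttach(filter, name, NULL, 0, NULL);
            if (SUCCEEDED(ar) || ar == ERROR_FLT_INSTANCE_NAME_COLLISION)
                attached++;   /* collision: already attached to this volume */
            else
                fwprintf(stderr, L"%ls: 0x%08lx\n", name, (unsigned long)ar);
        }
        hr = FilterVolumeFindNext(find, FilterVolumeBasicInformation,
                                  &buf, sizeof(buf), &got);
    } while (SUCCEEDED(hr));
    FilterVolumeFindClose(find);
    return hr == HRESULT_FROM_WIN32(ERROR_NO_MORE_ITEMS) ? attached : -1;
}
int main(void) { return attach_to_all_volumes(L"minispy") < 0; }
#endif
```

This is a one-time enumeration, so volumes mounted afterwards are not covered by it.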

Minispy sets the “suppress automatic attachment” bit in the instance flags:

;Instances specific information.
DefaultInstance         = "Minispy - Top Instance"
Instance1.Name          = "Minispy - Middle Instance"
Instance1.Altitude      = "370000"
Instance1.Flags         = 0x1          ; Suppress automatic attachments
Instance2.Name          = "Minispy - Bottom Instance"
Instance2.Altitude      = "361000"
Instance2.Flags         = 0x1          ; Suppress automatic attachments
Instance3.Name          = "Minispy - Top Instance"
Instance3.Altitude      = "385100"
Instance3.Flags         = 0x1          ; Suppress automatic attachments

Set Flags to zero and you’ll automatically attach.


@Scott_Noone_(OSR) Thank you very much for the info.