I want to monitor any I/O and transaction activity that occurs in the system. I am using minispy as an example. Can I use minispy in such a way that I don’t need to explicitly attach a drive letter to minispy?
I want to monitor the whole file system.
In the user-mode application, we attach a drive letter to minispy using the following command to start monitoring that drive:
/a DriveLetter
So is there any way to do this without explicitly attaching a drive letter?
Well, all “/a” does is simply call FilterAttach. You can modify the user side of minispy to call FilterAttach yourself during initialization if you want to… Also, you can enumerate and attach to all volumes with FilterVolumeFindFirst.
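
The enumeration the reply describes, as an added example (not code from the thread or from the minispy sample): FilterVolumeFindFirst and FilterVolumeFindNext walk the volumes Filter Manager knows about, and FilterAttach is called for each one. The names `attach_all_volumes` and `copy_counted_name` are hypothetical; the Win32 part is guarded so the name helper also builds on other platforms.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* FilterVolumeName is counted in bytes and is NOT NUL-terminated.
   Copy it into a terminated buffer; return 0 on success, -1 if it does not fit. */
int copy_counted_name(const wchar_t *src, size_t srcBytes,
                      wchar_t *dst, size_t dstCch)
{
    size_t cch = srcBytes / sizeof(wchar_t);
    if (dstCch == 0 || cch >= dstCch)
        return -1;
    memcpy(dst, src, cch * sizeof(wchar_t));
    dst[cch] = L'\0';
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <fltuser.h>   /* link with fltlib.lib */
#include <stdio.h>

/* Attach the minifilter registered as filterName to every enumerated volume.
   Returns the number of volumes where FilterAttach succeeded. */
int attach_all_volumes(const wchar_t *filterName)
{
    union { FILTER_VOLUME_BASIC_INFORMATION info; BYTE raw[1024]; } buf;
    wchar_t name[512];
    DWORD got = 0;
    HANDLE find = INVALID_HANDLE_VALUE;
    int attached = 0;

    HRESULT hr = FilterVolumeFindFirst(FilterVolumeBasicInformation,
                                       &buf, sizeof(buf), &got, &find);
    while (SUCCEEDED(hr)) {   /* ends on ERROR_NO_MORE_ITEMS or any other error */
        if (copy_counted_name(buf.info.FilterVolumeName,
                              buf.info.FilterVolumeNameLength, name, 512) == 0) {
            /* NULL instance name: use the filter's default instance */
            HRESULT ahr = FilterAttach(filterName, name, NULL, 0, NULL);
            if (SUCCEEDED(ahr)) attached++;
            else fwprintf(stderr, L"%ls: FilterAttach failed, hr=0x%08lx\n",
                          name, (unsigned long)ahr);
        }
        hr = FilterVolumeFindNext(find, FilterVolumeBasicInformation,
                                  &buf, sizeof(buf), &got);
    }
    if (find != INVALID_HANDLE_VALUE) FilterVolumeFindClose(find);
    return attached;
}
#endif
```

Call `attach_all_volumes` once during the user-mode program's initialization, passing the name the filter is registered under.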