Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Isolation Minifilter - after file saved every time, notepad++ noticed file modified by external proc

jgh0721jgh0721 Member Posts: 4

Isolation filters are manufactured using mini filters. After fixing a bug in which the file size changes according to the PageSize when saving, this time, a notification that the file has been changed externally appears every time the file is saved.

File write time changes after IRP_MJ_WRITE and Paging I/O, but there is no trace of additional change in file write time since then. I don't know why the process perceives that it has changed externally.

full IRP list was attched.

my code : https://github.com/jgh0721/Win-IO-Monitor , 0afd16a204ab8bb2e6950f580cd37f3ea9518895

https://pastebin.pl/view/5e82e092

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,362

    Applications usually detect changes using Directory Change Notifications. You can use this utility to see the change notifications during save:

    https://github.com/OSRDrivers/dirchange

    Compare the notifications you see with and without your filter. This won't give you an answer but should give you a place to start looking.

    -scott
    OSR

  • jgh0721jgh0721 Member Posts: 4

    First, Thanks. i will check my driver by dirchange.

    Recently, I fixed a problem with Notepad++.exe. By the way, this time I had the same problem with SynWrite.exe.

    Also, this problem only occurred on Windows XP. It did not happen on Windows 7, Windows 10 x86 I tested.

    SynWrite has its source code publicly available, it opens a file handle to check file changes, calls QueryDirectory(FileBasicInformation), and closes the handle. Repeat this action every second.

    To guess, SynWrite seems to use FileLastWriteTime, etc. acquired through FileBasicInformation, but there was no problem with the return value.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE