Best approach to log events from an IRP_MJ_CREATE

Hello guys,

I have a legacy file system filter driver and I need to implement a way to register events in a log file from an IRP_MJ_CREATE.
I need to write to a log file whenever I receive a Create IRP that my filter handles.
Can you advise me about the techniques and the best way to achieve this?
I know that I can generate a recursive problem trying to do that, because a write-to-file operation in kernel mode will generate another Create IRP, right?

Thanks!

FltCreateFile can solve this problem for you. If you’re not using fltmgr:

a. why not?
b. you can use IoCreateFileSpecifyDeviceObjectHint

On Wed, Jul 14, 2010 at 10:04 AM, wrote:
> Hello guys,
>
> I have a legacy file system filter driver and I need to implement a way to register events in a log file from an IRP_MJ_CREATE.
> I need to write to a log file whenever I receive a Create IRP that my filter handles.
> Can you advise me about the techniques and the best way to achieve this?
> I know that I can generate a recursive problem trying to do that, because a write-to-file operation in kernel mode will generate another Create IRP, right?
>
> Thanks!
>
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

On 7/14/2010 8:04 AM, xxxxx@gmail.com wrote:

Hello guys,

I have a legacy file system filter driver and I need to implement a way to register events in a log file from an IRP_MJ_CREATE.
I need to write to a log file whenever I receive a Create IRP that my filter handles.
Can you advise me about the techniques and the best way to achieve this?
I know that I can generate a recursive problem trying to do that, because a write-to-file operation in kernel mode will generate another Create IRP, right?

Unless you want to create a new log file for every create you process,
create the log file during some other operation, say the mount
completion. Then in your create handler all you are doing is grabbing
your log file handle, or object, and performing a write to it. This
avoids the recursive open problem.

If you need to open a new log file in every open (not sure why you would,
but …), then you can queue it to a worker thread and recognize the
thread ID, or you can use IoCreateFileSpecifyDeviceObjectHint(). Both
of these have their own problems, since some other thread can queue your
open in the worker to another worker and then you lose context, or the
IoCreateFilexxx() call will fail in the case where the file is
reparsed to another location.

I recommend just opening the log file during mount completion, be sure
the volume has fully mounted before doing this. You can handle this
situation by queuing the create of the log file to a worker thread and
blocking in the create handler until the log file has been created.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
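The two remedies in this thread (a device-object hint so the log open enters the stack below the filter, and opening the log once outside the create path so the create handler only ever writes) can be seen side by side in a small model. This is an added example, not code from the thread or from any WDK sample, and it is portable user-mode C: the `Stack`, `deliver_create`, `open_log` and handler names are stand-ins for the I/O manager's device stack, for IoCreateFileSpecifyDeviceObjectHint and for a filter's IRP_MJ_CREATE dispatch routine, not the real kernel APIs, and `MAX_DEPTH` exists only so the broken case terminates instead of overflowing the stack.

```c
/*
 * User-mode model (not WDK code) of the recursion hazard discussed above.
 * A device "stack" is an array of create handlers; the I/O manager delivers
 * an IRP_MJ_CREATE to each one from the entry point downward. Our legacy
 * filter sits at index 0 and the file system at the bottom.
 */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 16  /* model-only cap so the broken case terminates */

typedef struct Stack Stack;
typedef void (*CreateHandler)(Stack *s, const char *path);

struct Stack {
    CreateHandler handlers[2];
    int count;
    int our_index;          /* position of our filter in the stack */
    int use_hint;           /* 1: open the log with a device-object hint */
    int open_log_lazily;    /* 1: open the log from inside the create path */
    int log_is_open;
    int active;             /* nesting depth of our create handler */
    int our_create_calls;   /* how often our create handler ran */
    int reentries;          /* handler entered while already on the stack */
    int log_opens;          /* creates for the log that reached the FS */
    int log_writes;
};

/* Deliver a create to every device from start_index down to the FS. */
static void deliver_create(Stack *s, int start_index, const char *path)
{
    for (int i = start_index; i < s->count; i++)
        s->handlers[i](s, path);
}

/* The file system: completing the create means the log is now open. */
static void fs_create(Stack *s, const char *path)
{
    if (strcmp(path, "\\log.txt") == 0) {
        s->log_opens++;
        s->log_is_open = 1;
    }
}

/* Open the log. Without a hint the create enters at the top of the stack
 * and hits our own filter again; with a hint (the analogue of
 * IoCreateFileSpecifyDeviceObjectHint) it enters at the device below us. */
static void open_log(Stack *s)
{
    if (s->active > MAX_DEPTH)
        return;  /* in a real driver this recursion would be unbounded */
    int entry = s->use_hint ? s->our_index + 1 : 0;
    deliver_create(s, entry, "\\log.txt");
}

/* A write on an already-open log is an IRP_MJ_WRITE: no create is produced,
 * so this path can never re-enter our create handler. */
static void write_log(Stack *s, const char *msg)
{
    (void)msg;
    if (s->log_is_open)
        s->log_writes++;
}

/* Our filter's IRP_MJ_CREATE handler. */
static void our_create(Stack *s, const char *path)
{
    s->our_create_calls++;
    if (s->active > 0)
        s->reentries++;
    s->active++;
    if (s->open_log_lazily && !s->log_is_open)
        open_log(s);
    write_log(s, path);
    s->active--;
}

/* Run one scenario: optionally pre-open the log at "mount completion",
 * then push external_creates ordinary creates through the stack. */
static Stack run_scenario(int use_hint, int preopen_log, int external_creates)
{
    Stack s = {0};
    s.handlers[0] = our_create;
    s.handlers[1] = fs_create;
    s.count = 2;
    s.our_index = 0;
    s.use_hint = use_hint;
    s.open_log_lazily = !preopen_log;
    if (preopen_log)  /* mount-time open, outside the create path */
        deliver_create(&s, 0, "\\log.txt");
    for (int i = 0; i < external_creates; i++)
        deliver_create(&s, 0, "\\data.bin");
    return s;
}

int main(void)
{
    Stack bad = run_scenario(0, 0, 3);
    Stack hinted = run_scenario(1, 0, 3);
    Stack preopened = run_scenario(0, 1, 3);
    printf("lazy open, no hint : reentries=%d log_opens=%d\n",
           bad.reentries, bad.log_opens);
    printf("lazy open, hinted  : reentries=%d log_opens=%d writes=%d\n",
           hinted.reentries, hinted.log_opens, hinted.log_writes);
    printf("pre-opened at mount: reentries=%d log_opens=%d writes=%d\n",
           preopened.reentries, preopened.log_opens, preopened.log_writes);
    return 0;
}
```

The first scenario re-enters the filter's create handler once per nesting level until the model's cap stops it; the hinted and pre-opened scenarios each open the log exactly once and produce one write per external create, which is the behaviour both replies above are aiming for.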

Also, if you decide to implement this approach of keeping a file opened on
the volume and writing to it then there is a sample in the WDK that shows
what a minifilter needs to do to not get in the way of operations on that
volume. The sample I’m talking about is MetadataManager.

Thanks,
Alex.

IoAllocateErrorLogEntry/IoWriteErrorLogEntry


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


Hello Guys!

Thanks for all suggestions. I will investigate each one.
As for the question of why I didn't implement the filter as a mini-filter:
the filter is part of a legacy system and there is no plan to
migrate it now, unfortunately.

Thanks once again,

Ismael Rocha

On Thu, Jul 15, 2010 at 8:50 PM, Maxim S. Shatskih
wrote:

> IoAllocateErrorLogEntry/IoWriteErrorLogEntry
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>

Oh, I missed the part where you said this was a legacy filter. However, if
you plan to maintain a log file on the volume then you should still take a
look at the metadata manager sample, most things in there are not specific
to minifilters.

Thanks,

Alex.

Hello,

I tried IoCreateFileSpecifyDeviceObjectHint() to avoid the recursion and it
seems to work successfully!
I will also look at the suggestion from buddy Shatskih,
IoAllocateErrorLogEntry/IoWriteErrorLogEntry, and at Peter Scott's
recommendations.

Thanks,

Ismael Rocha

On Fri, Jul 16, 2010 at 6:51 PM, Alex Carp wrote:

> Oh, I missed the part where you said this was a legacy filter. However,
> if you plan to maintain a log file on the volume then you should still take
> a look at the metadata manager sample, most things in there are not specific
> to minifilters.
>
> Thanks,
>
> Alex.

You could also use ETW and WPP in your driver. Very nice performance.
OSR has some articles on that, and check out \src\general\tracing\tracedrv in your WDK directory.
Look up ETW and WPP on the Microsoft website and OSR.
This could be a very nice way to log your data, because it is so light on the processor, and if you make the right trace messages it is low on storage space consumption too.
A few days ago I logged 3.1 million events from a minifilter, with full information about the operation, in 25 minutes and in 650 MB of space, with an average of 1-2% processor usage. You may want to take this into consideration too.