Hi,
I am trying to write an FSFD for journaling the writes on a set of files.
This is mainly to log all the writes on the file, including data.
I am facing a few issues with this.
NOTE: I am intercepting the writes with IRP_IO_NOCACHE.
- When I copy the files through Explorer, I get all the writes properly,
  but if I recopy the files, the writes happen on the file using some cache
  mgr file. So the FsContext is different from the one I got during create.
  FileObject->FileName.Buffer is NULL and the related file object is NULL.
  So I try to query the file name for such a file object which is not a
  metadata file. Sometimes I see a deadlock where NTFS is trying to flush
  the volume for a previous open/create, and when I try to query the file
  name it is stuck on the lock which is held by the flush volume. Any ideas?
- Another thing is when I open a file with FILE_ATTRIBUTE_NORMAL, the write
  happens on the file named "$ConvertToNonresident", so when I see writes on
  this file I query the underlying file system for the actual name of the
  file and then log it if it happens to be the file which I am monitoring.
  Is this safe?
Thanks in advance.
Regards,
Vijay