Detect file size change at IRP_MJ_CLOSE

Is there any way to check if a certain file’s size has changed while it was open? I’ve checked the FO_FILE_SIZE_CHANGED flag in the Flags member of the FILE_OBJECT when I handle IRP_MJ_CLOSE but it is always missing.

Thanks.

If you mean if there is a flag - no. You can only detect the size at create and compare it.
However, consider this scenario:

  • AppA opens the file and appends a page (changes the size)
  • AppB opens the file and deletes a page (size reverted)
  • AppB closes the file - at this point you would detect a file size change, even though nothing changed, depending on the purpose of course.
  • AppA closes the file - no file size change detected. Again, depending on the purpose, that would be incorrect.

I can think of several similar scenarios where simply using the stream vs. handle vs. file context will not work for that scenario. I only mentioned the scenario so you can work out possible cases based on what you require.

Regards, Dejan.


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Hello,

At this point I call ZwQueryInformationFile at every IRP_MJ_CLOSE to retrieve the new file size.
I just wanted a way to detect if any change has occurred to eliminate any extra overhead (unnecessary ZwQueryInformationFile calls).

Thanks.

Maybe you should check IRP_MJ_SET_INFORMATION with info type FileAllocationInformation?
Check if the size was changed and save this info in the stream context.

On Sun, Mar 13, 2011 at 2:54 AM, wrote:

> Hello,
>
> At this point I call ZwQueryInformationFile at every IRP_MJ_CLOSE to
> retrieve the new file size.
> I just wanted a way to detect if any change has occurred to eliminate any
> extra overhead (unnecessary ZwQueryInformationFile calls).
>
> Thanks.

That will not detect uncached writes from user mode changing the
file size.

Sergey Pisarev wrote:

Maybe you should check IRP_MJ_SET_INFORMATION with info type FileAllocationInformation?
Check if the size was changed and save this info in the stream context.

Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Could you just watch for IRP_MJ_WRITE and then you would know if any I/O was made to the file, even if it was just an overwrite instead of a file change?

If you are only interested in file size change, get the size at IRP_MJ_CREATE, and then again at IRP_MJ_CLOSE, and compare the two.
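
The AppA/AppB scenario from the first reply, as an added example that is not part of any post in this thread: a user-mode C model (not driver code) that compares the create/close size comparison done per open with a per-stream flag set by any operation that moves end of file. All type and function names are hypothetical, the sample files are constructed, and sizes are counted in pages.

```c
/* User-mode model of the thread's AppA/AppB scenario; not driver code.
   All names are hypothetical. Sizes are in pages. */
#include <stdbool.h>
#include <stdio.h>

typedef struct { long size; bool size_touched; } stream_t;     /* per-stream state */
typedef struct { stream_t *s; long size_at_create; } handle_t; /* per-open state */

static handle_t open_file(stream_t *s) {
    handle_t h = { s, s->size };          /* record the size seen by this open */
    return h;
}
/* Models a request that sets end of file directly (truncate or extend). */
static void set_eof(handle_t *h, long new_size) {
    if (new_size != h->s->size) { h->s->size = new_size; h->s->size_touched = true; }
}
/* Models a write: only a write that ends past end of file changes the size. */
static void write_at(handle_t *h, long offset, long length) {
    if (offset + length > h->s->size) set_eof(h, offset + length);
}
/* Per-open check at close: size at create versus size now. */
static bool changed_per_open(const handle_t *h) {
    return h->s->size != h->size_at_create;
}
/* Per-stream check at close: is a size query worth issuing at all? */
static bool query_needed(const handle_t *h) { return h->s->size_touched; }

typedef struct { bool b_changed, a_changed, a_query, overwrite_query; } result_t;

static result_t run_scenario(void) {
    stream_t f = { 4, false }, g = { 4, false };  /* constructed sample files */
    result_t r;
    handle_t a = open_file(&f);
    write_at(&a, 4, 1);                   /* AppA appends a page: 4 -> 5 */
    handle_t b = open_file(&f);
    set_eof(&b, 4);                       /* AppB deletes a page: 5 -> 4 */
    r.b_changed = changed_per_open(&b);   /* AppB closes: change reported */
    r.a_changed = changed_per_open(&a);   /* AppA closes: no change reported */
    r.a_query = query_needed(&a);         /* the stream flag still records activity */
    handle_t c = open_file(&g);
    write_at(&c, 0, 2);                   /* overwrite in place, size unchanged */
    r.overwrite_query = query_needed(&c); /* close can skip the size query */
    return r;
}
int main(void) {
    result_t r = run_scenario();
    printf("B changed=%d A changed=%d A query=%d overwrite query=%d\n",
           r.b_changed, r.a_changed, r.a_query, r.overwrite_query);
    return 0;
}
```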