Detecting mapped file writes

Hello there,

In my minifilter I need to detect every Write file operation, not only using the normal I/O, but also the mapped ones. I register an IRP_MJ_WRITE callback, without the IGNORE_PAGING_IO option, but I cannot see any modification to the mapped file.

I have inspected the PAGING_IO Write operations, but none of those matches the operation that I am tracking for testing this issue.

So, is it correct to say that the writing against mapped files is carried within PAGING_IO operations? Or should I also see “normal” IO writes for mapped files?

What would be the best method to detect the mapped file Write operations?

TIA

You will not see a “normal” IO write for the mapped files. Check out “IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION” and “IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION” for more information.

You can register your callback before and after the file is mapped.

thanks

Hi Rajesh,

I am aware of those IRPs, I can register a callback for them, but my problem is about detecting write operations on mapped files, not the mapping itself.

Thanks for your response anyway.

For write operations, you will receive the Paging IO writes for mapped writes. This is when you can see the data. You will not see any “normal” write.

Thanks for the info.
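
An added example, not code from any poster in this thread: a user-mode C model of how the two callbacks mentioned in the replies combine, remembering in the section-synchronization callback that a writable section was created and then tagging paging writes on that stream in the IRP_MJ_WRITE callback. The constants and the sync-type enum are stand-ins mirroring the WDK definitions; `stream_state`, `write_kind` and the function names are hypothetical, and treating every paging write on such a stream as possibly mapped is a conservative assumption, since cache flushes of ordinary cached writes also arrive as paging I/O.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins so this builds outside the WDK; a driver gets them from its headers. */
#define IRP_NOCACHE            0x00000001u
#define IRP_PAGING_IO          0x00000002u
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u  /* copy-on-write: never written back to the file */
#define PAGE_EXECUTE_READWRITE 0x40u
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection } sync_type;

/* Hypothetical per-stream state; a minifilter would keep it in a stream context. */
typedef struct { bool writable_section; } stream_state;

typedef enum { W_CACHED, W_NONCACHED, W_PAGING_FLUSH,
               W_PAGING_MAPPED_POSSIBLE } write_kind;

/* Models the pre-op for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION. */
void on_section_sync(stream_state *s, sync_type type, uint32_t page_protection)
{
    if (type == SyncTypeCreateSection &&
        (page_protection & (PAGE_READWRITE | PAGE_EXECUTE_READWRITE)))
        s->writable_section = true;   /* views of this section can dirty file pages */
}

/* Models the pre-op for IRP_MJ_WRITE, registered so paging I/O is not skipped. */
write_kind on_pre_write(const stream_state *s, uint32_t irp_flags)
{
    if (!(irp_flags & IRP_PAGING_IO))  /* WriteFile-style request from the caller */
        return (irp_flags & IRP_NOCACHE) ? W_NONCACHED : W_CACHED;
    /* Paging write: issued by the system later, not in the modifying thread. */
    return s->writable_section ? W_PAGING_MAPPED_POSSIBLE : W_PAGING_FLUSH;
}

int main(void)
{
    stream_state s = { false };       /* constructed sequence of events */
    printf("paging write, no section: %d\n",
           on_pre_write(&s, IRP_PAGING_IO | IRP_NOCACHE));
    on_section_sync(&s, SyncTypeCreateSection, PAGE_READWRITE);
    printf("paging write, after RW section: %d\n",
           on_pre_write(&s, IRP_PAGING_IO | IRP_NOCACHE));
    return 0;
}
```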