I’m trying to get information about reads/writes in the system and almost finished a minifilter. But it doesn’t look so good.
minifilter doesn’t receive operations with pagefile and few other system files.
Procmon (by sysinternals) can see this operations and it uses Event Tracing. But how it works? Looks like operation system
already have file/io provider and driver isn’t required, only usermode app. But as I see in traceview WDK sample, there is no
filenames, only FileObj pointers -how to resolve them to filenames in usermode?
Is there any good documentation about event tracing? Msdn (in this part) isn’t easy to understand.
–
Pavel Sokolov