File Change Detection

Hi all,

I am sure this has been asked before, but I couldn’t find anything in the FAQ or the NTFSD list:

I am trying to capture file changes and would like to modify filespy from the IFS kit for that purpose. I am looking at the IRPs being logged using filespy. I opened a Word doc and started logging (using filespy.exe). I then wrote one char to the Word doc and saved the file via Ctrl-S. I then immediately stopped logging.

The log file shows something like 50+ entries related to that file. A lot of times there was a sequence of:

IRP_MJ_CREATE d:\WordTest.doc

QUERY_BASIC_INFO d:\WordTest.doc

IRP_MJ_CLEANUP d:\WordTest.doc

IRP_MJ_CLOSE d:\WordTest.doc

As for writes, I only see these:

IRP_MJ_WRITE IRP_MN_NORMAL d:\$LogFile

There are also a lot of entries like these:

IRP_MJ_CREATE d:\

So my questions are:

  • Are the many similar IRPs related to reentrancy?

  • Can I capture a file change by just looking at one particular IRP? Or how else can I distinguish that IRPs are for the same operation on the same file?

  • How can I ignore all the creates and other operations that are for d:\ (as well as the recycler and desktop.ini)? Since I didn’t change that directory per se that is not a change I am interested in.

  • Why do I sometimes see a file called d:\~$otherWordTest.doc (in the filespy log) and sometimes I don’t when I save? Is that a timing issue (e.g. does this file take several seconds to get created, and when the original file is saved before the creation of the temporary file, the latter won’t be used)?

Thanks a lot, bjorn


> The log file shows something like 50+ entries related to that file.

Well, starting with MS Word as a test subject might be problematic
for a beginner. Word (and all other “big” applications)
usually perform many steps when saving a file. They test
whether the file exists multiple times, create temporary
files for saving, and even read the file back to verify
the written data.

> A lot of times there was a sequence of:
> IRP_MJ_CREATE d:\WordTest.doc
> QUERY_BASIC_INFO d:\WordTest.doc
> IRP_MJ_CLEANUP d:\WordTest.doc
> IRP_MJ_CLOSE d:\WordTest.doc

This is either a test whether the file exists (using GetFileAttributes)
or a real query for file attributes or file size.

> Are the many similar IRPs related to reentrancy?

No. There are so many IRPs because there are so many operations
(see above).

> Can I capture a file change by just looking at one particular IRP?

Yes. Watch for IRP_MJ_CREATE with FILE_WRITE_DATA | DELETE
access.

> How can I ignore all the creates and other operations that are for
> d:\ (as well as the recycler and desktop.ini)?

By name. You can get the name in IRP_MJ_CREATE.
FileSpy sources tell you how to do it.

> Why do I sometimes see a file called d:\~$otherWordTest.doc

This is a temporary file. Word keeps it for something related to
file restoration in the case of a crash.

L.
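The filtering rule from the reply (watch IRP_MJ_CREATE for FILE_WRITE_DATA or DELETE access, and drop the volume root, the recycler, desktop.ini and Word's ~$ temp file by name), written out as an added user-mode example. This is not FileSpy code and not from the thread's author; `create_record` is a constructed stand-in for a logged create, with `desired_access` standing for the ACCESS_MASK a filter would read from `Parameters.Create.SecurityContext->DesiredAccess` in its pre-create path.

```c
#include <ctype.h>
#include <string.h>

/* Access-mask bits as defined in the Windows SDK (winnt.h). */
#define FILE_WRITE_DATA 0x00000002UL
#define DELETE          0x00010000UL

/* One logged create. Constructed stand-in for FileSpy's record, not FileSpy code;
 * desired_access is what a filter reads from Parameters.Create.SecurityContext. */
typedef struct {
    const char *major;            /* e.g. "IRP_MJ_CREATE" */
    unsigned long desired_access; /* ACCESS_MASK requested by the opener */
    const char *path;             /* e.g. "d:\\WordTest.doc" */
} create_record;

/* Case-insensitive compare of n bytes (NTFS names are case-insensitive by default). */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* True if some directory component of path equals dir, e.g. "\RECYCLER\". */
static int has_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    for (const char *p = strchr(path, '\\'); p; p = strchr(p + 1, '\\')) {
        const char *end = strchr(p + 1, '\\');
        if (end && (size_t)(end - p - 1) == n && ieq_n(p + 1, dir, n)) return 1;
    }
    return 0;
}

/* The rule from the reply: keep only creates that ask for write or delete access,
 * and drop the volume root, recycler, desktop.ini and Word's ~$ temp file by name. */
int is_interesting_change(const create_record *r)
{
    if (strcmp(r->major, "IRP_MJ_CREATE") != 0) return 0;
    if ((r->desired_access & (FILE_WRITE_DATA | DELETE)) == 0) return 0;
    const char *slash = strrchr(r->path, '\\');
    const char *name = slash ? slash + 1 : r->path;
    if (*name == '\0') return 0;                    /* "d:\" itself */
    if (strlen(name) == 11 && ieq_n(name, "desktop.ini", 11)) return 0;
    if (name[0] == '~' && name[1] == '$') return 0; /* Word's ~$ recovery/owner file */
    if (has_dir(r->path, "RECYCLER")) return 0;
    return 1;
}
```

A real filter would apply the same checks to the name obtained in IRP_MJ_CREATE, as the reply suggests, rather than to a logged string.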