Hi all,
I am sure this has been asked before, but I couldn’t find anything in the FAQ or the NTFSD list:
I am trying to capture file changes and would like to modify filespy from the IFS kit for that purpose. I am looking at the IRPs being logged using filespy. I opened a Word doc and started logging (using filespy.exe). I then wrote one char to the Word doc and saved the file via Ctrl-S. I then immediately stopped logging.
The log file shows something like 50+ entries related to that file. A lot of times there was a sequence of:
IRP_MJ_CREATE d:\WordTest.doc
QUERY_BASIC_INFO d:\WordTest.doc
IRP_MJ_CLEANUP d:\WordTest.doc
IRP_MJ_CLOSE d:\WordTest.doc
As for writes, I only see these:
IRP_MJ_WRITE IRP_MN_NORMAL d:$LogFile
There are also a lot of entries like these:
IRP_MJ_CREATE d:\
So my questions are:
- Are the many similar IRPs related to reentrancy?
- Can I capture a file change by just looking at one particular IRP? Or how else can I distinguish that IRPs are for the same operation on the same file?
- How can I ignore all the creates and other operations that are for d:\ (as well as the recycler and desktop.ini)? Since I didn’t change that directory per se, that is not a change I am interested in.
- Why do I sometimes see a file called d:~$otherWordTest.doc (in the filespy log) and sometimes I don’t when I save? Is that a timing issue (e.g. does this file take several seconds to get created, and when the original file is saved before the creation of the temporary file, the latter won’t be used)?
Thanks a lot, bjorn
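A worked example added here, not code from the original post or from filespy itself: a small Python parser over constructed filespy-style log lines that groups IRPs into open-to-close handle sessions per path, drops the volume-root, $LogFile, RECYCLER and desktop.ini entries the post wants to ignore, and reports which files saw a modifying IRP. The sample lines, the two-or-three-token line layout, the IRP_MJ_SET_INFORMATION entry and the session grouping are assumptions for illustration, not documented filespy output.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample, loosely modelled on the excerpt in the post (not real filespy output).
SAMPLE_LOG = [
    "IRP_MJ_CREATE d:\\",
    "IRP_MJ_CREATE d:\\WordTest.doc",
    "QUERY_BASIC_INFO d:\\WordTest.doc",
    "IRP_MJ_CLEANUP d:\\WordTest.doc",
    "IRP_MJ_CLOSE d:\\WordTest.doc",
    "IRP_MJ_CREATE d:\\~$WordTest.doc",
    "IRP_MJ_WRITE IRP_MN_NORMAL d:\\~$WordTest.doc",
    "IRP_MJ_CLEANUP d:\\~$WordTest.doc",
    "IRP_MJ_CLOSE d:\\~$WordTest.doc",
    "IRP_MJ_WRITE IRP_MN_NORMAL d:\\$LogFile",
    "IRP_MJ_CREATE d:\\RECYCLER\\desktop.ini",
    "IRP_MJ_CREATE d:\\WordTest.doc",
    "IRP_MJ_WRITE IRP_MN_NORMAL d:\\WordTest.doc",
    "IRP_MJ_SET_INFORMATION d:\\WordTest.doc",  # assumed entry, e.g. a size/rename change
    "IRP_MJ_CLEANUP d:\\WordTest.doc",
    "IRP_MJ_CLOSE d:\\WordTest.doc",
]


class Event(NamedTuple):
    major: str   # operation name, e.g. IRP_MJ_WRITE or QUERY_BASIC_INFO
    minor: str   # minor code if present, e.g. IRP_MN_NORMAL, else ""
    path: str    # file or directory the IRP targeted


# IRPs that change file content or metadata; everything else is treated as read-only.
MODIFYING = {"IRP_MJ_WRITE", "IRP_MJ_SET_INFORMATION"}

# Paths the post wants filtered out of a change log (assumed patterns).
NOISE_PATTERNS = [
    re.compile(r"^[a-z]:\\$", re.I),        # bare volume root such as d:\
    re.compile(r"\\\$[^\\]*$"),             # NTFS metadata files such as \$LogFile
    re.compile(r"\\RECYCLER\\", re.I),      # recycle bin contents
    re.compile(r"\\desktop\.ini$", re.I),   # shell folder settings
]


def parse_line(line: str) -> Optional[Event]:
    """First token is the operation, last token the path; anything between is the minor code."""
    parts = line.split()
    if len(parts) < 2:
        return None
    minor = parts[1] if len(parts) > 2 else ""
    return Event(parts[0], minor, parts[-1])


def is_noise(path: str) -> bool:
    return any(p.search(path) for p in NOISE_PATTERNS)


def sessions_by_file(lines: List[str]) -> Dict[str, List[List[Event]]]:
    """Group events per path into sessions running from IRP_MJ_CREATE to IRP_MJ_CLOSE.

    Each session approximates one handle's lifetime, so the repeated
    create/query/cleanup/close quadruples in the post land in separate sessions.
    """
    open_sessions: Dict[str, List[Event]] = {}
    finished: Dict[str, List[List[Event]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or is_noise(ev.path):
            continue
        if ev.major == "IRP_MJ_CREATE":
            open_sessions[ev.path] = [ev]          # a new handle to this path starts here
            continue
        session = open_sessions.setdefault(ev.path, [])
        session.append(ev)
        if ev.major == "IRP_MJ_CLOSE":
            finished[ev.path].append(open_sessions.pop(ev.path))
    for path, session in open_sessions.items():    # keep sessions the log cut off mid-way
        finished[path].append(session)
    return dict(finished)


def modified_files(lines: List[str]) -> Dict[str, int]:
    """Map each path to the number of sessions that carried a modifying IRP (zero-count paths omitted)."""
    counts = {}
    for path, sessions in sessions_by_file(lines).items():
        n = sum(1 for s in sessions if any(e.major in MODIFYING for e in s))
        if n:
            counts[path] = n
    return counts


if __name__ == "__main__":
    for path, n in modified_files(SAMPLE_LOG).items():
        print(f"{path}: modified in {n} handle session(s)")
```

Keying sessions by path is only a heuristic for reading a log after the fact: the same path can be open through several handles at once, so inside a filter driver the reliable correlation key for "same operation on the same file" is the FileObject of the open instance, which every IRP for that handle carries.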