file system monitoring utility

Hi,

I am working towards a solution for monitoring file system usage on a
real-time basis. I have explored the usage of storage filter drivers and
approaches taken by utilities such as FileMon by sysinternals.

However, I am concerned that a storage filter driver is an overhead to all
kinds of disk I/O and hence cannot be left running all the time. Also,
people may be concerned from a security perspective about using such a
filter driver.

Is there any other way of achieving this functionality on Windows or Unix?

Regards,
Siddharth.

You shouldn’t be greatly concerned. Every XP system by default is
running a file system filter called sr.sys that is responsible for
implementing Microsoft’s System Restore feature. The overhead for a
filter is basically just CPU cycles to pass down the IRP and perform
tracking (if you need to), plus whatever specific functionality your
filter provides (which you can easily time). If you need to generate
additional disk I/O, that’s where the biggest slowdown will occur, but
exactly how much depends on what you’re doing. From a stability
standpoint, stack space usage caused by an additional filter driver is
the biggest problem, so try to minimize it.

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
Siddharth Aggarwal
Sent: Thursday, December 05, 2002 1:46 AM
To: NT Developers Interest List
Subject: [ntdev] file system monitoring utility

Hi,

I am working towards a solution for monitoring file system
usage on a real-time basis. I have explored the usage of
storage filter drivers and approaches taken by utilities such
as FileMon by sysinternals.

However, I am concerned that a storage filter driver is an
overhead to all kinds of disk I/O and hence cannot be left
running all the time. Also, people may be concerned from a
security perspective about using such a filter driver.

Is there any other way of achieving this functionality on
Windows or Unix?

Regards,
Siddharth.



A properly written filesystem filter is loaded on boot and always
attached to all mounted volumes. It does not incur any significant
overhead.

On UNIX with its VFS layer, it is much easier to hook the syscalls and
not to hook the FSD calls.

Max


Except Linux, which no longer exports the sys_call_table.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Thursday, December 05, 2002 12:53 PM
To: NT Developers Interest List
Subject: [ntdev] Re: file system monitoring utility

A properly written filesystem filter is loaded on boot and always
attached to all mounted volumes. It does not incur any significant
overhead.

On UNIX with its VFS layer, it is much easier to hook the syscalls and
not to hook the FSD calls.

Max


For Unix OS(s) look up implementing a VFS…

Hope this helps.


Then an FS filter for Linux is a much, much larger nightmare than for
NT. VFS is great for writing filesystems, but not filters.

Max

----- Original Message -----
From: “Stanislaw Kowalczyk”
To: “NT Developers Interest List”
Sent: Thursday, December 05, 2002 10:56 PM
Subject: [ntdev] Re: file system monitoring utility

> Except Linux, which no longer exports the sys_call_table.