filespy is a filesystem filter correct ? i run the
filespy.exe and attach to f: drive and i see alot of output
from fast io and irp etc…,
i see:
DriverObject->MajorFunction[IRP_MJ_CREATE] = SpyCreate;
so then i set a break point in spycreate()
if (DeviceObject == gControlDeviceObject) {
the problem is sfcreate() never gets called ? i can see
output of fast io irps in dos prompt, am still filtering the
filesystem inrepect to f:\ ?
Yes filespy in ifs kit is a filter driver. Exact where do you set the break
piont in SpyCreate? The clause where DeviceObject == gControlDeviceObject
will run when filespy.exe open a handle for the control device obejct (CDO)
of filespy, for example when filespy.exe is started, but not where files in
general are opened/etc.
Cheers
Lyndon
wrote in message news:xxxxx@ntfsd…
> filespy is a filesystem filter correct ? i run the
> filespy.exe and attach to f: drive and i see alot of output
> from fast io and irp etc…,
>
> i see:
> DriverObject->MajorFunction[IRP_MJ_CREATE] = SpyCreate;
>
> so then i set a break point in spycreate()
>
> if (DeviceObject == gControlDeviceObject) {
>
> the problem is sfcreate() never gets called ? i can see
> output of fast io irps in dos prompt, am still filtering the
> filesystem inrepect to f:\ ?
>