I would like to implement a filter driver that monitors the cd/dvd burn events coming from mostly roxio and nero software and pass them to an application. I do not want to block or make the cd/dvd read only.
This particular question has come up a lot of time on this mailing list and I have spent 2 complete days going over each one of them. I realize that it is not easy to implement such thing also I realize different softwares perform burn differently that is why I want to limit my implementation to roxio and nero. Let me explain what I have done so far and then I’ll post the question.
I wrote a simple filter driver and installed it as a lower class filter for CDROM class (4D36E965-E325-11CE-BFC1-08002BE10318). I see when I burn something on cd I get a lot of IRP_MJ_INTERNAL_DEVICE_IO_CONTROL. I am looking for IOCTL_SCSI_PASS_THROUGH/DIRECT through IRP_MJ_DEVICE_IO_CONTROL but I never get this. I added the checks for above IRPs/IOCTLs by looking at the several post to similar issues. I really don’t know what I’ll do when I get them.
Questions:
Am i on the right path? I am not sure whether I should be writing a class driver or miniport driver or something else.
If I am on the right path then:
Which event will inform me about the write events?
What do I do when I get PASS_THROUGH and DIRECT ioctls? e.g. when i get IRP_MJ_WRITE I know what I can do with the parameters.
You would be best served by asking low level storage questions in NTDEV.
We’re the high level storage folks (FSDs) and thus have less expertise
in this specific area.
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc. http://www.osr.com
You will need to filter the INTERNAL_DEVICE requests which are SCSI control
requests with the SRB in the stack parameters. From the SRB and CDB you can
see the SCSIOP_WRITE messages being sent down
The problem you will encounter is that several applications out there
install their own class filter drivers. The application sends IOCtls
directly to these and sometimes these class filters then call the underlying
bus driver directly, bypassing any class filters in the stack. Specifically
I have seen this with Sonic’s product.
As you pointed out, each one is different and it is difficult to handle all
of them with a generic solution.
Hope this helps,
Pete
Kernel Drivers
Windows Filesystem and Device Driver Consulting www.KernelDrivers.com
(303)546-0300
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Thursday, November 30, 2006 7:53 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] filtering cd/dvd burn events
Hi Folks,
I would like to implement a filter driver that monitors the cd/dvd burn
events coming from mostly roxio and nero software and pass them to an
application. I do not want to block or make the cd/dvd read only.
This particular question has come up a lot of time on this mailing list and
I have spent 2 complete days going over each one of them. I realize that it
is not easy to implement such thing also I realize different softwares
perform burn differently that is why I want to limit my implementation to
roxio and nero. Let me explain what I have done so far and then I’ll post
the question.
I wrote a simple filter driver and installed it as a lower class filter for
CDROM class (4D36E965-E325-11CE-BFC1-08002BE10318). I see when I burn
something on cd I get a lot of IRP_MJ_INTERNAL_DEVICE_IO_CONTROL. I am
looking for IOCTL_SCSI_PASS_THROUGH/DIRECT through IRP_MJ_DEVICE_IO_CONTROL
but I never get this. I added the checks for above IRPs/IOCTLs by looking at
the several post to similar issues. I really don’t know what I’ll do when I
get them.
Questions:
Am i on the right path? I am not sure whether I should be writing a class
driver or miniport driver or something else.
If I am on the right path then:
Which event will inform me about the write events?
What do I do when I get PASS_THROUGH and DIRECT ioctls? e.g. when i get
IRP_MJ_WRITE I know what I can do with the parameters.
IMAPI has its own Imapi filter which is a device LowerFilter and is below
any class LowerFilters, so you cannot see any SRB traffic generated by IMAPI
from a class LowerFilter.
Dunno on Roxio, I only know that IMAPI was licensed by MS from Roxio.
----- Original Message -----
From: To: “Windows File Systems Devs Interest List” Sent: Friday, December 01, 2006 5:52 AM Subject: [ntfsd] filtering cd/dvd burn events
> Hi Folks, > > I would like to implement a filter driver that monitors the cd/dvd burn events coming from mostly roxio and nero software and pass them to an application. I do not want to block or make the cd/dvd read only. > > This particular question has come up a lot of time on this mailing list and I have spent 2 complete days going over each one of them. I realize that it is not easy to implement such thing also I realize different softwares perform burn differently that is why I want to limit my implementation to roxio and nero. Let me explain what I have done so far and then I’ll post the question. > > I wrote a simple filter driver and installed it as a lower class filter for CDROM class (4D36E965-E325-11CE-BFC1-08002BE10318). I see when I burn something on cd I get a lot of IRP_MJ_INTERNAL_DEVICE_IO_CONTROL. I am looking for IOCTL_SCSI_PASS_THROUGH/DIRECT through IRP_MJ_DEVICE_IO_CONTROL but I never get this. I added the checks for above IRPs/IOCTLs by looking at the several post to similar issues. I really don’t know what I’ll do when I get them. > > Questions: > 1. Am i on the right path? I am not sure whether I should be writing a class driver or miniport driver or something else. > If I am on the right path then: > 2. Which event will inform me about the write events? > 2. What do I do when I get PASS_THROUGH and DIRECT ioctls? e.g. when i get IRP_MJ_WRITE I know what I can do with the parameters. > 3. What are SRBs and CDBs? when will I get them? > > Any help is much appreciated. > > Thanks, > /R > > > — > Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17 > > You are currently subscribed to ntfsd as: xxxxx@storagecraft.com > To unsubscribe send a blank email to xxxxx@lists.osr.com
So are you saying that if I install a device lower filter then I should be able to intercept most commands? Even for drivers that installs their own class filters (upper/lower)?
Also when will I see the filename of the file being written? Is this defined in the MMC-5 spec?
hmmm. Well, here’s a basic question then…
If I have to intercept file system commands, I know I can write a filter driver, sit above file system and intercept IRP_MJ_CREATE/CLOSE/READ/WRITE etc. I also know that IRP_MJ_CREATE (forget pre and post for now) is the place where the file will be opened, followed by READ/WRITE Irps and then ultimately a CLOSE. Pretty much this is the sequence in which the filter driver will get notified, what is the sequence in which cd read/write events occur in terms of the SCSI commands or whatever the equivalent is? Is there an article or website that can give me this information?
Have you ever burned a CD or DVD from and ISO image such as XP from the MSDN
download site? If so, where does a file system come into play with that
activity? Answer: reading the file from its location on mass storage and
not on the write side to the optical drive. If you look at the WDK you can
find the source to CDFS. There is one module called write.c which may have
some relevance to your question.
Most burning software creates an ISO image dynamically or on mass storage
before that image is written to the optical media. Windows does not support
file system type writes to optical media, but it appears that Vista and
maybe others do support volume writes. I suspect that change was for the
optical media burning introduced in XP.
If you want to know what commands are sent to optical media why don’t you
get a bus analyzer for SCSI, IDE, or SATA as appropriate for your optical
drive?
wrote in message news:xxxxx@ntfsd… > hmmm. Well, here’s a basic question then… > If I have to intercept file system commands, I know I can write a filter > driver, sit above file system and intercept IRP_MJ_CREATE/CLOSE/READ/WRITE > etc. I also know that IRP_MJ_CREATE (forget pre and post for now) is the > place where the file will be opened, followed by READ/WRITE Irps and then > ultimately a CLOSE. Pretty much this is the sequence in which the filter > driver will get notified, what is the sequence in which cd read/write > events occur in terms of the SCSI commands or whatever the equivalent is? > Is there an article or website that can give me this information? > > Thanks, > /R >