Hi,all,
I got another question for you.
I try to log the file reading or writing time, how could I do that in my
file filter? As we know, read or write operation on the file will trigger
many IRP_MJ_READ or IRP_MJ_WRITE, so basically, we can’t make it in
IRP_MJ_READ/WRITE handling routine.
I think I should log the time when the operation is done, i.e., in the
completing routine of IRP_MJ_CLOSE/IRP_MJ_CLEANUP, should I use
ZwQueryInformationFile() within the completing routine? but still, I am not
sure the timestamp has already been updated by the below file system at
that time.
Is my idea correct, can anybody help me?
Thanks a lot.
Bill Deng