FS Filter driver logging thread

Hi,

I’m a newbie working on a file system filter driver that logs specific IRPs
to a file. I’m modifying the filespy example from the XP DDK to suit my
needs. I do not need the command line functionality filespy offers and am
getting rid of that. The problem is that the command line application
spawns the thread that continually retrieves the information to log from the
driver via IOCTLs and writes it to a file, so I need to come up with a new
way to spawn that thread.

My question is, should I keep this thread in user mode and find some other
way to start it (if so, what would the best way be?) or should I start it in
kernel mode via PsCreateSystemThread from my driver? If I do start the
thread from the driver, is it enough to just port the existing callback
function from Win32 methods to the corresponding ExXxx, ZwXxx, etc. methods?
Or is a full redesign in order since there are other problems, like the fact
that it currently sleeps for 500 ms after every write, which is not
appropriate in a system thread, and perhaps I should switch to relying on
kernel events or some other synchronization method?

Thank you in advance,

- J.

J. McConnell
http://www.j-dotonline.com
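The design the question circles around, a writer thread that blocks until there is something to log or it is told to stop rather than sleeping 500 ms between polls, is shown below as an added example that is not part of the original post. It is modelled in user-mode POSIX C (a mutex plus condition variable stand in for the kernel events) so that it builds and runs anywhere; in a driver the same structure maps onto PsCreateSystemThread for the thread, two KEVENTs (data-ready and stop) signalled with KeSetEvent, and KeWaitForMultipleObjects in the loop, with the unload path setting the stop event and waiting on the thread object before returning. Every name below is hypothetical, and the log records are constructed sample text.

```c
/* Added example, not from the original post: event-driven log writer thread.
 * User-mode POSIX model of the kernel pattern described in the lead-in. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORD 64

/* One record to log: in the driver this would be the captured IRP data. */
struct log_record {
    struct log_record *next;
    char text[MAX_RECORD];
};

/* Queue shared between the filter (producer) and the writer thread. */
struct log_queue {
    pthread_mutex_t lock;
    pthread_cond_t  wake;      /* stands in for the data-ready and stop events */
    struct log_record *head, *tail;
    int stop;                  /* set once, by the unload path, after producers are quiesced */
    unsigned long written;     /* records the writer has flushed to the file */
    unsigned long dropped;     /* records not queued because allocation failed */
};

struct writer_ctx { struct log_queue *q; FILE *out; };

static void queue_init(struct log_queue *q)
{
    memset(q, 0, sizeof *q);
    pthread_mutex_init(&q->lock, NULL);
    pthread_cond_init(&q->wake, NULL);
}

/* Producer side: called where the filter decides an IRP should be logged.
 * It must never block on the writer, so a failed allocation is counted and dropped. */
static void queue_push(struct log_queue *q, const char *text)
{
    struct log_record *r = malloc(sizeof *r);
    if (!r) {
        pthread_mutex_lock(&q->lock);
        q->dropped++;
        pthread_mutex_unlock(&q->lock);
        return;
    }
    snprintf(r->text, sizeof r->text, "%s", text);
    r->next = NULL;
    pthread_mutex_lock(&q->lock);
    if (q->tail) q->tail->next = r; else q->head = r;
    q->tail = r;
    pthread_cond_signal(&q->wake);     /* KeSetEvent(data-ready) equivalent */
    pthread_mutex_unlock(&q->lock);
}

/* Writer thread: wait for work or stop, take the whole chain under the lock,
 * write it with the lock released, repeat; on stop, the final drain has already
 * happened under the same lock hold, so nothing queued is lost. */
static void *writer_thread(void *arg)
{
    struct writer_ctx *ctx = arg;
    struct log_queue *q = ctx->q;
    for (;;) {
        pthread_mutex_lock(&q->lock);
        while (!q->head && !q->stop)
            pthread_cond_wait(&q->wake, &q->lock);   /* no timed polling */
        struct log_record *batch = q->head;
        q->head = q->tail = NULL;
        int stopping = q->stop;
        pthread_mutex_unlock(&q->lock);

        unsigned long n = 0;
        while (batch) {
            struct log_record *next = batch->next;
            fprintf(ctx->out, "%s\n", batch->text);
            free(batch);
            batch = next;
            n++;
        }
        fflush(ctx->out);

        pthread_mutex_lock(&q->lock);
        q->written += n;
        pthread_mutex_unlock(&q->lock);
        if (stopping) break;
    }
    return NULL;
}

/* Unload side: request stop and wake the writer (KeSetEvent(stop) equivalent). */
static void queue_stop(struct log_queue *q)
{
    pthread_mutex_lock(&q->lock);
    q->stop = 1;
    pthread_cond_signal(&q->wake);
    pthread_mutex_unlock(&q->lock);
}

/* Full lifecycle with n constructed records; returns how many were flushed. */
unsigned long run_logger_demo(unsigned long n)
{
    struct log_queue q;
    queue_init(&q);
    FILE *out = tmpfile();               /* stand-in for the real log file */
    if (!out) return 0;
    struct writer_ctx ctx = { &q, out };
    pthread_t tid;
    if (pthread_create(&tid, NULL, writer_thread, &ctx) != 0) { fclose(out); return 0; }

    char line[MAX_RECORD];
    for (unsigned long i = 0; i < n; i++) {
        snprintf(line, sizeof line, "IRP_MJ_CREATE seq=%lu", i);  /* constructed sample */
        queue_push(&q, line);
    }
    queue_stop(&q);                      /* producers are done before stop is requested */
    pthread_join(tid, NULL);             /* unload must wait for the thread to exit */
    fclose(out);
    unsigned long written = q.written;
    pthread_mutex_destroy(&q.lock);
    pthread_cond_destroy(&q.wake);
    return written;
}

int main(void)
{
    unsigned long n = run_logger_demo(1000);
    printf("flushed %lu records\n", n);
    return n == 1000 ? 0 : 1;
}
```

The two points that matter for the kernel version are the same as in this model: the writer wakes only when signalled, so the 500 ms sleep disappears, and the stop request is honoured only after the queue has been drained, so the unload path can wait for the thread to exit without losing the last records.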