FS mini filter - Detect change in file to recalculate SHA256 hash?

Chepuri · December 11, 2024, 2:56am

Hi,

I'm calculating SHA-256 using CNG API in Mini filter driver. Now I'm planning to implement a cache for existing file-hash combination and avoid next time if there is no change in the file.

I'm looking for unique attribute which will find out is there any change in file contents. It seems LastWriteTime is not reliable, and I can register for pre and post operations to detect either write or change in size of file. It seems bit overhead.

Is there any alternative where I can detect there is a change in content or size of file, so that either pick the hash from cache or invalidate and recalculation hash.

Thanks,
Suresh

DymOK93 · December 24, 2024, 11:21pm

Hi. You can:

store hash in Kernel EAs "$Kernel.Purge." in Windows 8+ on NTFS (I'm not sure about ReFS)
store hash in FLT_STREAM_CONTEXT and implement your own logic with tracking of all changes (IRP_MJ_WRITE, IOCTLs and FSCTLs, etc.)

system · January 23, 2025, 11:22pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.