All,
I am writing a filter driver where i have to parse document in pre create. I only reparse the document if an only if the document is modified. The way i try to find if the document is modifed is by sending an irp to query about the last write time, but this theory some times doesn’t work for me, for example when i open an excel file it changes its modified time to current time and restores it back during the close. but for me i think the document is modified and i reparse the document and waste system time. is there a better way to find if a file has been modifed recently in pre create.
Thanks
You can trace IRP_MJ_WRITE operation and consider document is modified if the operation was successful. But this approach works only while the filter driver is running.
Well, you can combine both approaches too.
Gonzalo.
-----Mensaje original-----
De: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] En nombre de xxxxx@yahoo.com
Enviado el: mi?rcoles, 23 de mayo de 2007 21:57
Para: Windows File Systems Devs Interest List
Asunto: [ntfsd] how to find if the document is modified
All,
I am writing a filter driver where i have to parse document in pre create. I only reparse the document if an only if the document is modified. The way i try to find if the document is modifed is by sending an irp to query about the last write time, but this theory some times doesn’t work for me, for example when i open an excel file it changes its modified time to current time and restores it back during the close. but for me i think the document is modified and i reparse the document and waste system time. is there a better way to find if a file has been modifed recently in pre create.
Thanks
Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@pandasoftware.es
To unsubscribe send a blank email to xxxxx@lists.osr.com
Thanks for the reply, we don’t capture paging IO, therefore we will miss these write