How to monitor the NTFS Alternate Data Streams (ADS) attached to one file in filter

charles_zhao · July 14, 2009, 6:02am

How to monitor the NTFS Alternate Data Streams (ADS) attached to one file in filter driver?

If set some plain file’s properity,to add some content to summary,there are many irp and the file’s name like below,

file name maybe like below from filespy:
a) 11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
b) 11.txt:|SummaryInformation:$DATA
c) 11.txt:Updt_|SummaryInformation:$DATA

Is there any way to get the stream file name when open the file 11.txt and then monitor the user set the summary information?
Thank you in advance for the reply. Looking forward to hearing from you soon!

The part of information from the filespy below when set summary information for one file
1 10:42:08.087 31 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 85B17860 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib: 0x00000080 Result: FILE_OPENED
2 10:42:08.118 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_INFORMATION 00000870 No 85B17860 E1310A00 E16057E8 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS FileStreamInformation
3 10:42:08.118 0 explorer.exe 2152 849CEB68 FASTIO_QUERY_BASIC_INFO 85B17860 E1310A00 E16057E8 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS Attrib: 0x00000020
5 10:42:08.118 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_READ 00000900 No 85B17860 E1310A00 E16057E8 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS Offset 00000000-00000000 ToRead 18 Read 18
4 10:42:08.118 0 System 16 849CEB68 84D0E450 IRP_MJ_CLOSE 00000404 No 8598B738 E1310A00 E1E61AB0 00044042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
6 10:42:08.118 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8598B738 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: Raec25ph4sudbf0hAaq5ehw3Nf:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib: 0x00000080 Result: FILE_SUPERSEDED
7 10:42:08.118 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP 00000404 No 85B17860 E1310A00 E16057E8 000C0042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
8 10:42:08.118 31 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8598B738 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib: 0x00000080 Result: FILE_OPENED
9 10:41:14.556 53593 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
10 10:42:08.149 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 84E1E558 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA STATUS_SUCCESS FILE_OPEN_IF CreOpts: 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result: FILE_CREATED
15 10:42:08.149 15 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
11 10:42:08.149 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_READ 00000900 No 84E1E558 E1604360 E14D11F0 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA STATUS_END_OF_FILE Offset 00000000-00000000 ToRead 18 Read 0
12 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 85997DB8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result: FILE_SUPERSEDED
13 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 85997DB8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result: FILE_SUPERSEDED
14 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 85997DB8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00100080 Share: 0x00000007 Attrib: 0x00000080 Result: FILE_SUPERSEDED
16 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 85997DB8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS FILE_CREATE CreOpts: 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result: FILE_CREATED
18 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
17 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW
19 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00000000
20 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
21 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS FileAllocationInformation
27 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
22 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS
23 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW FileAllInformation
24 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 84FCD360 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result: FILE_SUPERSEDED
25 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS
26 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW FileAllInformation
28 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 84FCD360 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS FILE_OVERWRITE_IF CreOpts: 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result: FILE_CREATED
30 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
29 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW
31 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00000000
32 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
33 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS FileAllocationInformation
34 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
35 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00000058
36 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
37 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS FileAllocationInformation
40 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
38 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS
39 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_QUERY_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW FileAllInformation
41 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00000074
42 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
43 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS FileAllocationInformation
47 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
45 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_WRITE 00000A00 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS Offset 00000000-00000000 ToWrite 74 Written 74
44 10:42:08.165 0 explorer.exe 2152 849CEB68 84D0E450 IRP_MJ_READ 00000043 Yes 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS Offset 00000000-00000000 ToRead 1000 Read 74
48 10:42:08.165 15 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_FLUSH_BUFFERS 00000000 No 84FCD360 E25D0B88 E2723658 00041042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS
46 10:42:08.165 0 explorer.exe 2152 849CEB68 84D0E450 IRP_MJ_WRITE 00000043 Yes 84FCD360 E25D0B88 E2723658 00041042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS Offset 00000000-00000000 ToWrite 1000 Written 74
49 10:42:08.165 15 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
50 10:42:08.181 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00000000
54 10:42:08.181 0 explorer.exe 2160 849CEB68 849F5008 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
51 10:42:08.181 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP 00000404 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS
52 10:42:08.181 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLOSE 00000404 No 85997DB8 E1619740 E2E42C80 00044042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation:$DATA STATUS_SUCCESS
53 10:42:08.181 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_ SummaryInformation:$DATA STATUS_SUCCESS FileRenameInformation FileObject: 00000000 ReplaceIfExists: 1
55 10:42:08.181 15 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP 00000404 No 84FCD360 E25D0B88 E2723658 00041042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation STATUS_SUCCESS
56 10:42:08.196 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP 00000404 No 84E1E558 E1604360 E14D11F0 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA STATUS_SUCCESS
57 10:42:08.196 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLOSE 00000404 No 84E1E558 E1604360 E14D11F0 00044042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA STATUS_SUCCESS
58 10:42:08.196 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP 00000404 No 8598B738 E1310A00 E1E61AB0 00040042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
59 10:42:08.196 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLOSE 00000404 No 8598B738 E1310A00 E1E61AB0 00044042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
60 10:42:09.009 0 System 40 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION 00000042 No 84FCD360 E25D0B88 E2723658 00044042 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt: SummaryInformation STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00000074
61 10:42:09.181 0 explorer.exe 3296 849CEB68 84D0E450 IRP_MJ_CREATE 00000884 No 855C8028 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS FILE_OPEN CreOpts: 0x00000021 Access: 0x00100001 Share: 0x00000007 Attrib: 0 Result: FILE_OPENED
62 10:42:09.181 0 explorer.exe 3296 849CEB68 84D0E450 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 855C8028 E2DE65D8 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS FileBothDirectoryInformation (FileMask = )
63 10:42:09.196 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 855C8028 E2DE65D8 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS FileBothDirectoryInformation (FileMask = )
64 10:42:09.196 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 855C8028 E2DE65D8 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_NO_MORE_FILES FileBothDirectoryInformation (FileMask = )
65 10:42:09.196 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLEANUP 00000404 No 855C8028 E2DE65D8 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
66 10:42:09.196 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLOSE 00000404 No 855C8028 E2DE65D8 E260CED0 00044002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
67 10:42:09.212 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 855C8028 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS FILE_OPEN CreOpts: 0x00000021 Access: 0x00100001 Share: 0x00000007 Attrib: 0 Result: FILE_OPENED
68 10:42:09.212 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 855C8028 E2DE65D8 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS FileBothDirectoryInformation (FileMask = 11.tx)
69 10:42:09.212 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLEANUP 00000404 No 855C8028 E2DE65D8 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
70 10:42:09.212 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLOSE 00000404 No 855C8028 E2DE65D8 E260CED0 00044002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
71 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 850C51E8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS FILE_OPEN CreOpts: 0x00000021 Access: 0x00100001 Share: 0x00000007 Attrib: 0 Result: FILE_OPENED
72 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS FileBothDirectoryInformation (FileMask = )
73 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS FileBothDirectoryInformation (FileMask = )
74 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_NO_MORE_FILES FileBothDirectoryInformation (FileMask = )
75 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLEANUP 00000404 No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
76 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLOSE 00000404 No 850C51E8 E15C1578 E260CED0 00044002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
77 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 850C51E8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib: 0 Result: FILE_OPENED
78 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_READ 00000900 No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_INVALID_DEVICE_REQUEST Offset 00000000-00000000 ToRead 18 Read 0
79 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
80 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_QUERY_INFORMATION 00000870 No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_BUFFER_OVERFLOW FileAllInformation
81 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
82 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
83 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
84 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
85 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
86 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
87 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
88 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
89 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
90 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
91 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
92 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
93 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
94 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
95 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
96 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: DocumentSummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
97 10:46:06.681 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ DocumentSummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
98 10:46:06.681 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: DocumentSummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
99 10:46:06.681 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_ DocumentSummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
100 10:46:06.681 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32: SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED

OSR_Community_User · July 14, 2009, 11:32am

Take a look at the FileStreamInformation information class and the FILE_STREAM_INFORMATION structure (http://msdn.microsoft.com/en-us/library/ms791551.aspx).

Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no rights.

Lyndon_J_Clarke-2 · July 14, 2009, 6:16pm

Well, you can see operations on the named data stream from a filter driver,
because you can see the stream name. The from a minifilter you have
FltQueryInformationFile FileStreamInformation, and otherwise you have
ZwQueryInformationFile. So up in user mode you’ve got
Find[First|Next]StreamNameW since Vista, and before that it’s NT Native time
which is like a piece of cake and google will be a kind of friend for you
there (wink).

Good luck
Lyndon

wrote in message news:xxxxx@ntfsd…
> How to monitor the NTFS Alternate Data Streams (ADS) attached to one file
> in filter driver?
>
> If set some plain file’s properity,to add some content to summary,there
> are many irp and the file’s name like below,
>
> file name maybe like below from filespy:
> a) 11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
> b) 11.txt:|SummaryInformation:$DATA
> c) 11.txt:Updt_|SummaryInformation:$DATA
>
> Is there any way to get the stream file name when open the file 11.txt and
> then monitor the user set the summary information?
> Thank you in advance for the reply. Looking forward to hearing from you
> soon!
>
> The part of information from the filespy below when set summary
> information for one file
> 1 10:42:08.087 31 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 85B17860 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
> FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib:
> 0x00000080 Result: FILE_OPENED
> 2 10:42:08.118 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_INFORMATION 00000870 No 85B17860 E1310A00 E16057E8 00040042
> G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt
> STATUS_SUCCESS FileStreamInformation
> 3 10:42:08.118 0 explorer.exe 2152 849CEB68 FASTIO_QUERY_BASIC_INFO
> 85B17860 E1310A00 E16057E8 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
> Attrib: 0x00000020
> 5 10:42:08.118 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_READ 00000900
> No 85B17860 E1310A00 E16057E8 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
> Offset 00000000-00000000 ToRead 18 Read 18
> 4 10:42:08.118 0 System 16 849CEB68 84D0E450 IRP_MJ_CLOSE 00000404 No
> 8598B738 E1310A00 E1E61AB0 00044042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
> 6 10:42:08.118 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8598B738 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> Raec25ph4sudbf0hAaq5ehw3Nf:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN
> CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib:
> 0x00000080 Result: FILE_SUPERSEDED
> 7 10:42:08.118 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP
> 00000404 No 85B17860 E1310A00 E16057E8 000C0042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
> 8 10:42:08.118 31 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8598B738 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
> FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib:
> 0x00000080 Result: FILE_OPENED
> 9 10:41:14.556 53593 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 10 10:42:08.149 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 84E1E558 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
> STATUS_SUCCESS FILE_OPEN_IF CreOpts: 0x00000020 Access: 0x0013019F Share:
> 0 Attrib: 0x00000080 Result: FILE_CREATED
> 15 10:42:08.149 15 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 11 10:42:08.149 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_READ 00000900
> No 84E1E558 E1604360 E14D11F0 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
> STATUS_END_OF_FILE Offset 00000000-00000000 ToRead 18 Read 0
> 12 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 85997DB8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 13 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 85997DB8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 14 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 85997DB8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00100080 Share: 0x00000007 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 16 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 85997DB8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS FILE_CREATE CreOpts: 0x00000020
> Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result: FILE_CREATED
> 18 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 17 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80
> 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW
> 19 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 85997DB8 E1619740 E2E42C80 00040042
> G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation
> EndOfFile: 00000000-00000000
> 20 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 21 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 85997DB8 E1619740 E2E42C80 00040042
> G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS FileAllocationInformation
> 27 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 22 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80
> 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS
> 23 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042
> G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW FileAllInformation
> 24 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 84FCD360 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 25 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80
> 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS
> 26 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042
> G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW FileAllInformation
> 28 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 84FCD360 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS FILE_OVERWRITE_IF CreOpts:
> 0x00000020 Access: 0x0013019F Share: 0 Attrib: 0x00000080 Result:
> FILE_CREATED
> 30 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 29 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 84FCD360 E25D0B88 E2723658
> 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW
> 31 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042
> G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation
> EndOfFile: 00000000-00000000
> 32 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 33 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042
> G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS FileAllocationInformation
> 34 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 35 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042
> G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation
> EndOfFile: 00000000-00000058
> 36 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 37 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042
> G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS FileAllocationInformation
> 40 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 38 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80
> 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS
> 39 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_QUERY_INFORMATION 00000870 No 85997DB8 E1619740 E2E42C80 00040042
> G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_BUFFER_OVERFLOW FileAllInformation
> 41 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042
> G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation
> EndOfFile: 00000000-00000074
> 42 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 43 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042
> G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS FileAllocationInformation
> 47 10:42:08.165 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 45 10:42:08.165 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_WRITE
> 00000A00 No 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS Offset 00000000-00000000 ToWrite
> 74 Written 74
> 44 10:42:08.165 0 explorer.exe 2152 849CEB68 84D0E450 IRP_MJ_READ 00000043
> Yes 84FCD360 E25D0B88 E2723658 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS Offset 00000000-00000000 ToRead
> 1000 Read 74
> 48 10:42:08.165 15 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_FLUSH_BUFFERS 00000000 No 84FCD360 E25D0B88 E2723658 00041042
> G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS
> 46 10:42:08.165 0 explorer.exe 2152 849CEB68 84D0E450 IRP_MJ_WRITE
> 00000043 Yes 84FCD360 E25D0B88 E2723658 00041042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS Offset 00000000-00000000 ToWrite
> 1000 Written 74
> 49 10:42:08.165 15 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 50 10:42:08.181 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 85997DB8 E1619740 E2E42C80 00040042
> G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS FileEndOfFileInformation
> EndOfFile: 00000000-00000000
> 54 10:42:08.181 0 explorer.exe 2160 849CEB68 849F5008
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY 00000000 No
> 849F3820 E2DE65D8 E2DE6768 00040000 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 51 10:42:08.181 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP
> 00000404 No 85997DB8 E1619740 E2E42C80 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS
> 52 10:42:08.181 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLOSE
> 00000404 No 85997DB8 E1619740 E2E42C80 00044042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation:$DATA STATUS_SUCCESS
> 53 10:42:08.181 0 explorer.exe 2152 849CEB68 84FD7200
> IRP_MJ_SET_INFORMATION 00000830 No 84FCD360 E25D0B88 E2723658 00040042
> G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:Updt_
> SummaryInformation:$DATA STATUS_SUCCESS FileRenameInformation FileObject:
> 00000000 ReplaceIfExists: 1
> 55 10:42:08.181 15 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP
> 00000404 No 84FCD360 E25D0B88 E2723658 00041042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation STATUS_SUCCESS
> 56 10:42:08.196 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP
> 00000404 No 84E1E558 E1604360 E14D11F0 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
> STATUS_SUCCESS
> 57 10:42:08.196 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLOSE
> 00000404 No 84E1E558 E1604360 E14D11F0 00044042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
> STATUS_SUCCESS
> 58 10:42:08.196 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLEANUP
> 00000404 No 8598B738 E1310A00 E1E61AB0 00040042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
> 59 10:42:08.196 0 explorer.exe 2152 849CEB68 84FD7200 IRP_MJ_CLOSE
> 00000404 No 8598B738 E1310A00 E1E61AB0 00044042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt STATUS_SUCCESS
> 60 10:42:09.009 0 System 40 849CEB68 84FD7200 IRP_MJ_SET_INFORMATION
> 00000042 No 84FCD360 E25D0B88 E2723658 00044042 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\11.txt:
> SummaryInformation STATUS_SUCCESS FileEndOfFileInformation EndOfFile:
> 00000000-00000074
> 61 10:42:09.181 0 explorer.exe 3296 849CEB68 84D0E450 IRP_MJ_CREATE
> 00000884 No 855C8028 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS FILE_OPEN
> CreOpts: 0x00000021 Access: 0x00100001 Share: 0x00000007 Attrib: 0 Result:
> FILE_OPENED
> 62 10:42:09.181 0 explorer.exe 3296 849CEB68 84D0E450
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 855C8028
> E2DE65D8 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> FileBothDirectoryInformation (FileMask = )
> 63 10:42:09.196 0 explorer.exe 1876 849CEB68 84FD7200
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 855C8028
> E2DE65D8 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> FileBothDirectoryInformation (FileMask = )
> 64 10:42:09.196 0 explorer.exe 1876 849CEB68 84FD7200
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 855C8028
> E2DE65D8 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_NO_MORE_FILES
> FileBothDirectoryInformation (FileMask = )
> 65 10:42:09.196 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLEANUP
> 00000404 No 855C8028 E2DE65D8 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 66 10:42:09.196 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLOSE
> 00000404 No 855C8028 E2DE65D8 E260CED0 00044002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 67 10:42:09.212 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 855C8028 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS FILE_OPEN
> CreOpts: 0x00000021 Access: 0x00100001 Share: 0x00000007 Attrib: 0 Result:
> FILE_OPENED
> 68 10:42:09.212 0 explorer.exe 1876 849CEB68 84FD7200
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 855C8028
> E2DE65D8 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> FileBothDirectoryInformation (FileMask = 11.tx)
> 69 10:42:09.212 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLEANUP
> 00000404 No 855C8028 E2DE65D8 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 70 10:42:09.212 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLOSE
> 00000404 No 855C8028 E2DE65D8 E260CED0 00044002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite STATUS_SUCCESS
> 71 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 850C51E8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
> FILE_OPEN CreOpts: 0x00000021 Access: 0x00100001 Share: 0x00000007 Attrib:
> 0 Result: FILE_OPENED
> 72 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 850C51E8
> E15C1578 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
> FileBothDirectoryInformation (FileMask = )
> 73 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 850C51E8
> E15C1578 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
> FileBothDirectoryInformation (FileMask = )
> 74 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200
> IRP_MJ_DIRECTORY_CONTROL/IRP_MN_QUERY_DIRECTORY 00000800 No 850C51E8
> E15C1578 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32
> STATUS_NO_MORE_FILES FileBothDirectoryInformation (FileMask = )
> 75 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLEANUP
> 00000404 No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
> 76 10:46:06.649 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CLOSE
> 00000404 No 850C51E8 E15C1578 E260CED0 00044002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
> 77 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 850C51E8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
> FILE_OPEN CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000007 Attrib:
> 0 Result: FILE_OPENED
> 78 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_READ 00000900
> No 850C51E8 E15C1578 E260CED0 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32
> STATUS_INVALID_DEVICE_REQUEST Offset 00000000-00000000 ToRead 18 Read 0
> 79 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200
> IRP_MJ_QUERY_VOLUME_INFORMATION 00000870 No 850C51E8 E15C1578 E260CED0
> 00040002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32 STATUS_SUCCESS
> 80 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200
> IRP_MJ_QUERY_INFORMATION 00000870 No 850C51E8 E15C1578 E260CED0 00040002
> G:\Documents and Settings\Administrator\Desktop\SysinternalsSuite\Win32
> STATUS_BUFFER_OVERFLOW FileAllInformation
> 81 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
> STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts: 0x00000020 Access:
> 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result: FILE_SUPERSEDED
> 82 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 83 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 84 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 85 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 86 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 87 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 88 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 89 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 90 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 91 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 92 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 93 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 94 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 95 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
> 96 10:46:06.665 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> DocumentSummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN
> CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib:
> 0x00000080 Result: FILE_SUPERSEDED
> 97 10:46:06.681 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> DocumentSummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN
> CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib:
> 0x00000080 Result: FILE_SUPERSEDED
> 98 10:46:06.681 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> DocumentSummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN
> CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib:
> 0x00000080 Result: FILE_SUPERSEDED
> 99 10:46:06.681 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:Docf_
> DocumentSummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN
> CreOpts: 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib:
> 0x00000080 Result: FILE_SUPERSEDED
> 100 10:46:06.681 0 explorer.exe 1876 849CEB68 84FD7200 IRP_MJ_CREATE
> 00000884 No 8551DBF8 00000000 00000000 00000002 G:\Documents and
> Settings\Administrator\Desktop\SysinternalsSuite\Win32:
> SummaryInformation:$DATA STATUS_OBJECT_NAME_NOT_FOUND FILE_OPEN CreOpts:
> 0x00000020 Access: 0x00120089 Share: 0x00000001 Attrib: 0x00000080 Result:
> FILE_SUPERSEDED
>
>

charles_zhao · July 15, 2009, 3:59am

Thank you very much!

Is there any way to detect that one file whether has been attach data stream when open(IRP_MJ_CREATE) the file?

If build one irp to query the file’s information to check if the file has been attacthed some data stream when opening the file, do that can take effect?

Aditya_Shrivastava · July 15, 2009, 4:27am

from what I understand from your post, you asked “Is it possible to check whether the file has some alternate data stream attached with it in pre create or create dispatch handler”

The answer to above is yes, for reference check the WDK for FILE_STREAM_INFORMATION.

Thanks
Aditya