How to monitor the open of a hard disk device

OSR_Community_User · July 20, 2010, 5:29pm

Hi,

I want to monitor/filter the open of a hard disk volume and the hard disk device itself, so e.g. \Device\HarddiskVolume5 and \Device\Harddisk3\DR3.

I’m able to monitore the open of a volume, I can use a minifilter and check in the PreCreate for the FO_VOLUME_OPEN.

AFAIK I will not see the open of the harddisk in the minifilter as it’s only attached to the volume - correct?

So I tried it with the diskperf sample from ddk on W2K3 - but I never see the IRP_MJ_CREATE if the hard disk was opend (DiskPerfCreate was not called).
I see other IRPs like READ/WRITE and IOCTL.

Any suggestion how to do it - or hints why I do not see it in diskperf?

Thx
Norbert

OSR_Community_User · July 20, 2010, 11:54pm

> Any suggestion how to do it - or hints why I do not see it in diskperf?

Because this is how the disk stack works. No creates on physical disk (LUN PDO) level.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

OSR_Community_User · July 21, 2010, 5:24am

Maxim, thx for the fast response.

so it seems I need to monitor all other IRPs and react then on those.

Or do you see any other way how I can detect that a process is opening a hard disk device like \Device\Harddisk3\DR3?