How to track a specific file?

OSR_Community_User · November 13, 2002, 2:27am

hi,

I want to track all the read/write operation on a file(a *.DOC file) in
FS filter driver. How can I achieve this? Shall I remember the fileObject
in its IRP_MJ_CREATE completion routine and check for this fileObject in
IRP_MJ_READ/IRP_MJ_WRITE?

Thanks!

OSR_Community_User-148 · November 13, 2002, 5:59am

Hi,
You should track the File Object and FsContext after IRP_MJ_CREATE and you should check for FsContext during Read and Write Operations.
Also you should keep the track of all your FsContext incrementing the counter after successful IRP_MJ_CREATE’s and decrementing the counter on IRP_MJ_CLOSE when File Object is not FO_STREAM_FILE and both FileObject->SectionObjectPointer->ImageSectionObject and FileObject->SectionObjectPointer->DataSectionObject are NULL!
Hope this help,
Stefan

-----Original Message-----
From: zhangbo [mailto:xxxxx@gmx.net]
Sent: Wednesday, November 13, 2002 9:34 AM
To: File Systems Developers
Subject: [ntfsd] How to track a specific file?

hi,

I want to track all the read/write operation on a file(a *.DOC file) in
FS filter driver. How can I achieve this? Shall I remember the fileObject
in its IRP_MJ_CREATE completion routine and check for this fileObject in
IRP_MJ_READ/IRP_MJ_WRITE?

Thanks!

You are currently subscribed to ntfsd as: sboboc@ps.ro
To unsubscribe send a blank email to %%email.unsub%%

Dan_Partelly · November 13, 2002, 6:35am

>> decrementing the counter on IRP_MJ_CLOSE when File Object is not
FO_STREAM_FILE and both FileObject->SectionObjectPointer-

> ImageSectionObject and
FileObject->SectionObjectPointer->DataSectionObject are NULL!

This statement is wrong. The trick with
FileObject->SectionObjectPointer->ImageSectionObject is used to determine
when to safelydelete an element from your tracking structures (ref cnt == 0
&& ImageSectionObject == NULL && DataSectionObject == NULL), and not for
reference decrementing.

Regards, Dan

----- Original Message -----
From: “Stefan Boboc”
To: “File Systems Developers”
Sent: Wednesday, November 13, 2002 12:59 PM
Subject: [ntfsd] RE: How to track a specific file?

Hi,
You should track the File Object and FsContext after IRP_MJ_CREATE and you
should check for FsContext during Read and Write Operations.
Also you should keep the track of all your FsContext incrementing the
counter after successful IRP_MJ_CREATE’s and decrementing the counter on
IRP_MJ_CLOSE when File Object is not FO_STREAM_FILE and both
FileObject->SectionObjectPointer->ImageSectionObject and
FileObject->SectionObjectPointer->DataSectionObject are NULL!
Hope this help,
Stefan

-----Original Message-----
From: zhangbo [mailto:xxxxx@gmx.net]
Sent: Wednesday, November 13, 2002 9:34 AM
To: File Systems Developers
Subject: [ntfsd] How to track a specific file?

hi,

I want to track all the read/write operation on a file(a *.DOC file) in
FS filter driver. How can I achieve this? Shall I remember the fileObject
in its IRP_MJ_CREATE completion routine and check for this fileObject in
IRP_MJ_READ/IRP_MJ_WRITE?

Thanks!

—
You are currently subscribed to ntfsd as: sboboc@ps.ro
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
To unsubscribe send a blank email to %%email.unsub%%

OSR_Community_User-148 · November 13, 2002, 6:47am

you are right Dan,
my mistake!
Stefan

-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: Wednesday, November 13, 2002 1:36 PM
To: File Systems Developers
Subject: [ntfsd] RE: How to track a specific file?

> decrementing the counter on IRP_MJ_CLOSE when File Object is not
FO_STREAM_FILE and both FileObject->SectionObjectPointer-
> ImageSectionObject and
FileObject->SectionObjectPointer->DataSectionObject are NULL!

This statement is wrong. The trick with
FileObject->SectionObjectPointer->ImageSectionObject is used to determine
when to safelydelete an element from your tracking structures (ref cnt == 0
&& ImageSectionObject == NULL && DataSectionObject == NULL), and not for
reference decrementing.

Regards, Dan

----- Original Message -----
From: “Stefan Boboc”
To: “File Systems Developers”
Sent: Wednesday, November 13, 2002 12:59 PM
Subject: [ntfsd] RE: How to track a specific file?

Hi,
You should track the File Object and FsContext after IRP_MJ_CREATE and you
should check for FsContext during Read and Write Operations.
Also you should keep the track of all your FsContext incrementing the
counter after successful IRP_MJ_CREATE’s and decrementing the counter on
IRP_MJ_CLOSE when File Object is not FO_STREAM_FILE and both
FileObject->SectionObjectPointer->ImageSectionObject and
FileObject->SectionObjectPointer->DataSectionObject are NULL!
Hope this help,
Stefan

-----Original Message-----
From: zhangbo [mailto:xxxxx@gmx.net]
Sent: Wednesday, November 13, 2002 9:34 AM
To: File Systems Developers
Subject: [ntfsd] How to track a specific file?

hi,

I want to track all the read/write operation on a file(a *.DOC file) in
FS filter driver. How can I achieve this? Shall I remember the fileObject
in its IRP_MJ_CREATE completion routine and check for this fileObject in
IRP_MJ_READ/IRP_MJ_WRITE?

Thanks!

—
You are currently subscribed to ntfsd as: sboboc@ps.ro
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
To unsubscribe send a blank email to %%email.unsub%%

—
You are currently subscribed to ntfsd as: sboboc@ps.ro
To unsubscribe send a blank email to %%email.unsub%%

OSR_Community_User · November 14, 2002, 9:47pm

Thank you for reply! I will try to understandard and test it.