I/O calls in Create/Open

It is not always safe to call read operations inside the IRP_MJ_CREATE
handler. This was discussed quite some time ago and I posted an article
about the issue on OSRONLINE (the file object is not “real” in that it
is only storage on the stack of the caller).

In the case where it crashes, is your IRP_MJ_CREATE handler being called
with a file object that is inside the limits of the stack (use
IoGetStackLimits to figure this out.) If so, you have the specific
problem/issue I suspect. In that case, you should look at implementing
the solution we discuss in that article. If not, you’ll need to provide
just a bit more information - like the output from “!analyze -v” in the
system where you have crashed.

Regards,

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of vartika singh
Sent: Monday, April 19, 2004 2:58 AM
To: ntfsd redirect
Subject: [ntfsd] I/O calls in Create/Open

hi all,
some time back I asked a question as to why I get a BSOD whenever I
create a new folder/file in a volume to which my filter driver is
attached,
but I didn't get any answers.
I will reformat my question.
please do help me out.
I have written a simple filesystem filter driver which replaces the
buffer in the completion routine of IRP_MJ_READ.
everything works fine till I try to create something new in that
particular drive to which the filter is attached.
It seems to me that, during the create call, the read dispatch routine is
also called.
can somebody list out the number of I/O calls when the create/open is
called and what specifically those I/O calls are?

Please help me out.

Thanks in advance

Vartika

PFN_LIST_CORRUPT indicates that you have an MDL handling error - my
guess is that you are building the MDL incorrectly, or you are using
non-paged pool memory and then unlocking it or some other issue, but
that’s the primary reason one would normally see PFN_LIST_CORRUPT. This
might also occur if you manipulate MDLs that are not yours, such as
those built by the memory manager to satisfy paging operations.

Of course, I also cannot fathom why creating a new file would be doing
an IRP_MJ_READ - are you memory mapping the on disk directory? Again, I
cannot recall ever seeing I/O to a file or directory as a result of a
newly created file. Perhaps this is related to your test application
(I’m assuming you just call Win32 CreateFile to create this new file or
directory, right?) Indeed, perhaps you can post the code sequence from
your test application so we have a better idea of how you are creating
this new file.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com



From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of vartika singh
Sent: Monday, April 19, 2004 9:05 AM
To: ntfsd redirect
Subject: Re: RE: [ntfsd] I/O calls in Create/Open

hello Mr Mason,

I guess I was not very clear in my query.
Actually I'm not calling the read operation inside IRP_MJ_CREATE.
I have implemented the read routine and I'm replacing the data in the
memory with my own data. I do this by locking the MDL in the read
dispatch routine and do the substitution in the completion routine. After
this I unlock and free the MDL.
The problem of crash arises whenever I create a new file/folder in the
drive to which my filter is attached.
What I want to know is what read instruction is executed in the course of
create routine execution,
because I'm getting a bug check of 0x4E (0x7,)
PFN_LIST_CORRUPT
and I'm locking and unlocking the MDL only in my read dispatch routine.

Vartika


Using IoBuildPartialMdl, and then deallocating the main MDL before the partial one is the common source of this bugcheck.

Mismatched MmLock/UnlockPages is another.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Without additional information on how you are handling your MDLs (the
source of the problem) there is not much any of us can do to help.
Personally, I suspect that you are freeing an MDL from paging I/O, but
given your reticence to even tell us what application you are using all
I can do is guess as to what you are doing.

I know it may seem obvious to you what you are doing, but I must tell
you that different applications behave very differently and the Win32
API is far removed from what you see at the file system filter level.
So, without a thorough explanation of what you are doing and ALL of what
you are seeing, there is very little we can probably do to help you
overcome your current issue.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of vartika singh
Sent: Tuesday, April 20, 2004 12:52 AM
To: ntfsd redirect
Subject: Re: RE: RE: [ntfsd] I/O calls in Create/Open

hi,

There is no test application as such for creating the file.
This happens whenever I right click in the mounted drive and click on
“create new folder/file” in the menu.
I'm building my driver with the filespy sample provided with the IFS kit as
the base.
In its create routine, though, it does do logging of I/O calls in a hash
table allocated from non-paged pool memory.
And no, I'm not using IoBuildPartialMdl.

Vartika


He did mention what application he is using - Explorer. When you do
New-> File Type (such as Word document) a file is created and data from
template file is copied to it.

Now, why this happens at the new file creation time - most probably
as others noted… incorrect MDL handling…
Tell us what you do with MDLs - since MDLs can be reused, that’s why
a bugcheck occurs later, from invalid MDLs.

Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Dejan,

Yes, I also believe he is using Explorer, but he never said so. Nor did
he provide us with sample code. He has an MDL handling issue but rather
than providing us with detailed explanations of what is happening, he
gives us a vague and overly broad description of the problem.

Don’t get me wrong - there have been times when a vague description has
been enough for someone on this list to suggest a solution, but I don’t
see that happening from this query.

I still believe the problem is the way he’s handling MDLs. He mentioned
he probes and locks the MDL and then later frees it - but what if the
MDL is from MM, in which case freeing it will wreak havoc later when MM
tries to tear it down?

Details is all I’m asking for - what version, what service packs, what
underlying file system, what application, what is his code doing with
the MDL…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


Vartika,

First, my apologies for guessing your gender incorrectly (alas, e-mail
does not give us much in the way of hints).

Some questions:

(1) Why do you specify KernelMode for access? I’d instead suggest
using Irp->PreviousMode (so you do user mode probe for user buffers)

(2) What are you doing with the existing contents of
Irp->MdlAddress? It does not appear to be preserved in this case and
that could lead to memory leaks

(3) Where do you clear Irp->MdlAddress after you free the MDL? Not
doing so will lead the I/O Manager to clean up the MDL and that might
lead to PFN_LIST_CORRUPT

I’d suggest chaining the MDL onto the IRP and allowing the I/O Manager
to tear it down - that’s far less error prone than trying to do this
yourself (you should be able to make it work, but PFN_LIST_CORRUPT is
the way MM tells you that you didn’t do it correctly this time around.)

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources Inc.

http://www.osr.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of vartika singh
Sent: Tuesday, April 20, 2004 10:18 AM
To: ntfsd redirect
Subject: Re: RE: [ntfsd] I/O calls in Create/Open

Hi all!
First of all I'm not ‘he’, I'm ‘she’.
I'm sorry I didn't mention the Windows Explorer clearly.
Secondly I had sent my code some time back, but as an attachment, and
consequently it got rejected.
Well here is how I'm manipulating the MDLs…

typedef struct _READ_CONTEXT {
    PMDL  pMdl;
    ULONG offset;
} READ_CONTEXT, *PREAD_CONTEXT;

NTSTATUS
ReadCompletion (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    );

NTSTATUS
dispatchRead (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION pThisIrp = IoGetCurrentIrpStackLocation( Irp );
    PFILE_OBJECT fileObject = pThisIrp->FileObject;   // FILE_OBJECT is defined in ntddk.h
    PREAD_CONTEXT readContext;
    NTSTATUS lowerStatus;

    PAGED_CODE();

    // the context travels with the IRP to the completion routine, so it
    // cannot live on this stack frame
    readContext = ExAllocatePoolWithTag( NonPagedPool, sizeof(READ_CONTEXT), SPY_READ_TAG );
    if( readContext == NULL ) {
        Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest( Irp, IO_NO_INCREMENT );
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    readContext->offset = fileObject->CurrentByteOffset.LowPart;

    // This is where I allocate the MDL

    if( ! ( Irp->Flags & IRP_PAGING_IO ) ) {
        readContext->pMdl = IoAllocateMdl(
            Irp->UserBuffer,
            pThisIrp->Parameters.Read.Length,
            FALSE,
            FALSE,
            NULL
            );
        if( readContext->pMdl == NULL ) {
            ExFreePoolWithTag( readContext, SPY_READ_TAG );
            Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
            Irp->IoStatus.Information = 0;
            IoCompleteRequest( Irp, IO_NO_INCREMENT );
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        __try {
            MmProbeAndLockPages( readContext->pMdl, KernelMode, IoModifyAccess );
        }
        __except( EXCEPTION_EXECUTE_HANDLER ) {
            NTSTATUS status = GetExceptionCode();
            IoFreeMdl( readContext->pMdl );
            ExFreePoolWithTag( readContext, SPY_READ_TAG );
            // the IRP has not been passed down yet, so it must be completed here
            Irp->IoStatus.Status = status;
            Irp->IoStatus.Information = 0;
            IoCompleteRequest( Irp, IO_NO_INCREMENT );
            return status;
        }
    }
    else {
        // cannot Probe and Lock on a PAGING_IO request, just pass the MDL
        readContext->pMdl = Irp->MdlAddress;
    }

    // setting the completion routine

    IoCopyCurrentIrpStackLocationToNext( Irp );

    IoSetCompletionRoutine(
        Irp,
        ReadCompletion,
        readContext,
        TRUE,
        TRUE,
        TRUE
        );

    lowerStatus = IoCallDriver(
        ((PFILESPY_DEVICE_EXTENSION)DeviceObject->DeviceExtension)->AttachedToDeviceObject,
        Irp );

    return lowerStatus;
}

NTSTATUS
ReadCompletion (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    PCHAR buf;
    UNICODE_STRING readIoBuf;
    PREAD_CONTEXT pReadCtx = (PREAD_CONTEXT)Context;
    ULONG len = (ULONG)Irp->IoStatus.Information;

    UNREFERENCED_PARAMETER( DeviceObject );

    if( Irp->IoStatus.Status == STATUS_SUCCESS ) {
        if( len > 0 ) {

            buf = (PCHAR)MmGetSystemAddressForMdlSafe( pReadCtx->pMdl, HighPagePriority );

            // This is where I'm replacing the data in the test files of mine. Please
            // note that all these files contain only a few words as data. To begin
            // with, the data with which I'm replacing it is also only a sentence.

            RtlInitUnicodeString( &readIoBuf, L"This is a test file!" );

            if( buf != NULL ) {
                // never copy more bytes than the replacement string holds
                if( len > readIoBuf.Length ) {
                    len = readIoBuf.Length;
                }
                RtlCopyMemory( buf, readIoBuf.Buffer, len );
            }
        }
        else {
            DbgPrint( "Not reading: non positive length from FSD\n" );
        }
    }
    else {
        DbgPrint( "Not reading : non-zero rc from FSD: %08x\n", Irp->IoStatus.Status );
    }

    // on a PAGING_IO request the MDL is not ours, so there is nothing to
    // unlock or free here
    if( ! ( Irp->Flags & IRP_PAGING_IO ) ) {
        MmUnlockPages( pReadCtx->pMdl );
        IoFreeMdl( pReadCtx->pMdl );
    }

    if( Irp->PendingReturned ) {
        IoMarkIrpPending( Irp );
    }
    ExFreePoolWithTag( pReadCtx, SPY_READ_TAG );

    return STATUS_SUCCESS;
}

I'm using the filespy program provided with the IFS kit. Platform is
Windows 2000 Pro, and I'm using the IFS kit's Windows 2000 checked build
environment for the x86 architecture.
This is my first shot at writing any sort of device driver and I'm really
confused.

regards

Vartika
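The MDL rules stated in the replies above (Tony: PFN_LIST_CORRUPT comes from mishandled MDLs, in particular touching MDLs that are not yours such as the ones the memory manager builds for paging I/O, and from freeing your own MDL while leaving it in Irp->MdlAddress so the I/O manager tears it down again; Maxim: mismatched MmProbeAndLockPages/MmUnlockPages) can be exercised outside the kernel. What follows is an added example, not code from this thread, from the FileSpy sample or from OSR: a user-mode C model in which MDL, IRP, the page-frame table, the four filter behaviours and the bug check value 100 are stand-ins defined in the file; only 0x4E with parameter 7 is a real Windows bug check. It pushes one read through a filter that behaves in each of four ways and reports which behaviours trip the "unlocked more times than locked" check and which merely leak locked pages.

```c
/*
 * User-mode model of the page-lock accounting behind bug check 0x4E
 * (PFN_LIST_CORRUPT) parameter 7, "page unlocked more times than locked".
 * NOT kernel code: MDL, IRP, the page-frame table and the value 100 are
 * stand-ins defined here. Rule modelled: every MDL is unlocked and freed
 * exactly once, by its owner: MM for a paging read's MDL, the I/O manager
 * for anything still chained at Irp->MdlAddress at completion, the filter
 * only for MDLs it allocated and did not chain.
 */
#include <string.h>

#define NPAGES 8                            /* frames in the toy physical memory */
#define NMDLS  4                            /* size of the MDL pool */
#define BUGCHECK_NONE               0
#define BUGCHECK_PFN_LIST_CORRUPT_7 7       /* real code: unlocked more than locked */
#define BUGCHECK_FREE_OF_LOCKED_MDL 100     /* invented label: IoFreeMdl on a locked MDL */

typedef struct MDL {
    size_t first_pfn, npages;
    int locked, in_use;
    struct MDL *next;                       /* MDLs can be chained on an IRP */
} MDL;
typedef struct IRP { MDL *mdl_address; } IRP;   /* only Irp->MdlAddress is modelled */
enum filter_behaviour {
    FILTER_FREES_OWN_MDL,                   /* allocate, lock, unlock, free; never chained */
    FILTER_CHAINS_TO_IRP,                   /* chain own MDL; I/O manager tears it down */
    FILTER_FREES_MM_MDL,                    /* frees the paging MDL it did not allocate */
    FILTER_FREES_BUT_LEAVES_LINK            /* chains, frees, never clears Irp->MdlAddress */
};
static int pfn_lock_count[NPAGES], last_bugcheck;
static MDL mdl_pool[NMDLS];

/* IoAllocateMdl stand-in: describe npages frames starting at first_pfn. */
static MDL *io_allocate_mdl(size_t first_pfn, size_t npages) {
    int i;
    for (i = 0; i < NMDLS && mdl_pool[i].in_use; i++) ;
    if (i == NMDLS) return NULL;
    memset(&mdl_pool[i], 0, sizeof mdl_pool[i]);
    mdl_pool[i].in_use = 1; mdl_pool[i].first_pfn = first_pfn; mdl_pool[i].npages = npages;
    return &mdl_pool[i];
}
/* MmProbeAndLockPages stand-in: one lock reference per frame. */
static void mm_probe_and_lock_pages(MDL *m) {
    size_t p;
    for (p = 0; p < m->npages; p++) pfn_lock_count[m->first_pfn + p]++;
    m->locked = 1;
}
/* MmUnlockPages stand-in: this is where the PFN database check fires. */
static void mm_unlock_pages(MDL *m) {
    size_t p;
    if (!m->locked) { last_bugcheck = BUGCHECK_PFN_LIST_CORRUPT_7; return; }
    for (p = 0; p < m->npages; p++)
        if (--pfn_lock_count[m->first_pfn + p] < 0) last_bugcheck = BUGCHECK_PFN_LIST_CORRUPT_7;
    m->locked = 0;
}
/* IoFreeMdl stand-in: freeing a still-locked MDL is reported separately. */
static void io_free_mdl(MDL *m) {
    if (m->locked) last_bugcheck = BUGCHECK_FREE_OF_LOCKED_MDL;
    m->in_use = 0;
}
/* Owner teardown once the read completes: MM for its paging MDL, the I/O
 * manager for anything still chained to the IRP (what IoCompleteRequest does). */
static void owner_teardown(IRP *irp) {
    MDL *m = irp->mdl_address, *next;
    for (; m; m = next) { next = m->next; mm_unlock_pages(m); io_free_mdl(m); }
    irp->mdl_address = NULL;
}
/* Page locks still outstanding after a run: a silent leak, not a bug check. */
int locked_pages_remaining(void) {
    int i, n = 0;
    for (i = 0; i < NPAGES; i++) n += pfn_lock_count[i];
    return n;
}
/* Push one read through a filter with the given behaviour; return the bug check. */
int run_read(int paging_io, enum filter_behaviour how) {
    IRP irp;
    MDL *mine = NULL;
    memset(pfn_lock_count, 0, sizeof pfn_lock_count);
    memset(mdl_pool, 0, sizeof mdl_pool);
    last_bugcheck = BUGCHECK_NONE;
    irp.mdl_address = NULL;
    if (paging_io) {                        /* MM built and locked this MDL itself */
        irp.mdl_address = io_allocate_mdl(0, 4);
        mm_probe_and_lock_pages(irp.mdl_address);
    } else {                                /* filter dispatch: lock the caller's buffer */
        mine = io_allocate_mdl(4, 2);
        mm_probe_and_lock_pages(mine);
        if (how == FILTER_CHAINS_TO_IRP || how == FILTER_FREES_BUT_LEAVES_LINK) {
            mine->next = irp.mdl_address;
            irp.mdl_address = mine;
        }
    }
    switch (how) {                          /* filter completion routine */
    case FILTER_CHAINS_TO_IRP: break;       /* the I/O manager owns it now: hands off */
    case FILTER_FREES_OWN_MDL:
    case FILTER_FREES_BUT_LEAVES_LINK:      /* same calls, but Irp->MdlAddress still points at it */
        if (mine) { mm_unlock_pages(mine); io_free_mdl(mine); }
        break;
    case FILTER_FREES_MM_MDL:               /* unlocks and frees what MM will also tear down */
        if (irp.mdl_address) { mm_unlock_pages(irp.mdl_address); io_free_mdl(irp.mdl_address); }
        break;
    }
    owner_teardown(&irp);
    return last_bugcheck;
}
```

run_read(paging_io, behaviour) returns 0 for the two patterns the thread recommends (free only what you allocated and never chained, or chain it onto the IRP and do not touch it again), 7 for unlocking the paging MDL or for leaving a freed MDL linked on the IRP, and locked_pages_remaining() exposes the quiet leak when a filter-owned MDL is neither freed nor chained. Partial MDLs (IoBuildPartialMdl) and the requestor-mode question in Tony's point (1) are deliberately outside the model.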

Tony,

No harm intended! :) He did mention he was using Explorer though. That just
explains WHY data gets written - but not why the problem occurs - so I’m also waiting
for some details :-)


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.