Hi all:
I want to monitor File read and write in my Mass Storage
So, I wrote a filter driver and Handle IRP_MJ_READ IRP_MJ_WRITE
IRP_MJ_CREATE request.
and I installed this filter driver by an INF file which indicate two sys
files
one for my filter driver named filter.sys, and one named disk.sys copied
from o.s, is that correct ?
beacuse now I have some problem about geting the file name while has
been
read or write.
I can only get the IRP_MJ_READ and IRP_MJ_WRITE when file is read and
wrote,
and I always get NULL pointer of FILE_OBJECT from IO_STACK_LOCATION
so I still can not get file name now. can any one help me ?
there is another question, I read some document about filter driver,
which saied FileName
is not avalible when IRP_MJ_READ and IRP_MJ_WRITE appear, document saied
I should
get FileName in IRP_MJ_CREATE request, but I can see IRP_MJ_CREATE when
my
usb mass stroage device insert into my PC , I can not see it when I read
or write some file in my
usb mass stroage,why???
Write your own FSD if you want to control the file data place where to be
written.
Best regards,
lu0
TTC Senior Engineer
http://ttcone.com
Inside Programming
http://lu0.126.com
----- Original Message -----
From: “Shuo-Da Huang(¶ÀºÓ¹F)”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Friday, September 03, 2004 2:58 PM
Subject: [ntfsd] Install a filter driver of usb Mass Storage driver
> Hi all:
>
> I want to monitor File read and write in my Mass Storage
> So, I wrote a filter driver and Handle IRP_MJ_READ IRP_MJ_WRITE
> IRP_MJ_CREATE request.
>
> and I installed this filter driver by an INF file which indicate two
> sys
> files
> one for my filter driver named filter.sys, and one named disk.sys
> copied
> from o.s, is that correct ?
>
> beacuse now I have some problem about geting the file name while has
> been
> read or write.
I just want to log the file name which is being read and write, should I
Implement a FSD !!
I can get IRP_MJ_READ and IRP_MJWRITE already but IRP_MJ_CREATE
so I cant not get FULE_OBJECT since IRP_MJ_CREATE request…
is there something wrong ??
“lu0” ÔÚà]¼þ news:xxxxx@ntfsd ÖÐ׫Œ‘…
> Write your own FSD if you want to control the file data place where to be
> written.
>
> Best regards,
> lu0
> TTC Senior Engineer
> http://ttcone.com
> Inside Programming
> http://lu0.126.com
> ----- Original Message -----
> From: “Shuo-Da Huang(¶ÀºÓ¹F)”
> Newsgroups: ntfsd
> To: “Windows File Systems Devs Interest List”
> Sent: Friday, September 03, 2004 2:58 PM
> Subject: [ntfsd] Install a filter driver of usb Mass Storage driver
>
>
> > Hi all:
> >
> > I want to monitor File read and write in my Mass Storage
> > So, I wrote a filter driver and Handle IRP_MJ_READ IRP_MJ_WRITE
> > IRP_MJ_CREATE request.
> >
> > and I installed this filter driver by an INF file which indicate two
> > sys
> > files
> > one for my filter driver named filter.sys, and one named disk.sys
> > copied
> > from o.s, is that correct ?
> >
> > beacuse now I have some problem about geting the file name while has
> > been
> > read or write.
>
>
>
>
You can do this is FSF only. In a Mass Storage driver, you can only monitor
block reads/writes.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Shuo-Da Huang(¶ÀºÓ¹F)”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Friday, September 03, 2004 10:58 AM
Subject: [ntfsd] Install a filter driver of usb Mass Storage driver
> Hi all:
>
> I want to monitor File read and write in my Mass Storage
> So, I wrote a filter driver and Handle IRP_MJ_READ IRP_MJ_WRITE
> IRP_MJ_CREATE request.
>
> and I installed this filter driver by an INF file which indicate two sys
> files
> one for my filter driver named filter.sys, and one named disk.sys copied
> from o.s, is that correct ?
>
> beacuse now I have some problem about geting the file name while has
> been
> read or write.
>
> I can only get the IRP_MJ_READ and IRP_MJ_WRITE when file is read and
> wrote,
> and I always get NULL pointer of FILE_OBJECT from IO_STACK_LOCATION
> so I still can not get file name now. can any one help me ?
>
> there is another question, I read some document about filter driver,
> which saied FileName
> is not avalible when IRP_MJ_READ and IRP_MJ_WRITE appear, document saied
> I should
> get FileName in IRP_MJ_CREATE request, but I can see IRP_MJ_CREATE when
> my
> usb mass stroage device insert into my PC , I can not see it when I read
> or write some file in my
> usb mass stroage,why???
>
>
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
Is it not in FSF in my way ?
I install my filter driver with an INF file and indicate two sys
files(filter.sys disk.sys),to make my filter
driver be a upper filter driver of disk.sys,If in this way it is not being a
upper filter driver of file system
what should I do?
which sys file should I use ???
“Maxim S. Shatskih” ??? news:xxxxx@ntfsd ???..
> You can do this is FSF only. In a Mass Storage driver, you can only
monitor
> block reads/writes.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: “Shuo-Da Huang(¶ÀºÓ¹F)”
> Newsgroups: ntfsd
> To: “Windows File Systems Devs Interest List”
> Sent: Friday, September 03, 2004 10:58 AM
> Subject: [ntfsd] Install a filter driver of usb Mass Storage driver
>
>
> > Hi all:
> >
> > I want to monitor File read and write in my Mass Storage
> > So, I wrote a filter driver and Handle IRP_MJ_READ IRP_MJ_WRITE
> > IRP_MJ_CREATE request.
> >
> > and I installed this filter driver by an INF file which indicate two
sys
> > files
> > one for my filter driver named filter.sys, and one named disk.sys
copied
> > from o.s, is that correct ?
> >
> > beacuse now I have some problem about geting the file name while has
> > been
> > read or write.
> >
> > I can only get the IRP_MJ_READ and IRP_MJ_WRITE when file is read
and
> > wrote,
> > and I always get NULL pointer of FILE_OBJECT from IO_STACK_LOCATION
> > so I still can not get file name now. can any one help me ?
> >
> > there is another question, I read some document about filter driver,
> > which saied FileName
> > is not avalible when IRP_MJ_READ and IRP_MJ_WRITE appear, document
saied
> > I should
> > get FileName in IRP_MJ_CREATE request, but I can see IRP_MJ_CREATE
when
> > my
> > usb mass stroage device insert into my PC , I can not see it when I
read
> > or write some file in my
> > usb mass stroage,why???
> >
> >
> >
> > —
> > Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
> >
> > You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
A FSF will filter the file system, not the storage stack.
On 6-Sep-04, at 7:52 PM, Shuo-Da Huang((???)) wrote:
Is it not in FSF in my way ?
I install my filter driver with an INF file and indicate two sys
files(filter.sys disk.sys),to make my filter
driver be a upper filter driver of disk.sys,If in this way it is not
being a
upper filter driver of file system
what should I do?
which sys file should I use ???
“Maxim S. Shatskih” ??? news:xxxxx@ntfsd
> ???..
>> You can do this is FSF only. In a Mass Storage driver, you can
>> only
> monitor
>> block reads/writes.
>>
>> Maxim Shatskih, Windows DDK MVP
>> StorageCraft Corporation
>> xxxxx@storagecraft.com
>> http://www.storagecraft.com
>>
>> ----- Original Message -----
>> From: “Shuo-Da Huang(???ӹF)”
>> Newsgroups: ntfsd
>> To: “Windows File Systems Devs Interest List”
>> Sent: Friday, September 03, 2004 10:58 AM
>> Subject: [ntfsd] Install a filter driver of usb Mass Storage driver
>>
>>
>>> Hi all:
>>>
>>> I want to monitor File read and write in my Mass Storage
>>> So, I wrote a filter driver and Handle IRP_MJ_READ IRP_MJ_WRITE
>>> IRP_MJ_CREATE request.
>>>
>>> and I installed this filter driver by an INF file which indicate
>>> two
> sys
>>> files
>>> one for my filter driver named filter.sys, and one named disk.sys
> copied
>>> from o.s, is that correct ?
>>>
>>> beacuse now I have some problem about geting the file name while
>>> has
>>> been
>>> read or write.
>>>
>>> I can only get the IRP_MJ_READ and IRP_MJ_WRITE when file is read
> and
>>> wrote,
>>> and I always get NULL pointer of FILE_OBJECT from
>>> IO_STACK_LOCATION
>>> so I still can not get file name now. can any one help me ?
>>>
>>> there is another question, I read some document about filter
>>> driver,
>>> which saied FileName
>>> is not avalible when IRP_MJ_READ and IRP_MJ_WRITE appear,
>>> document
> saied
>>> I should
>>> get FileName in IRP_MJ_CREATE request, but I can see
>>> IRP_MJ_CREATE
> when
>>> my
>>> usb mass stroage device insert into my PC , I can not see it
>>> when I
> read
>>> or write some file in my
>>> usb mass stroage,why???
>>>
>>>
>>>
>>> —
>>> Questions? First check the IFS FAQ at
>> https://www.osronline.com/article.cfm?id=17
>>>
>>> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@telus.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
–
Cliff Russell
Software Engineer
e-mail: xxxxx@atimi.com
ichat: xxxxx@mac.com
phone: 250 818 5711
Atimi Software: Software Development - On Time.
http://www.atimi.com
How could I know my filter driver is a file system filter driver or a
storage stack filter driver?
I think that, when my filter driver be on top of file system it is a file
system filter driver
when my filter driver be on top of storage it is a filter driver is not it ?
my question is that how can I make my filter driver be on top of file system
?
I install my filter driver by an INF file and there are two sys files wrote
in that
INF disk.sys(is this file system driver `???) and filter.sys(my
driver)
“Cliff Russell” ??? news:xxxxx@ntfsd ???..
A FSF will filter the file system, not the storage stack.
On 6-Sep-04, at 7:52 PM, Shuo-Da Huang((???)) wrote:
> Is it not in FSF in my way ?
> I install my filter driver with an INF file and indicate two sys
> files(filter.sys disk.sys),to make my filter
> driver be a upper filter driver of disk.sys,If in this way it is not
> being a
> upper filter driver of file system
> what should I do?
> which sys file should I use ???
> “Maxim S. Shatskih” ??? news:xxxxx@ntfsd
> ???..
>> You can do this is FSF only. In a Mass Storage driver, you can
>> only
> monitor
>> block reads/writes.
>>
>> Maxim Shatskih, Windows DDK MVP
>> StorageCraft Corporation
>> xxxxx@storagecraft.com
>> http://www.storagecraft.com
>>
>> ----- Original Message -----
>> From: “Shuo-Da Huang(¶ÀºÓ¹F)”
>> Newsgroups: ntfsd
>> To: “Windows File Systems Devs Interest List”
>> Sent: Friday, September 03, 2004 10:58 AM
>> Subject: [ntfsd] Install a filter driver of usb Mass Storage driver
>>
>>
>>> Hi all:
>>>
>>> I want to monitor File read and write in my Mass Storage
>>> So, I wrote a filter driver and Handle IRP_MJ_READ IRP_MJ_WRITE
>>> IRP_MJ_CREATE request.
>>>
>>> and I installed this filter driver by an INF file which indicate
>>> two
> sys
>>> files
>>> one for my filter driver named filter.sys, and one named disk.sys
> copied
>>> from o.s, is that correct ?
>>>
>>> beacuse now I have some problem about geting the file name while
>>> has
>>> been
>>> read or write.
>>>
>>> I can only get the IRP_MJ_READ and IRP_MJ_WRITE when file is read
> and
>>> wrote,
>>> and I always get NULL pointer of FILE_OBJECT from
>>> IO_STACK_LOCATION
>>> so I still can not get file name now. can any one help me ?
>>>
>>> there is another question, I read some document about filter
>>> driver,
>>> which saied FileName
>>> is not avalible when IRP_MJ_READ and IRP_MJ_WRITE appear,
>>> document
> saied
>>> I should
>>> get FileName in IRP_MJ_CREATE request, but I can see
>>> IRP_MJ_CREATE
> when
>>> my
>>> usb mass stroage device insert into my PC , I can not see it
>>> when I
> read
>>> or write some file in my
>>> usb mass stroage,why???
>>>
>>>
>>>
>>> —
>>> Questions? First check the IFS FAQ at
>> https://www.osronline.com/article.cfm?id=17
>>>
>>> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@telus.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
–
Cliff Russell
Software Engineer
e-mail: xxxxx@atimi.com
ichat: xxxxx@mac.com
phone: 250 818 5711
Atimi Software: Software Development - On Time.
http://www.atimi.com
> How could I know my filter driver is a file system filter driver or a
storage stack filter driver?
:-)))
As the author, you should damn well know
what your driver is. Many implementation things
depend on it
I think that, when my filter driver be on top of file system it is a file
system filter driver
when my filter driver be on top of storage it is a filter driver is not it
?
Exactly.
my question is that how can I make my filter driver be on top of file
system
See the Filespy or SFilter example. You have to intercept
the volume mount and dismount requests. You also have to
watch new file system registration (using IoRegisterFsRegistrationChange)
I install my filter driver by an INF file and there are two sys files
wrote
in that INF disk.sys (is this file system driver `???)
No, it is a storage driver, handling e.g. USB disk drives.
L.
“Ladislav Zezula” ??? news:xxxxx@ntfsd ???..
> > How could I know my filter driver is a file system filter driver or a
> > storage stack filter driver?
>
> :-)))
> As the author, you should damn well know
> what your driver is. Many implementation things
> depend on it
>
> > I think that, when my filter driver be on top of file system it is a
file
> > system filter driver
> > when my filter driver be on top of storage it is a filter driver is not
it
> > ?
>
> Exactly.
>
> > my question is that how can I make my filter driver be on top of file
> > system
>
> See the Filespy or SFilter example. You have to intercept
> the volume mount and dismount requests. You also have to
> watch new file system registration (using IoRegisterFsRegistrationChange)
>
> > I install my filter driver by an INF file and there are two sys files
> > wrote
> > in that INF disk.sys (is this file system driver `???)
>
> No, it is a storage driver, handling e.g. USB disk drives.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OK…I see thanks alot.
by the way, what I want to do is to log the file name when file IO(file read
file write) in my usb mass storage,can I do this with disk.sys ? or I have
to do this with file system driver ??
>
> L.
>
>
> by the way, what I want to do is to log the file name when file IO(file
read
file write) in my usb mass storage,can I do this with disk.sys ? or I have
to do this with file system driver ??
You cannot achieve it with disk.sys. Storage drivers
do not know anything about files, they have only
“Read a sector” or “write a sector” (plus some IOCTLs
and some more IRP calls).
Compare two utilities : Diskmon (storage filter)
and filemon (file system filter) you can see what they
show and you’ll get the idea what which filter
(file system filter and disk filter) could do.
L.
I am really appreciate about your reply.
But would you please give me more advice about how to mount my filter driver
to file system driver 
Is it just change disk.sys to some other sys file? (for example ntfs.sys ?)
thanks alot…
“Ladislav Zezula” ??? news:xxxxx@ntfsd ???..
> > by the way, what I want to do is to log the file name when file IO(file
> > read
> > file write) in my usb mass storage,can I do this with disk.sys ? or I
have
> > to do this with file system driver ??
>
> You cannot achieve it with disk.sys. Storage drivers
> do not know anything about files, they have only
> “Read a sector” or “write a sector” (plus some IOCTLs
> and some more IRP calls).
>
> Compare two utilities : Diskmon (storage filter)
> and filemon (file system filter) you can see what they
> show and you’ll get the idea what which filter
> (file system filter and disk filter) could do.
>
> L.
>
>
> But would you please give me more advice about how to mount my filter
driver
to file system driver
Is it just change disk.sys to some other sys file? (for example ntfs.sys
?)
thanks alot…
Please, look into the sfilter and filespy examples how to do it.
You will find all information there.
L.
Is there any free source code of filespy ??
where can I get it ?
“Ladislav Zezula” ??? news:xxxxx@ntfsd ???..
> > But would you please give me more advice about how to mount my filter
> > driver
> > to file system driver
> > Is it just change disk.sys to some other sys file? (for example ntfs.sys
> > ?)
> > thanks alot…
>
> Please, look into the sfilter and filespy examples how to do it.
> You will find all information there.
>
> L.
>
>