IRP_MN_NOTIFY_CHANGE_DIRECTORY

Hi Guys,

I am developing a legacy file filter driver and I want to track the various changes that are done on a directory or file (size changes, last access, last write, etc.). I read the WinDDK but I could not find anything that helps except FsRtlNotifyFullChangeDirectory, but I do not know how to use this to achieve my functionality.

Please throw some light…

On 10/28/2010 3:41 AM, xxxxx@gmail.com wrote:

Hi Guys,

I am developing a legacy file filter driver and I want to track the various changes that are done on a directory or file (size changes, last access, last write, etc.). I read the WinDDK but I could not find anything that helps except FsRtlNotifyFullChangeDirectory, but I do not know how to use this to achieve my functionality.

This API and its relatives are for the ‘other end’ of the notification
processing, they are used by the underlying file system to notify when a
change has occurred. Instead check out the
IRP_MJ_DIRECTORY_CONTROL/IRP_MN_NOTIFY_CHANGE_DIRECTORY. You can send
this down to the file system, specify a directory or file name and it
will complete the request indicating what has been modified when
something does happen.

You can look at the FAT source for how the file system handles it.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Directory change notification is a mechanism that allows monitoring of
directory changes without writing a file system filter. It can be used by
user mode code (such as FindFirstChangeNotification and friends) or by a
kernel mode code caller (that is not a file system filter).

Because from a file system perspective things are largely similar in
implementation (add path to watch to some list and then for each operation
check against the paths and the operations that are interesting and if there
is a match, send the notification) this is done in a library. The
FsRtlNotifyxxxChangeDirectory functions are called by a file system when it
receives a notification request (when it receives the
IRP_MJ_DIRECTORY_CONTROL with the IRP_MN_NOTIFY_CHANGE_DIRECTORY function)
and the FsRtlNotifyxxxReportChange are called by the file system when any
operation that might be of interest to someone happens. The FsRtl library
takes care of queuing the IRP and completing it when necessary, buffering
changes and so on. The FAT source should show how this is done.

Naturally, anyone implementing a filter that modifies the namespace or file
properties in some way also needs to handle these APIs.

If you are writing an “activity monitor” type of filter you probably don’t
need to worry about these and instead focus on just logging operations that
are interesting to you.

But before you start coding, please make sure that the existing mechanisms
windows provides (FindFirstChangeNotification for all file systems and the
USN journal for NTFS) aren’t enough to achieve what you want, because it
would simplify things a great deal. Also, they are available in user mode so
you won’t need a filter at all.

Thanks,
Alex.

Thanks Alex for the reply.

I got your point and I know we can do that easily in user mode.

But then the concern is that I think I would
never get the process name which is associated with the file operation.

We also want to log the process name, and
as far as I know we have to write a file filter driver for that.

Am I right?

As far as I know you are. Neither the USN journal nor directory change
notifications provide this functionality.

In this case you probably need something similar to procmon. You will need a
minifilter and you will also need to filter the operations you are
interested in yourself. Most likely you won’t care about
IRP_MN_NOTIFY_CHANGE_DIRECTORY at all…

Thanks,
Alex.