Log memory mapped io in filter driver

Hi

How do I log the data which is written from a memory mapped file to the file on disk with a filter driver?

Kind regards

Hans

Can you rephrase? You want to see memory mapped I/O to any file in the
system and log it someplace?

You might also want to let everyone know exactly what you’re trying to
accomplish, you might end up with a better answer.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Hi Scott

You are right, sorry for my last post, here is the new one:

I’m building a system monitor similar to the Process Monitor from Sysinternals. Besides other events I would like to monitor writes to memory mapped files (if a process writes to a file which is mapped to memory). I looked into minispy already and tested it against a simple application which changes the content of a file via CreateFile, CreateFileMapping, MapViewOfFile, but I think it doesn’t log the write event. So my question is what is the right way to log such writes if it’s possible?

Cheers

Hans

> I’m building a system monitor similar to the Process Monitor from
> Sysinternals. Beside other events I would like to monitor writes to memory
> mapped files (if a process writes to a file which is mapped to memory).

First, this is best a question for NTFSD as it is file system filter
related.

Second, the answer is probably a lot more complicated than you’re hoping it
to be :-)

You’ll definitely see the writes come through the FSD, but they arrive as
paging I/O (IRP_PAGING_IO bit set in the IRP flags). This is because the
writing of the data happens in the background and not as a direct result of
the user calling WriteFile.

In order to fully understand this there’s going to be a fair amount of
reading to do. There’s a quick intro here:

http://www.osronline.com/article.cfm?id=34

And chapter five in the Nagar book provides more information:

http://www.amazon.com/Windows-System-Internals-Classic-Reprints/dp/0976717514

Lastly, people writing file system filters typically stumble upon the
implications of memory mapped I/O when they try to filter something opened
with Notepad (since Notepad uses MMIO). So, you can find *lots* of
discussions about monitoring MMIO by doing a Google search for:

site:osronline.com notepad ntfsd

HTH!

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Scott Noone wrote:

>> I’m building a system monitor similar to the Process Monitor from
>> Sysinternals. Beside other events I would like to monitor writes to memory
>> mapped files (if a process writes to a file which is mapped to memory).
>
> You’ll definitely see the writes come through the FSD, but they arrive as
> paging I/O (IRP_PAGING_IO bit set in the IRP flags). This is because the
> writing of the data happens in the background and not as a direct result of
> the user calling WriteFile.

Just in case the OP is not clear about it, allow me to add that there is
absolutely no way to monitor every write to a mapped file’s memory
region. He can certainly monitor when dirty pages are flushed to disk,
but until they get flushed, writes by an application are just normal
writes to memory. No driver is involved.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
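
The two replies above combine into one check in a minifilter's pre-write callback: test the IRP flags and log paging writes, which is when dirty mapped pages actually reach the file. The following is an added example, not code from the thread, from OSR or from minispy; `ClassifyWrite`, `WriteKindName`, `LogPreWrite` and the `WRITE_KIND` values are hypothetical names, and the callback part assumes a WDK driver build where `/kernel` defines `_KERNEL_MODE`.

```c
/* Added example, not from the thread. The classifier builds anywhere; the
 * callback builds only in a WDK driver project (/kernel defines _KERNEL_MODE). */
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else
typedef unsigned int ULONG;                  /* stand-in for the WDK type */
#define IRP_NOCACHE               0x00000001 /* values as in wdm.h */
#define IRP_PAGING_IO             0x00000002
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040
#endif
typedef enum { WriteUserCached, WriteUserNonCached,
               WritePagingAsync, WritePagingSync } WRITE_KIND; /* hypothetical */

/* Dirty pages of a mapped view reach the file system as paging writes.
 * Data from a cached WriteFile is also flushed with IRP_PAGING_IO set, so
 * the flag marks "flushed in the background", not "came from a mapping". */
WRITE_KIND ClassifyWrite(ULONG IrpFlags)
{
    if (IrpFlags & IRP_PAGING_IO)
        return (IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) ? WritePagingSync
                                                      : WritePagingAsync;
    return (IrpFlags & IRP_NOCACHE) ? WriteUserNonCached : WriteUserCached;
}

const char *WriteKindName(WRITE_KIND Kind)
{
    static const char *const Names[] = { "user cached", "user non-cached",
                                         "paging (async)", "paging (sync)" };
    return Names[Kind];
}

#ifdef _KERNEL_MODE
/* Pre-operation callback to register for IRP_MJ_WRITE. Keep it in non-paged
 * code: it runs on the paging I/O path. */
FLT_PREOP_CALLBACK_STATUS
LogPreWrite(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
            PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(FltObjects);
    *CompletionContext = NULL;
    if (FLT_IS_IRP_OPERATION(Data)) {  /* IrpFlags is valid for IRPs only */
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                   "write: %s offset=0x%I64x length=%lu\n",
                   WriteKindName(ClassifyWrite(Data->Iopb->IrpFlags)),
                   Data->Iopb->Parameters.Write.ByteOffset.QuadPart,
                   Data->Iopb->Parameters.Write.Length);
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#endif
```

The logged offset and length describe the pages being flushed, not the individual stores the application made to the view.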