Hello,
I’m writing this minifilter driver and need to find out if somebody accesses a file for read/write or creates a new file.
I have looked at the minispy example, but one issue with that is it seems to me that any file operation creates a bunch of IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_READ, …
So I was wondering is there any other way to detect a file operation type?
If I am reading your question correctly you are asking if there is a simpler way to detect if a file is being accessed for read or write or a new file is created. Bottom line is you have to interpret the calls as the mini-filter gives them to you. The good news is if you are truly just interested in the items mentioned in the first sentence, it is PostCreate, PreRead and PreWrite that you need to support.
Don,
Thanks for the reply. I have looked into IRP_MJ_READ and IRP_MJ_WRITE. But since I’m getting a bunch of these IRP_xx, it’s hard to distinguish whether this is the same file being accessed or a new file.
Basically by looking at the minispy log, it seems to me that I’m getting lots of IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_READ, … And all of them are interleaved.
I was hoping that by looking at IRP_MJ_CREATE, it would tell me if this file is opened for read/write or if it is a new file.
You can see the access permissions on the create, but this does not mean the user will actually access the file that way. If you really want to know if the file is read or written you need to monitor those. Now, minifilters have context structures and if you allocate one on the create, you can then use that in the other functions to record the data you need.
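A user-mode model of the bookkeeping described in the reply above, added here as an example (it is not code from the thread, from minispy, or from any driver): one context is allocated per handle in PostCreate, updated in PreRead/PreWrite, and released in PreCleanup, then replayed over a constructed, interleaved IRP log. The `Event`, `HandleCtx` and `Summary` types, the enum values and the 0x1000/0x2000 file-object values are constructed stand-ins for the real callback-data fields; in a real filter the FILE_OBJECT pointer is what ties a create to its later reads, writes and cleanup, and the Information value in PostCreate is what distinguishes a newly created file from an opened one.

```c
#include <stddef.h>
#include <stdint.h>
enum { OP_CREATE, OP_READ, OP_WRITE, OP_CLEANUP };   /* major functions seen by the filter */
enum { INFO_OPENED = 1, INFO_CREATED = 2 };          /* PostCreate Information, simplified */
enum { ACC_READ = 1, ACC_WRITE = 2 };                 /* DesiredAccess on create, simplified */
/* What a per-handle context would hold, keyed by the FILE_OBJECT of that open. */
typedef struct { uintptr_t file_object; int in_use, was_created, acc; unsigned reads, writes; } HandleCtx;
typedef struct { int op; uintptr_t file_object; int info, acc; } Event;
typedef struct { int new_files_written, write_access_unused, handles_closed; } Summary;
#define MAX_CTX 8
static HandleCtx g_ctx[MAX_CTX];
static HandleCtx *find_ctx(uintptr_t fo) {
    for (int i = 0; i < MAX_CTX; i++) if (g_ctx[i].in_use && g_ctx[i].file_object == fo) return &g_ctx[i];
    return NULL;
}
/* PostCreate: allocate one context per handle; Information says new vs. existing file. */
static void on_create(const Event *e) {
    for (int i = 0; i < MAX_CTX; i++) if (!g_ctx[i].in_use) {
        g_ctx[i] = (HandleCtx){ e->file_object, 1, e->info == INFO_CREATED, e->acc, 0, 0 };
        return;
    }
}
/* Replay an interleaved IRP stream: the file object, not IRP order, ties operations together. */
Summary replay(const Event *ev, size_t n) {
    Summary s = { 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (ev[i].op == OP_CREATE) { on_create(&ev[i]); continue; }
        HandleCtx *c = find_ctx(ev[i].file_object);
        if (!c) continue;                                   /* handle we never saw created */
        if (ev[i].op == OP_READ) c->reads++;
        else if (ev[i].op == OP_WRITE) c->writes++;
        else {                                              /* PreCleanup: last use of the context */
            if (c->was_created && c->writes) s.new_files_written++;
            if ((c->acc & ACC_WRITE) && !c->writes) s.write_access_unused++;
            s.handles_closed++;
            c->in_use = 0;                                  /* release the context here */
        }
    }
    return s;
}
/* Constructed log with two handles interleaved, like the minispy output in the thread. */
Summary sample_replay(void) {
    const Event log[] = {
        { OP_CREATE, 0x1000, INFO_CREATED, ACC_READ | ACC_WRITE },  /* brand-new file */
        { OP_CREATE, 0x2000, INFO_OPENED,  ACC_READ | ACC_WRITE },  /* existing file */
        { OP_READ, 0x2000, 0, 0 }, { OP_WRITE, 0x1000, 0, 0 }, { OP_CLEANUP, 0x2000, 0, 0 },
        { OP_READ, 0x1000, 0, 0 }, { OP_CLEANUP, 0x1000, 0, 0 },
    };
    return replay(log, sizeof log / sizeof log[0]);
}
```

The second handle is opened with write access but never written, which is exactly the gap between the access requested on the create and what the caller actually does.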
Don,
Thanks for your tips. If I allocate a context structure during the IRP_MJ_CREATE, when should I release it? Because it seems to me that even on the simplest file operation (let’s say open a file, read a line and close it), I get several IRP_MJ_CREATE and IRP_MJ_CLOSE. So how would I know when a file operation starts and when it ends?