MiniSpy output

Hello,

I have finally managed to get minispy working and its output is really flying.

In the output I get:

IRP 00001C02 20:03:38:681 20:03:38:691 1860.1950 IRP_MJ_CREATE
00000884 --S- F8DC45A0 00000000:00000001
\Device\HarddiskVolume1\WINDOWS\system32\msasn1.dll

(0xF8A0C8D8,0x01000040,0x00070080,0x00000000,0x00000000,0x0)

I was wondering if it is possible to find out which pid (process) has
made this filesystem call. What do the hex values in the last
parentheses mean?

I am basically interested in monitoring filesystem accesses made by a
particular pid and wanted to know if it is possible to use minispy for
that?

Really appreciate the help!

thanks,

Ronak

If I were you, I would have asked the question (where is it getting printed
out from?). Is it the user mode exe you are exercising? Please
look at that code first! That would tell you what all those
hex vals are.

The next thing to look at, if you want to know the pid, is at what point
the messages are being collected on the driver side, and whether there is any
possibility that it is executing in an arbitrary thd. If not, then you can
grab the thd id etc., make room in the message structure for it,
populate it in the driver, and retrieve it in the user pgm that you are exercising …

-pro

----- Original Message -----
From: “Ronak Sutaria”
To: “Windows File Systems Devs Interest List”
Cc:
Sent: Wednesday, May 18, 2005 5:16 PM
Subject: [ntfsd] MiniSpy output




> I was wondering if it is possible to find out which pid (process) has
> made this filesystem call.

The modified version of FileSpy, which is available at OSR,
can do this. If you are just looking for a tool that does it, you can get
FileSpy.

If you need to implement it, then FileSpy's data structure
sent to user mode already contains the process ID and
thread ID. I haven't seen minispy yet, but it might be there too.

  • Do as Prokash Sinha advised and look at the source code;
    this is what it is for :)

L.
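To make the two questions in this thread concrete (where the process id sits in the output, and what the six hex values on an IRP_MJ_CREATE line are), here is an added example in plain C; it is not part of the thread and not code from the MiniSpy sample. It assumes that the `1860.1950` column is MiniSpy's Process.Thrd pair printed in hex, and that the six values in parentheses are Argument1..Argument6 of the IRP's parameter block, which for IRP_MJ_CREATE follow the FLT_PARAMETERS.Create layout (security context pointer, Options, FileAttributes/ShareAccess packed in one slot, EaLength, EaBuffer, AllocationSize).

```c
#include <stdio.h>
#include <string.h>

/* One decoded MiniSpy IRP_MJ_CREATE record; Arg meanings assume the FLT_PARAMETERS.Create layout. */
typedef struct {
    unsigned long pid, tid;             /* "Process.Thrd" column, both hex */
    unsigned long status, information;  /* "status:inform" column (0:1 = STATUS_SUCCESS, FILE_OPENED) */
    unsigned long disposition;          /* Arg2 >> 24: FILE_OPEN = 1, FILE_CREATE = 2, FILE_OPEN_IF = 3 ... */
    unsigned long create_options;       /* Arg2 & 0xFFFFFF: FILE_NON_DIRECTORY_FILE = 0x40 ... */
    unsigned long file_attributes;      /* low 16 bits of Arg3: FILE_ATTRIBUTE_NORMAL = 0x80 */
    unsigned long share_access;         /* high 16 bits of Arg3: FILE_SHARE_READ|WRITE|DELETE = 0x7 */
    char path[260];
} create_record_t;

/* Parse one MiniSpy record printed on a single line (paths containing spaces are not
 * handled). Returns 1 for an IRP_MJ_CREATE record, 0 for any other or malformed line. */
int parse_minispy_create(const char *line, create_record_t *r)
{
    char major[32];
    unsigned long a[6];   /* Arg1..Arg6 from the trailing parentheses */
    int n = sscanf(line,
        "IRP %*x %*s %*s %lx.%lx %31s %*x %*s %*x %lx:%lx %259s (%lx,%lx,%lx,%lx,%lx,%lx)",
        &r->pid, &r->tid, major, &r->status, &r->information, r->path,
        &a[0], &a[1], &a[2], &a[3], &a[4], &a[5]);
    if (n != 12 || strcmp(major, "IRP_MJ_CREATE") != 0)
        return 0;
    /* Arg1 is the IO_SECURITY_CONTEXT pointer, Arg4/Arg5 the EA length/buffer, Arg6 the allocation size. */
    r->disposition     = a[1] >> 24;
    r->create_options  = a[1] & 0x00FFFFFFUL;
    r->file_attributes = a[2] & 0xFFFFUL;
    r->share_access    = (a[2] >> 16) & 0xFFFFUL;
    return 1;
}

/* Count successful (status 0) creates by one process over an array of MiniSpy lines: the per-pid filter asked for. */
int count_creates_by_pid(const char *const *lines, int nlines, unsigned long pid)
{
    create_record_t r;
    int i, count = 0;
    for (i = 0; i < nlines; i++)
        if (parse_minispy_create(lines[i], &r) && r.pid == pid && r.status == 0)
            count++;
    return count;
}

/* Constructed sample: the line from the thread plus one made-up failed open (STATUS_OBJECT_NAME_NOT_FOUND). */
static const char *const SAMPLE_LOG[] = {
    "IRP 00001C02 20:03:38:681 20:03:38:691 1860.1950 IRP_MJ_CREATE 00000884 --S- F8DC45A0 00000000:00000001 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\msasn1.dll (0xF8A0C8D8,0x01000040,0x00070080,0x00000000,0x00000000,0x0)",
    "IRP 00001C03 20:03:38:702 20:03:38:705 1FF0.1FF4 IRP_MJ_CREATE 00000884 --S- F8DC4700 C0000034:00000000 \\Device\\HarddiskVolume1\\WINDOWS\\missing.dll (0xF8A0C8D8,0x01000040,0x00070080,0x00000000,0x00000000,0x0)",
};
```

Applied to the line in the thread, this reads as process 0x1860 / thread 0x1950 doing a FILE_OPEN with FILE_NON_DIRECTORY_FILE, FILE_ATTRIBUTE_NORMAL, full sharing, and the result FILE_OPENED.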