If I want to moniter ALL the WRITEs to hard disk using file system filter driver,
the following dispatchers are enough or not?
IRP_MJ_CREATE (with some flags)
IRP_MJ_WRITE
IRT_MJ_SET_INFORMATION
IRP_MJ_DEVICE_CONTROL
FastIoWrite
FastIoWriteCompressed
FastIoDeviceControl
No they are not enough IRP_MJ_SET_EA, IRP_MJ_SET_SECURITY, and
IRP_MJ_SET_VOLUME_INFORMATION can all write to the hard disk. The
question is for what you are trying to do would it be better to use a
disk filter than a file system filter?
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“xxxxx@shaw.ca” wrote in message news:xxxxx@ntfsd:
> If I want to moniter ALL the WRITEs to hard disk using file system filter driver,
> the following dispatchers are enough or not?
>
> IRP_MJ_CREATE (with some flags)
> IRP_MJ_WRITE
> IRT_MJ_SET_INFORMATION
> IRP_MJ_DEVICE_CONTROL
> FastIoWrite
> FastIoWriteCompressed
> FastIoDeviceControl
> The question is for what you are trying to do would it be better to use a
disk filter than a file system filter?
+1
Also CLEANUP and CLOSE could cause writes. In fact depending on
implementation anything could cause a write…
> Also CLEANUP and CLOSE could cause writes. In fact depending on
implementation anything could cause a write…
+1
In fact, if the volume is not read only, depending on implementation even
the absence of anything could cause a write …
I only want to know how many files changed in the harddrive (metadata and visible files.)
Do I need to moniter FastIoWrite? I know FastIoWrite will write to cache and set dirty flag. But when cache manager flushs the dirty cache to harddrive later, my FS filter driver will get MJ_IRP_WRITE or not?