mount/unmount volume

Hello,

I am writing a file system filter driver to monitor I/O
activity. Following are the objectives:

  • Monitor mounting/unmounting of CD, floppy device,
    mapped drives and network activity as well as local file
    system activity.

The filter driver that I have written is based on filemon.
Right now to get the mount/unmount calls I have just
added code for IRP_MN_MOUNT_VOLUME and
IRP_MN_UNMOUNT_VOLUME. But this is what I have
observed.

  • I get many IRP_MN_MOUNT_VOLUME for the system
    drive.
  • No corresponding IRP_MN_UNMOUNT_VOLUME are
    obtained. In fact I don’t get any
    IRP_MN_UNMOUNT_VOLUME call.
  • I receive no call when a drive is mapped.
  • I get a call when a floppy is accessed, i.e. when I access
    a file. Not when I just insert the floppy in the drive.
  • No call is received for CD-ROM.
  • I do receive a call for subst command.

Could someone please guide me as to what
modifications I need to make in filemon so that I will get
mount and unmount calls for removable devices as well
as mapped drives.

Thanks,
Regards,
Deena

Deena,

There is no IRP_MN_UNMOUNT_VOLUME call. There is an IRP_MN_VERIFY_VOLUME
operation, but that applies specifically to removable media devices (versus
removable devices - those operations arrive as plug and play operations.)

The normal dismount sequence (all
IRP_MJ_FILE_SYSTEM_CONTROL/IRP_MN_USER_FS_REQUEST) is either
FSCTL_LOCK_VOLUME, FSCTL_DISMOUNT_VOLUME, FSCTL_UNLOCK_VOLUME or just simply
FSCTL_DISMOUNT_VOLUME (the latter being a “forced” or “unclean” dismount).

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: deena [mailto:xxxxx@indiatimes.com]
Sent: Thursday, May 08, 2003 8:55 AM
To: File Systems Developers
Subject: [ntfsd] mount/unmount volume

Hello,

I am writing a file system filter driver to monitor I/O
activity. Following are the objectives:

  • Monitor mounting/unmounting of CD, floppy device,
    mapped drives and network activity as well as local file
    system activity.

The filter driver that I have written is based on filemon.
Right now to get the mount/unmount calls I have just
added code for IRP_MN_MOUNT_VOLUME and
IRP_MN_UNMOUNT_VOLUME. But this is what I have
observed.

  • I get many IRP_MN_MOUNT_VOLUME for the system
    drive.
  • No corresponding IRP_MN_UNMOUNT_VOLUME are
    obtained. In fact I don’t get any
    IRP_MN_UNMOUNT_VOLUME call.
  • I receive no call when a drive is mapped.
  • I get a call when a floppy is accessed, i.e. when I access
    a file. Not when I just insert the floppy in the drive.
  • No call is received for CD-ROM.
  • I do receive a call for subst command.

Could someone please guide me as to what
modifications I need to make in filemon so that I will get
mount and unmount calls for removable devices as well
as mapped drives.

Thanks,
Regards,
Deena


There is no such thing as IRP_MN_UNMOUNT_VOLUME, it is
FSCTL_DISMOUNT_VOLUME sent to IRP_MJ_FILE_SYSTEM_CONTROL.

Also Filemon is an unreliable way of writing FSFs, SFILTER provided by
MS is much better.

> I receive no call when a drive is mapped

Network redirector requires another kind of filter, absolutely
another.

Max

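The dismount sequence described in the two replies above (Tony's and Max's), as an added example that is not part of the original thread and is not code from filemon or sfilter: a user-mode C model of how a filter's IRP_MJ_FILE_SYSTEM_CONTROL handling could tell a clean dismount from a forced one. The constant values are those defined in the WDK headers; `vol_event`, `vol_state` and `classify` are hypothetical names, and the model assumes every request succeeds.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the WDK headers. */
#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
#define IRP_MN_USER_FS_REQUEST     0x00
#define IRP_MN_MOUNT_VOLUME        0x01
#define IRP_MN_VERIFY_VOLUME       0x02
#define FSCTL_LOCK_VOLUME          0x00090018u
#define FSCTL_UNLOCK_VOLUME        0x0009001Cu
#define FSCTL_DISMOUNT_VOLUME      0x00090020u

/* Hypothetical names from here on: a model of the filter's bookkeeping. */
typedef enum { EV_NONE, EV_MOUNT, EV_VERIFY, EV_LOCK, EV_UNLOCK,
               EV_CLEAN_DISMOUNT, EV_FORCED_DISMOUNT } vol_event;
typedef struct { int locked; } vol_state;      /* one per filtered volume */

/* major/minor come from the IRP stack location, fsctl from FsControlCode.
 * Assumption: every request succeeds; a real filter would update the
 * state in its completion routine, after checking the final status. */
vol_event classify(vol_state *v, uint8_t major, uint8_t minor, uint32_t fsctl)
{
    if (major != IRP_MJ_FILE_SYSTEM_CONTROL) return EV_NONE;
    switch (minor) {
    case IRP_MN_MOUNT_VOLUME:  v->locked = 0; return EV_MOUNT;
    case IRP_MN_VERIFY_VOLUME: return EV_VERIFY;   /* removable media only */
    case IRP_MN_USER_FS_REQUEST:
        switch (fsctl) {
        case FSCTL_LOCK_VOLUME:   v->locked = 1; return EV_LOCK;
        case FSCTL_UNLOCK_VOLUME: v->locked = 0; return EV_UNLOCK;
        case FSCTL_DISMOUNT_VOLUME:   /* no preceding lock => forced */
            return v->locked ? EV_CLEAN_DISMOUNT : EV_FORCED_DISMOUNT;
        }
        break;
    }
    return EV_NONE;
}

int main(void)
{
    /* Constructed sample: lock, dismount, unlock on one volume. */
    const uint32_t seq[] = { FSCTL_LOCK_VOLUME, FSCTL_DISMOUNT_VOLUME,
                             FSCTL_UNLOCK_VOLUME };
    vol_state v = { 0 };
    for (unsigned i = 0; i < sizeof seq / sizeof seq[0]; i++)
        printf("0x%08x -> event %d\n", (unsigned)seq[i],
               classify(&v, IRP_MJ_FILE_SYSTEM_CONTROL,
                        IRP_MN_USER_FS_REQUEST, seq[i]));
    return 0;
}
```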

Thanks… and it's just by mistake that I wrote IRP_MN_UNMOUNT_VOLUME…
Now I did study sfilter available in the IFS kit… I tried to study it by
just putting DbgPrints in the mount and unmount IRPs… and then tried
subst command to create a virtual drive but got no output… Could you
please guide me as to how I should start with sfilter…
Thanks…
Regards,
Deena

> please guide me as to how i should start with sfilter…

Read the source, then ask questions here.

Max