moveing

Bedanto · January 4, 2006, 2:01am

using an FSFD, can I find out whether a file is moved. Example in a tool
like filemon, can it be located whether a file was moved from the IRPs?

OSR_Community_User · January 4, 2006, 5:49am

It depends on what you mean by “moved”.

Moving from C:\dir1\file1.txt to C:\dir2\file2.txt is just
IRP_MJ_SET_INFORMATION with FileInformationClass set to
FileRenameInformation.

This is quite different from moving C:\dir1\file1.txt to D:\dir2\file2.txt,
which consists of copying the file to D: and then deleting it from C:.
That’s trickier.

Ken

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bedanto
Sent: Wednesday, January 04, 2006 1:54 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] moveing

using an FSFD, can I find out whether a file is moved. Example in a tool
like filemon, can it be located whether a file was moved from the IRPs?
— Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17 You are currently subscribed to
ntfsd as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email
to xxxxx@lists.osr.com

Bedanto · January 4, 2006, 6:04am

>This is quite different from moving C:\dir1\file1.txt to D:\dir2\file2.txt,

which consists of copying the file to D: and then deleting it from C:.
That’s trickier.

Ken I am referring to the second case, th one quoted above. Is there a way
to tll exactly in the above scenario? if so how?

OSR_Community_User · January 4, 2006, 6:59am

That’s very difficult if not impossible. The typical sequence would be:

Open C:\dir1\file1.txt for reading
Create D:\dir2\file2.txt
Read the first file, writing to the second file
Close both files
Delete the first file

As you can imagine, there are a lot of situations where parts of the above
sequence would be something other than a move. Also, there could be other
sequences that would accomplish the same thing. You’d have to make some
assumptions that may not always be valid.

So the general answer is: No, you can’t do it.

Ken

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bedanto
Sent: Wednesday, January 04, 2006 6:04 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] moveing

This is quite different from moving C:\dir1\file1.txt to D:\dir2\file2.txt,
which consists of copying the file to D: and then deleting it from C:.
That’s trickier.

Ken I am referring to the second case, th one quoted above. Is there a way
to tll exactly in the above scenario? if so how?
— Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17 You are currently subscribed to
ntfsd as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email
to xxxxx@lists.osr.com

amitr0-2 · January 4, 2006, 7:11am

>Ken I am referring to the second case, th one quoted above. Is there a way
to tll exactly in the above scenario? if so how?

Looks pretty difficult. what if the same process creates two threads and one
copies th data and another just creates a file of the same name in a diff
drive and writes something else on it. Your driver might fall for the prank,
and in th process of ‘trying to’ detect a move operation, will give wrong
information