No Log entry for Child Partition

I’ve built this sample off WDK 8.1 with configuration set as Windows 8 Debug x64.
I have been able to successfully install it on a Windows 2012 Standard Edition
server where the Hyper-V role is enabled. I can see all file events that the driver supports on the parent partition.
How do I get access to file events on the child partition?
I have a guest VM running Windows 2012 Standard Edition in its own child partition.
E.g., if I create a text document on a volume in the guest VM, I can see some events on the vhdx in the minispy log for this, but I can’t see the actual file name path.

I have read through a few TechEd & Build presentations that essentially say that a minifilter driver will work over Hyper-V also - ISVs just need to make sure that it is tested.

So, considering this, my queries are:
Is it possible to get introspection on file level (for events like file creation / writing / open etc. of a file in a child partition) in a minifilter driver running in the parent partition?
If yes, what level of detail is available and what sort of introspection can happen?

Which sample is fit for the requirement?

Thanks a lot

My understanding is that there is no mechanism available to capture
file level events in the guest (child partition) from a filter installed
on the host (parent partition). To capture the file level events in the
guest you need to have the filter installed in the guest.

Maybe I am not understanding your question though …

Pete

On 1/2/2014 5:22 AM, xxxxx@gmail.com wrote:

I’ve built this sample off WDK 8.1 with configuration set as Windows 8 Debug x64.
I have been able to successfully install it on a Windows 2012 Standard Edition
server where the Hyper-V role is enabled. I can see all file events that the driver supports on the parent partition.
How do I get access to file events on the child partition?
I have a guest VM running Windows 2012 Standard Edition in its own child partition.
E.g., if I create a text document on a volume in the guest VM, I can see some events on the vhdx in the minispy log for this, but I can’t see the actual file name path.

I have read through a few TechEd & Build presentations that essentially say that a minifilter driver will work over Hyper-V also - ISVs just need to make sure that it is tested.

So, considering this, my queries are:
Is it possible to get introspection on file level (for events like file creation / writing / open etc. of a file in a child partition) in a minifilter driver running in the parent partition?
If yes, what level of detail is available and what sort of introspection can happen?

Which sample is fit for the requirement?

Thanks a lot


NTFSD is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

No, you’ll just see read/write operations to the VHD. The child speaks to
the VHD as if it’s a disk, so by the time you see the I/O on the parent it’s
just disk I/O.

-scott
OSR

scott,

If we filter the write that happened to the VHD file, then is it possible to get the modified file offset and length using the minispy filter?

If yes, please point me to any samples to retrieve the file offset and length.

You would need to know the internals of the file system in the guest
which issued this write to the underlying storage. But using the
mini-spy filter on the host OS and seeing the write to the VHD you
cannot unravel this information very easily, if at all.

Pete

On 1/5/2014 11:41 PM, xxxxx@gmail.com wrote:

scott,

If we filter the write that happened to the VHD file, then is it possible to get the modified file offset and length using the minispy filter?

If yes, please point me to any samples to retrieve the file offset and length.



If it is just for testing purposes, VMware ESX has hooks which give you information about file information within the guest (VShield). You may want to try that. Obviously they will have a filter driver running inside the host.