Question about minispy sample from WinDDK

Hi all! I’m very new to driver development and I’m trying to find the place in the driver where I can filter the messages. For example, I need only IRP_MJ_READ messages. Where is the safe place to avoid all messages other than IRP_MJ_READ, to avoid unnecessary copying and buffer usage?

And the second question: why can’t I find any message about pagefile.sys usage? Is it possible to log pagefile.sys access?

If you look in the RegistrationData.c you will see that minispy tracks
all operations. Eliminate everything but CREATE, CLOSE and the
operations you are interested in. On an IRP_MJ_CREATE the flag
SL_OPEN_PAGING_FILE is provided to indicate a paging file.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@gmail.com” wrote in message
news:xxxxx@ntfsd:

> Hi all! I’m very new to driver development and I’m trying to find the place in the driver where I can filter the messages. For example, I need only IRP_MJ_READ messages. Where is the safe place to avoid all messages other than IRP_MJ_READ, to avoid unnecessary copying and buffer usage?
>
> And the second question: why can’t I find any message about pagefile.sys usage? Is it possible to log pagefile.sys access?

> If you look in the RegistrationData.c you will see that minispy tracks
> all operations. Eliminate everything but CREATE, CLOSE and the
> operations you are interested in.

Thank you!

> On an IRP_MJ_CREATE the flag
> SL_OPEN_PAGING_FILE is provided to indicate a paging file.

What about READ and WRITE operations?

You have to track the file based on the CREATE. Use the FLT_STREAM_CONTEXT
to mark that it is the paging file, then you can react to reads and
writes to the file. This is a pretty simple filter to create.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@gmail.com” wrote in message
news:xxxxx@ntfsd:

> > If you look in the RegistrationData.c you will see that minispy tracks
> > all operations. Eliminate everything but CREATE, CLOSE and the
> > operations you are interested in.
>
> Thank you!
>
> > On an IRP_MJ_CREATE the flag
> > SL_OPEN_PAGING_FILE is provided to indicate a paging file.
>
> What about READ and WRITE operations?

> You have to track the file based on the CREATE. Use the FLT_STREAM_CONTEXT
> to mark that it is the paging file, then you can react to reads and
> writes to the file. This is a pretty simple filter to create.

Sorry for a stupid question (but I’m really a newbie in drivers). Should I do this in the same driver on the IRP_MJ_CREATE operation, or should I create a new one to track the page file?

It is all in one driver. Create a FLT_STREAM_CONTEXT with a BOOLEAN
indicating it is the page file, then get the context in the read and
write operations to know you have the file you are interested in.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@gmail.com” wrote in message
news:xxxxx@ntfsd:

> > You have to track the file based on the CREATE. Use the FLT_STREAM_CONTEXT
> > to mark that it is the paging file, then you can react to reads and
> > writes to the file. This is a pretty simple filter to create.
>
> Sorry for a stupid question (but I’m really a newbie in drivers). Should I do this in the same driver on the IRP_MJ_CREATE operation, or should I create a new one to track the page file?

On 1/22/2011 6:14 PM, Don Burn wrote:

> It is all in one driver. Create a FLT_STREAM_CONTEXT with a BOOLEAN
> indicating it is the page file, then get the context in the read and
> write operations to know you have the file you are interested in.

One note, NTFS and FAT do not support per stream contexts on paging
files. To track paging file access on these file systems, you need to
implement the tracking mechanism yourself, the ‘old fashion way’.

Pete

> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
> “xxxxx@gmail.com” wrote in message
> news:xxxxx@ntfsd:
>
>> > You have to track the file based on the CREATE. Use the FLT_STREAM_CONTEXT
>> > to mark that it is the paging file, then you can react to reads and
>> > writes to the file. This is a pretty simple filter to create.
>>
>> Sorry for a stupid question (but I’m really a newbie in drivers). Should I
>> do this in the same driver on the IRP_MJ_CREATE operation, or should I
>> create a new one to track the page file?


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

> One note, NTFS and FAT do not support per stream contexts on paging
> files. To track paging file access on these file systems, you need to
> implement the tracking mechanism yourself, the ‘old fashion way’.

How difficult can it be?
Is there another way to track pagefile usage (in a user mode app)?


Pavel Sokolov

On 1/23/2011 2:12 PM, Pavel Sokolov wrote:

> One note, NTFS and FAT do not support per stream contexts on paging
> files. To track paging file access on these file systems, you need to
> implement the tracking mechanism yourself, the ‘old fashion way’.

> How difficult can it be?
> Is there another way to track pagefile usage (in a user mode app)?

Paging file access cannot be tracked in user mode. How hard is it?
There are several edge cases which under normal file tracking are
difficult to get right, but when tracking the paging file they are not all
that bad.

There is a good article in the Filesystem FAQ on OSR’s site that talks
about tracking in this way and the edge cases you need to handle.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
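To make the two pieces of advice in this thread concrete (register only the operations you care about, and, since NTFS and FAT give paging files no per-stream context, keep your own record of the paging file's FILE_OBJECT from CREATE onward), here is an added example that is not from the thread and not from the WinDDK minispy sample. It is a host-buildable C model of the decision logic rather than a minifilter you can load: the IRP_MJ_* and SL_OPEN_PAGING_FILE values match the WDK headers, while the pf_* functions, the fixed-size tracking table and the treatment of the FILE_OBJECT as an opaque pointer are assumptions of this example. In a real minifilter the create flag is read from Data->Iopb->OperationFlags, the key would be FltObjects->FileObject, and the table would need a lock.

```c
/* Added example: a portable model of "old fashioned" paging-file tracking
 * for a minifilter. Not WDK code; see the lead-in for what is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the WDK (wdm.h / ntifs.h). */
#define IRP_MJ_CREATE        0x00
#define IRP_MJ_CLOSE         0x02
#define IRP_MJ_READ          0x03
#define IRP_MJ_WRITE         0x04
#define IRP_MJ_CLEANUP       0x12
#define SL_OPEN_PAGING_FILE  0x02   /* IrpSp->Flags on IRP_MJ_CREATE */

/* Trimmed equivalent of minispy's FLT_OPERATION_REGISTRATION array in
 * RegistrationData.c: only these majors get callbacks, so nothing else is
 * ever copied into a log record. (Assumption: the set chosen here.) */
static const uint8_t pf_registered_majors[] = {
    IRP_MJ_CREATE, IRP_MJ_CLEANUP, IRP_MJ_CLOSE, IRP_MJ_READ, IRP_MJ_WRITE
};

int pf_is_registered(uint8_t major) {
    for (size_t i = 0; i < sizeof pf_registered_majors; i++)
        if (pf_registered_majors[i] == major) return 1;
    return 0;
}

/* Tracking table: stands in for the per-stream context that NTFS/FAT will
 * not supply for a paging file. Keyed by the FILE_OBJECT address, which is
 * stable from a successful create until IRP_MJ_CLOSE. Single-threaded here;
 * a driver would guard it with a lock. (Size is an assumption.) */
#define PF_MAX_TRACKED 8
static const void *pf_tracked[PF_MAX_TRACKED];

int pf_is_tracked(const void *file_object) {
    for (size_t i = 0; i < PF_MAX_TRACKED; i++)
        if (pf_tracked[i] == file_object) return 1;
    return 0;
}

/* Returns 1 if the object is (now) tracked, 0 if the table is full. */
int pf_track(const void *file_object) {
    if (pf_is_tracked(file_object)) return 1;
    for (size_t i = 0; i < PF_MAX_TRACKED; i++)
        if (pf_tracked[i] == NULL) { pf_tracked[i] = file_object; return 1; }
    return 0;
}

/* Returns 1 if an entry was removed. */
int pf_untrack(const void *file_object) {
    for (size_t i = 0; i < PF_MAX_TRACKED; i++)
        if (pf_tracked[i] == file_object) { pf_tracked[i] = NULL; return 1; }
    return 0;
}

int pf_tracked_count(void) {
    int n = 0;
    for (size_t i = 0; i < PF_MAX_TRACKED; i++) if (pf_tracked[i]) n++;
    return n;
}

/* Pre-create: the I/O manager sets SL_OPEN_PAGING_FILE for paging files. */
int pf_precreate_is_paging_file(uint8_t operation_flags) {
    return (operation_flags & SL_OPEN_PAGING_FILE) != 0;
}

/* Pre + post create folded together: only a *successful* paging-file open
 * is recorded, so a failed create never leaves a stale entry behind. */
int pf_on_create(uint8_t operation_flags, int create_succeeded,
                 const void *file_object) {
    if (!pf_precreate_is_paging_file(operation_flags)) return 0;
    if (!create_succeeded) return 0;
    return pf_track(file_object);
}

/* IRP_MJ_CLOSE means the FILE_OBJECT is going away: drop our record. */
int pf_on_close(const void *file_object) { return pf_untrack(file_object); }

/* The per-operation decision: log only READ/WRITE on a tracked object. */
int pf_should_log(uint8_t major, const void *file_object) {
    if (!pf_is_registered(major)) return 0;
    if (major != IRP_MJ_READ && major != IRP_MJ_WRITE) return 0;
    return pf_is_tracked(file_object);
}

int main(void) {
    /* Constructed stand-ins for two FILE_OBJECTs. */
    char pagefile = 0, other = 0;
    pf_on_create(SL_OPEN_PAGING_FILE, 1, &pagefile);
    pf_on_create(0, 1, &other);
    printf("read on pagefile logged: %d\n", pf_should_log(IRP_MJ_READ, &pagefile));
    printf("read on other file logged: %d\n", pf_should_log(IRP_MJ_READ, &other));
    pf_on_close(&pagefile);
    printf("write after close logged: %d\n", pf_should_log(IRP_MJ_WRITE, &pagefile));
    return 0;
}
```

The shape to keep from this is the lifecycle: classify at CREATE, record only on success, look up on READ/WRITE, and release on CLOSE. The edge cases Pete refers to (the create that fails after the pre-callback, an object seen on READ that was never seen on CREATE because the filter attached late) are exactly the points where a table like this can drift from what the file system knows, which is why the lookup returns 0 rather than guessing for an unknown object.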