> I’d say TxF can be invoked only from user-mode, right?
Then it means, you’d not miss any file opening under the transaction.
Handle of current transaction is stored in TEB at offset 0xFAC
(see ntdll!RtlSetCurrentTransaction), so yes. Sure there’s
a way how to do it in kernel mode but it would probably
be sooo undocumented and I doubt anyone will to that.
L.
“Petr Kurtin” wrote in message news:xxxxx@ntfsd…
>
>> Additional question- If the mini filter driver loads at
>> SERVICE_SYSTEM_START (currently being loaded SERVICE_AUTO_START), can it
>> be guaranteed to not miss any Txf transactions?
>
> I’d say TxF can be invoked only from user-mode, right? Then it means,
> you’d not miss any file opening under the transaction.
Do you need to know when a transaction is first initiated by the user, or
when activity first occurs on the transaction for a given boot? If the
machine did not go down cleanly there may be activity remaining in the Txf
log which will need to be resolved one way or the other. This happens when
the volume is first mounted (for the default RM.) Your filter should have
seen the actions when they were first generated (ie., last boot), but
depending on your scenario and problem, you may need a persistent log to
know that you’ve already seen something.
- M
I don’t think I need to worry about left over transactions. Our process
does full scan after reboot which would account for any roll backs initiated
on boot (from the un-clean shutdown). My concern is any new transactions
after boot and prior to our scan. The scan will not see any active
transacted changes. The filter driver will hopefully see them and keeps
track of them. My concern is that the filter driver might not see all
transacted file changes after boot. Thus if it was aware of the start of a
transaction, it could be sure that any I/O tagged with a transaction had
been accounted for.
It may be I am worried about a non-existent situation.
On 9/25/07, Malcolm Smith wrote:
>
>
> “Petr Kurtin” wrote in message news:xxxxx@ntfsd…
> >
> >> Additional question- If the mini filter driver loads at
> >> SERVICE_SYSTEM_START (currently being loaded SERVICE_AUTO_START), can
> it
> >> be guaranteed to not miss any Txf transactions?
> >
> > I’d say TxF can be invoked only from user-mode, right? Then it means,
> > you’d not miss any file opening under the transaction.
>
> Do you need to know when a transaction is first initiated by the user, or
> when activity first occurs on the transaction for a given boot? If the
> machine did not go down cleanly there may be activity remaining in the Txf
> log which will need to be resolved one way or the other. This happens
> when
> the volume is first mounted (for the default RM.) Your filter should have
> seen the actions when they were first generated (ie., last boot), but
> depending on your scenario and problem, you may need a persistent log to
> know that you’ve already seen something.
>
> - M
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>