In addition to your perf concerns, be aware that off-line modifications won’t get tracked by your filter. Activity performed by certain backup products as well as things like windows recovery console can change file contents in ways that you won’t be able to detect. Depending on your requirements, you should have some way to detect this kind of change as well as tracking the IO via filter
Sent from Surface Pro
From: u_pashi@ua.fm
Sent: Friday, June 13, 2014 3:33 AM
To: Windows File Systems Devs Interest List
I want to track changes in specific file. I can chose as my base:
a) target file name, and check file name in IRP_MJ_CREATE callback, if file is the target file - set flag in stream context. It is easier to check by name, but string name is harder to validate, send from user mode, etc. Also string file name can be changed (file renamed) so i must track renames.
b)target file id (unique fs indefiner) wich looks like mpre reliable. I can check for id by FltQueryInformationFile in IRP_MJ_CREATE post callback, if file is the target - set flag in stream context. ulong id is easier to send, store, validate then string. also it doesn’t change after rename. But using of FltQueryInformationFile is harder (there is different approach with 128 bit file id in ReFs).
I don’t know about perfomance… won’t the system perfomance be degraded if i will query FltQueryInformationFile on every IRP_MJ_CREAT? For me it looks like string dile name is naturaly availible in IRP_MJ_CREATE and don’t sure about file id… What will you advise to use name or id?
NTFSD is sponsored by OSR
OSR is hiring!! Info at http://www.osr.com/careers
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer