Track CopyFile and MoveFile operation

Hi All,

I am new to file system drivers. I just want to know how to do the following things in NTFSD:

  • Track the CopyFile operation
  • Track the MoveFile operation

Previously I accomplished those things by Win32 API hooking, but for some reasons I want to do it at kernel level.

The main objective for me is just to log the source and destination filenames with full paths for the above operations. Is there any way to do it in NTFSD?

Regards
-Karthi

Have you done any research on the problem? If you don’t know how the file
system works, it will be impossible for you to succeed in your quest. There
is no CopyFile or MoveFile “operation” in the file system driver. There is
a rename operation that can provide some of the semantics of MoveFile but
only within a single volume. This query appears every few weeks, so I guess
you didn’t read the FAQ or search the newsgroup.

wrote in message news:xxxxx@ntfsd…
> Hi All,
>
> I am new to File system driver, Just I want to know the way how to do the
> following things in NTFSD
>
> - Track the CopyFile operation
> - Track the MoveFile operation
>
> Previously I accomplish those things by Win32 API hooking, but for some
> reasons I want to do it in Kernel level.
>
> The main objective for me is just log source and destination filename with
> fullpath for above operations. Is any way to do it in NTFSD?.
>
> Regards
> -Karthi
>

> I am new to File system driver, Just I want to know the way how to do the
> following things in NTFSD
>
> - Track the CopyFile operation
> - Track the MoveFile operation
>
> Previously I accomplish those things by Win32 API hooking, but for some
> reasons I want to do it in Kernel level.

You cannot. Writes to the destination file are not distinguishable from writes,
say, from Word or unzip or so.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Karthik,

Though you have already got some comments from experts, I would like to
add a few things.

For MoveFile, you can probably see how to detect the Rename operation.
You can find a lot of related stuff for this on the OSR website.

For CopyFile, there is no Copy operation as such at kernel level (there is
a series of Read and Write IRPs). Still, if you want to do it, you can
probably apply some heuristics by observing the sequence of IRPs (Read,
Write, Create, Cleanup) and the file size on the source and destination file
with a particular executable (Explorer.exe, cmd.exe etc.).
Although you can never be sure that this will detect the correct
operation in all cases, if carefully designed you can cover many
cases this way.

Regards,
Shreshth

On 4/18/07, Maxim S. Shatskih wrote:
>
> > I am new to File system driver, Just I want to know the way how to do the
> > following things in NTFSD
> >
> > - Track the CopyFile operation
> > - Track the MoveFile operation
> >
> > Previously I accomplish those things by Win32 API hooking, but for some
> > reasons I want to do it in Kernel level.
>
> You cannot. Writes to the destination file are not distinguishable from
> writes, say, from Word or unzip or so.
>
> --
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
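The heuristic Shreshth sketches above, as an added illustration (not code from this thread or from any OSR sample): a small user-mode C model of the event stream a filter would log, which pairs a newly created file at its cleanup with a file opened by the same process whose bytes read equal the bytes written. The event struct, the enum, the PIDs, the paths and the sample events are all constructed here; a real filter would fill them from the IRP major function, the caller's process and the normalized file name.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* Constructed model of one I/O event as a filter would log it: caller PID, operation, path, bytes. */
typedef enum { OP_OPEN_EXISTING, OP_CREATE_NEW, OP_READ, OP_WRITE, OP_CLEANUP } op_t;
typedef struct { uint32_t pid; op_t op; const char *path; uint64_t bytes; } event_t;
typedef struct { uint32_t pid; const char *path; int is_new; uint64_t bytes; int open; } track_t;
#define MAX_FILES 32

/* Heuristic: at cleanup of a newly created file, find a same-PID file whose bytes read equal the bytes written.
 * Returns the number of pairs found; the last pair is written to src/dst. */
int detect_copies(const event_t *ev, int n, const char **src, const char **dst)
{
    track_t t[MAX_FILES]; int nt = 0, found = 0;
    for (int i = 0; i < n; i++) {
        track_t *f = NULL;   /* open handle state for this (pid, path), if any */
        for (int j = 0; j < nt; j++)
            if (t[j].open && t[j].pid == ev[i].pid && !strcmp(t[j].path, ev[i].path)) f = &t[j];
        switch (ev[i].op) {
        case OP_OPEN_EXISTING: case OP_CREATE_NEW:
            if (nt < MAX_FILES) t[nt++] = (track_t){ ev[i].pid, ev[i].path, ev[i].op == OP_CREATE_NEW, 0, 1 };
            break;
        case OP_READ:  if (f && !f->is_new) f->bytes += ev[i].bytes; break;  /* sources are read */
        case OP_WRITE: if (f &&  f->is_new) f->bytes += ev[i].bytes; break;  /* destinations are written */
        case OP_CLEANUP:
            if (f && f->is_new && f->bytes)
                for (int j = 0; j < nt; j++)   /* the source may already be closed, so t[j].open is ignored */
                    if (&t[j] != f && t[j].pid == f->pid && !t[j].is_new && t[j].bytes == f->bytes) {
                        *src = t[j].path; *dst = f->path; found++; break;
                    }
            if (f) f->open = 0;
            break;
        }
    }
    return found;
}

/* Constructed sample: an Explorer-style copy by PID 1234 interleaved with an unrelated write by PID 777. */
static const event_t sample[] = {
    {1234, OP_OPEN_EXISTING, "C:\\src\\report.docx", 0}, {1234, OP_READ, "C:\\src\\report.docx", 4096},
    {1234, OP_READ, "C:\\src\\report.docx", 1024},        {1234, OP_CREATE_NEW, "D:\\bak\\report.docx", 0},
    {1234, OP_WRITE, "D:\\bak\\report.docx", 4096},       {777, OP_CREATE_NEW, "C:\\tmp\\log.txt", 0},
    {777, OP_WRITE, "C:\\tmp\\log.txt", 5120},            {777, OP_CLEANUP, "C:\\tmp\\log.txt", 0},
    {1234, OP_WRITE, "D:\\bak\\report.docx", 1024},       {1234, OP_CLEANUP, "C:\\src\\report.docx", 0},
    {1234, OP_CLEANUP, "D:\\bak\\report.docx", 0},
};
int run_sample(const char **src, const char **dst) { return detect_copies(sample, (int)(sizeof sample / sizeof sample[0]), src, dst); }
int main(void) {   /* prints: copy: C:\src\report.docx -> D:\bak\report.docx */
    const char *s = NULL, *d = NULL;
    if (run_sample(&s, &d)) printf("copy: %s -> %s\n", s, d);
    return 0;
}
```

As Maxim points out, a same-length write from any other tool in the same process would also match, so a hit is a candidate to log with both full paths, not proof that CopyFile was called.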