Tracking file instance question

Hello

I would like to track, in my FSFD, file-instance (FileObject) rather than
file-state (FsContext).

User mode: CreateFile() -> Read/Write/Misc() -> CloseHandle()

Should that translate to IRP_MJ_CREATE -> Misc MJs -> IRP_MJ_CLOSE?

I get an FO and that same FO is used till IRP_MJ_CLOSE is issued (after user
mode issues CloseHandle())?

I read that IRP_MJ_CLOSE won’t be issued directly even if the user called
CloseHandle(); is that why I see an IRP_MJ_CREATE but not an immediate
IRP_MJ_CLOSE after the user-mode app closes the handle?

How can I then track file activity for a given file from the moment of its
creation (say CreateFile()) till the moment that the user closes that file
instance (CloseHandle())?

I am interested in tracking instances, as I am aware that there might be
multiple FOs having the same FsContext.

Please advise.


Elias

> User mode: CreateFile() -> Read/Write/Misc() -> CloseHandle()

Usually
IRP_MJ_CREATE
IRP_MJ_READ
IRP_MJ_READ (noncached)
IRP_MJ_WRITE
IRP_MJ_WRITE (noncached)
IRP_MJ_CLEANUP (called after CloseHandle)
IRP_MJ_CLOSE (after the last reference to the file object is removed)

> I read that IRP_MJ_CLOSE won’t be issued directly even if the user called
> CloseHandle(); is that why I see an IRP_MJ_CREATE but not an immediate
> IRP_MJ_CLOSE after the user-mode app closes the handle?

CloseHandle invokes IRP_MJ_CLEANUP. Whether the IRP_MJ_CLOSE
comes depends on whether anyone else (e.g. the Cache Manager or VMM)
holds a reference to the file object. Usually, if you don’t cause the file to
be cached, the IRP_MJ_CLOSE comes directly after CLEANUP.

If you cause data to be loaded into the cache (so if you issue a ReadFile
or WriteFile), the file may stay in the cache quite long (maybe until system
restart, file delete or volume dismount) and it is possible that you do not
receive an IRP_MJ_CLOSE for a long time.

L.
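The sequence Ladislav describes, modelled as an added user-mode C program. This is not code from the thread and not WDK filter code: it is a small model of the object manager's reference counting in which a FILE_OBJECT is kept alive by the user handle plus a modelled cache-manager reference, so CloseHandle() produces IRP_MJ_CLEANUP at once while IRP_MJ_CLOSE arrives only when the last reference drops. Two handles to one file give two FOs that share one FsContext, which is why the "filter" here keys its log on the FILE_OBJECT pointer. All function and field names (nt_create_file, cc_purge_cache, cache_owner, ...) are this example's own, and the "a.txt" input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model of I/O-manager / object-manager behaviour.
 * Not WDK code; the names below are this example's own. */

enum irp_major { IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_CLEANUP, IRP_MJ_CLOSE };

struct file_object;
struct fs_context {                      /* per-stream state, shared by all FOs on it */
    char name[32];
    struct file_object *cache_owner;     /* FO the modelled cache manager references */
};
struct file_object {
    struct fs_context *FsContext;
    int refcount;                        /* user handle + cache-manager reference */
};

#define POOL 8
static struct fs_context  g_streams[POOL]; static int g_nstreams;
static struct file_object g_fos[POOL];     static int g_nfos;
static struct { enum irp_major mj; struct file_object *fo; } g_log[64];
static int g_nlog;

/* The "filter driver": it only records which IRP arrived on which FILE_OBJECT. */
static void filter_dispatch(enum irp_major mj, struct file_object *fo) {
    if (g_nlog < 64) { g_log[g_nlog].mj = mj; g_log[g_nlog].fo = fo; g_nlog++; }
}
/* Count logged IRPs of one major code, for one FO or (fo == NULL) for all FOs. */
int count_events(enum irp_major mj, const struct file_object *fo) {
    int n = 0;
    for (int i = 0; i < g_nlog; i++)
        if (g_log[i].mj == mj && (fo == NULL || g_log[i].fo == fo)) n++;
    return n;
}

/* --- modelled I/O manager / object manager --- */
static struct fs_context *lookup_stream(const char *name) {
    for (int i = 0; i < g_nstreams; i++)
        if (strcmp(g_streams[i].name, name) == 0) return &g_streams[i];
    struct fs_context *s = &g_streams[g_nstreams++];
    strncpy(s->name, name, sizeof s->name - 1);
    s->cache_owner = NULL;
    return s;
}
struct file_object *nt_create_file(const char *name) {   /* CreateFile() */
    struct file_object *fo = &g_fos[g_nfos++];
    fo->FsContext = lookup_stream(name);                 /* same file -> same FsContext */
    fo->refcount = 1;                                    /* the user handle */
    filter_dispatch(IRP_MJ_CREATE, fo);
    return fo;
}
static void ob_dereference(struct file_object *fo) {
    if (--fo->refcount == 0) filter_dispatch(IRP_MJ_CLOSE, fo); /* last reference gone */
}
void nt_read_file(struct file_object *fo) {              /* cached ReadFile() */
    filter_dispatch(IRP_MJ_READ, fo);
    if (fo->FsContext->cache_owner == NULL) {            /* first cached I/O on the stream */
        fo->FsContext->cache_owner = fo;
        fo->refcount++;                                  /* cache manager keeps this FO alive */
    }
}
void nt_close_handle(struct file_object *fo) {           /* CloseHandle() */
    filter_dispatch(IRP_MJ_CLEANUP, fo);                 /* always, and immediately */
    ob_dereference(fo);                                  /* CLOSE only if nobody else holds it */
}
void cc_purge_cache(struct fs_context *s) {              /* e.g. delete or dismount */
    struct file_object *owner = s->cache_owner;
    if (owner) { s->cache_owner = NULL; ob_dereference(owner); }
}

struct scenario_result { int same_fscontext, close_after_first, close_after_second, close_after_purge; };

/* Two handles to one file; the first one reads (and so gets cached), both close. */
struct scenario_result run_scenario(void) {
    struct scenario_result r;
    memset(g_streams, 0, sizeof g_streams); memset(g_fos, 0, sizeof g_fos);
    g_nstreams = g_nfos = g_nlog = 0;
    struct file_object *fo1 = nt_create_file("a.txt");  /* constructed input */
    struct file_object *fo2 = nt_create_file("a.txt");  /* two FOs, one FsContext */
    r.same_fscontext = (fo1 != fo2 && fo1->FsContext == fo2->FsContext);
    nt_read_file(fo1);                                   /* cache manager now references fo1 */
    nt_close_handle(fo1);
    r.close_after_first = count_events(IRP_MJ_CLOSE, fo1);   /* CLEANUP seen, CLOSE deferred */
    nt_close_handle(fo2);
    r.close_after_second = count_events(IRP_MJ_CLOSE, fo2);  /* never cached: CLOSE at once */
    cc_purge_cache(fo1->FsContext);
    r.close_after_purge = count_events(IRP_MJ_CLOSE, fo1);   /* only now does fo1 get CLOSE */
    return r;
}

int main(void) {
    static const char *names[] = { "CREATE", "READ", "CLEANUP", "CLOSE" };
    run_scenario();
    for (int i = 0; i < g_nlog; i++)
        printf("IRP_MJ_%-8s FILE_OBJECT#%ld FsContext=%s\n", names[g_log[i].mj],
               (long)(g_log[i].fo - g_fos), g_log[i].fo->FsContext->name);
    return 0;
}
```

Running it prints the seven IRPs in the order the thread predicts: CREATE, CREATE, READ, CLEANUP (fo1), CLEANUP (fo2), CLOSE (fo2), CLOSE (fo1). The point for a filter that wants per-instance tracking is in the last two lines of the log: the instance the user closed first is the one whose CLOSE comes last, so the end of a user-visible instance is CLEANUP on that FILE_OBJECT, and CLOSE only tells you when the object itself is torn down.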

Thank you.

I’ve been mixing up CLOSE and CLEANUP.

Now tracking CLEANUP helped me to track file instances that are being opened
/ closed by user mode apps.


Elias

“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
>> User mode: CreateFile() -> Read/Write/Misc() -> CloseHandle()
>
> Usually
> IRP_MJ_CREATE
> IRP_MJ_READ
> IRP_MJ_READ (noncached)
> IRP_MJ_WRITE
> IRP_MJ_WRITE (noncached)
> IRP_MJ_CLEANUP (called after CloseHandle)
> IRP_MJ_CLOSE (after the last reference to the file object is removed)
>
>> I read that IRP_MJ_CLOSE won’t be issued directly even if the user called
>> CloseHandle(); is that why I see an IRP_MJ_CREATE but not an immediate
>> IRP_MJ_CLOSE after the user-mode app closes the handle?
>
> CloseHandle invokes IRP_MJ_CLEANUP. Whether the IRP_MJ_CLOSE
> comes depends on whether anyone else (e.g. the Cache Manager or VMM)
> holds a reference to the file object. Usually, if you don’t cause the file
> to be cached, the IRP_MJ_CLOSE comes directly after CLEANUP.
>
> If you cause data to be loaded into the cache (so if you issue a ReadFile
> or WriteFile), the file may stay in the cache quite long (maybe until
> system restart, file delete or volume dismount) and it is possible that you do
> not receive an IRP_MJ_CLOSE for a long time.
>
> L.