Tracking user-visible file operations

Hi,

Does anyone have experience with tracking user-visible file-operations
in the filter driver?

I mean I want to log actions like create, delete, rename, modified,
change permissions, change ACLs, add stream, delete stream, add
extended attributes, delete extended attributes etc.

Now most of these operations translate to one or more IRPs, which
means you have to carry a lot of state to track down such operations.
What is the recommended way to perform this task? Filter drivers or
some directory notification code in user mode? :)

Thanks

> I mean I want to log actions like create, delete, rename, modified,
> change permissions, change ACLs, add stream, delete stream, add
> extended attributes, delete extended attributes etc.

Do you know of Filemon or FileSpy?

L.

Suggestion: Get the IFS Kit.

Yes, I have done this in several filter drivers.

Essentially, you are on the right track. You will need to carry the state of
each open file stream (FCB/SCB) and each open FileObject. It also depends on
the granularity of data you desire. One might be able to use the USN change
journal (NTFS only) for this if you don’t care about where or what data is
written, or files that hardly ever get closed.

As Lyndon said – Get the IFS Kit (or OSR FDDK) for sound examples.

/ted

-----Original Message-----
From: NTFSD-List [mailto:xxxxx@gmail.com]
Sent: Friday, June 24, 2005 8:35 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Tracking user-visible file operations

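Added example, not part of the thread and not any poster's code: a user-mode C simulation of the per-stream state tracking described in the reply above, showing why a delete or modify can only be reported once the handle count and pending flags are known. The event names, structures and trace are constructed stand-ins for what a filter would observe, and the dirty flag is kept per stream as a simplification.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for what a filter observes; hypothetical names, not WDK types. */
enum ev {
    EV_CREATE_NEW,   /* IRP_MJ_CREATE completed with FILE_CREATED */
    EV_OPEN,         /* IRP_MJ_CREATE completed with FILE_OPENED */
    EV_WRITE,        /* IRP_MJ_WRITE */
    EV_SET_DELETE,   /* IRP_MJ_SET_INFORMATION, FileDispositionInformation, DeleteFile=TRUE */
    EV_CLEAR_DELETE, /* same request with DeleteFile=FALSE */
    EV_CLEANUP       /* IRP_MJ_CLEANUP: a handle was closed */
};
struct event { enum ev type; int stream; };            /* stream = index of the FCB/SCB */
struct stream_state { int handles, dirty, delete_pending; };
#define MAX_STREAMS 4

/* Replay a trace and append one "op:stream " token per user-visible operation. */
static void track(const struct event *tr, int n, char *out, size_t cap) {
    struct stream_state st[MAX_STREAMS] = {{0, 0, 0}};
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (tr[i].stream < 0 || tr[i].stream >= MAX_STREAMS) continue;
        struct stream_state *s = &st[tr[i].stream];
        const char *op = NULL;
        switch (tr[i].type) {
        case EV_CREATE_NEW:   s->handles++; op = "create"; break;
        case EV_OPEN:         s->handles++; break;
        case EV_WRITE:        s->dirty = 1; break;            /* many writes, one "modify" */
        case EV_SET_DELETE:   s->delete_pending = 1; break;   /* nothing is deleted yet */
        case EV_CLEAR_DELETE: s->delete_pending = 0; break;
        case EV_CLEANUP:
            if (s->handles > 0) s->handles--;
            if (s->handles == 0 && s->delete_pending) { op = "delete"; memset(s, 0, sizeof *s); }
            else if (s->dirty) { op = "modify"; s->dirty = 0; }
            break;
        }
        if (op) snprintf(out + strlen(out), cap - strlen(out), "%s:%d ", op, tr[i].stream);
    }
}
/* Constructed trace: stream 0 is written, stream 1 deleted via two handles, stream 2 un-deleted. */
static void demo_trace(char *out, size_t cap) {
    static const struct event tr[] = {
        {EV_CREATE_NEW, 0}, {EV_WRITE, 0}, {EV_WRITE, 0}, {EV_CLEANUP, 0},
        {EV_OPEN, 1}, {EV_OPEN, 1}, {EV_SET_DELETE, 1}, {EV_CLEANUP, 1}, {EV_CLEANUP, 1},
        {EV_OPEN, 2}, {EV_SET_DELETE, 2}, {EV_CLEAR_DELETE, 2}, {EV_CLEANUP, 2},
    };
    track(tr, (int)(sizeof tr / sizeof tr[0]), out, cap);
}
int main(void) { char b[128]; demo_trace(b, sizeof b); puts(b); return 0; }
```

Thirteen low-level events collapse into three logged operations; the delete on stream 1 is reported only at the second cleanup, and stream 2 produces nothing because the disposition was cleared before close.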