USB Minifilter driver

Gabor_Kokai · November 30, 2006, 4:56am

Hy Everybody,

I am developing a filesystem minifilter driver which logs all writing operations. My problem is that I can’t filter those operations which really write to the disk. My driver lists all writing operations such as paging io, caching etc. (This problem is more common when I am writing to a USB device.) How could I decide if a writing operation is really writing to the disk not somewhere else?

OSR_Community_User · November 30, 2006, 5:34am

> How could I decide if a writing operation is really writing to the disk

not somewhere else?

IRP_NOCACHE in the IRP Flags

L.

OSR_Community_User · November 30, 2006, 3:57pm

>operation is really writing to the disk not somewhere else?

IRP_NONCACHED_IO

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Gabor_Kokai · December 1, 2006, 4:42am

Thanx for the quick answer! I tried to filter the writing operations (IRP_MJ_WRITE) with this flag, but there were a lot of real write operations (which wrote to the disk), which IRPFlags didn’t contain the IRP_NOCACHE. Any other idea?
Thanx in advance!

OSR_Community_User · December 1, 2006, 7:12am

FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO

xxxxx@freemail.hu wrote:

Thanx for the quick answer! I tried to filter the writing operations (IRP_MJ_WRITE) with this flag, but there were a lot of real write operations (which wrote to the disk), which IRPFlags didn’t contain the IRP_NOCACHE. Any other idea?
Thanx in advance!

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Gabor_Kokai · December 5, 2006, 8:39am

I’ve tried to filter with FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO. It worked almost good, but there were other write operations too, that were not real writing operations (but less than unfiltered). Another problem with this method is that the FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO filters the fast I/O operations (but it isn’t problem when I filter USB operations). Is it possible to make a more detailed filter?

OSR_Community_User · December 6, 2006, 7:26am

xxxxx@freemail.hu wrote:

I’ve tried to filter with FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO. It worked almost good, but there were other write operations too, that were not real writing operations (but less than unfiltered). Another problem with this method is that the FLTFL_OPERATION_REGISTRATION_SKIP_CACHED_IO filters the fast I/O operations (but it isn’t problem when I filter USB operations). Is it possible to make a more detailed filter?

A little tired here… Your terminology of ‘not real writing operations’
is a little confusing. I looked back to your original post and you said,
“My driver lists all writing operations such as paging IO, caching” so I
assume your wanting to && the above flag with
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO to kill all the paging and
caching IO.

In the docs I’m using, these flags are kinda ‘tucked’ away and hard too
find… Is this what your looking too do?

Gabor_Kokai · December 6, 2006, 10:46am

Almost If I && them it could be good if I’m using FAT file system but if I’m using NTFS there are other operations. How could I get the type of the file system which is involved in the operation?
Anyway thanx for the quick answers!

David_Beaver · December 6, 2006, 12:36pm

Sigh. Search the list archives. Go to the MSDN docs and look for GetVolumeInformation() or the IRP_MJ_GET_VOLUME_INFORMATION IRP (FILE_FS_ATTRIBUTE_INFORMATION). If you’re doing a filter, look for the FltRegisterFilter() API and the FltInstanceSetup callback (PFLT_INSTANCE_SETUP_CALLBACK) instance.

Be aware that there are filesystems other than FAT and NTFS in which you might be interested in the future (EXFAT, UDF, third party file systems like ours…). Also be aware that the file system can lie to the GetVolumeInformation() call and tell you it’s something it’s not. We do this so that we can use many of the Windows utilities (DFS, LDM, etc.) which assume NTFS capabilities without querying for anything but the file system name (they ignore the capabilities list returned by the call).

…dave

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@freemail.hu
Sent: Wednesday, December 06, 2006 7:46 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] USB Minifilter driver

Almost If I && them it could be good if I’m using FAT file system but if I’m using NTFS there are other operations. How could I get the type of the file system which is involved in the operation?
Anyway thanx for the quick answers!

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@exmsft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

David_Beaver · December 6, 2006, 12:50pm

Doh!

Try IRP_MJ_QUERY_VOLUME_INFORMATION, not IRP_MJ_GET_VOLUME_INFORMATION.

…dave

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David Beaver
Sent: Wednesday, December 06, 2006 9:36 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] USB Minifilter driver

Sigh. Search the list archives. Go to the MSDN docs and look for GetVolumeInformation() or the IRP_MJ_GET_VOLUME_INFORMATION IRP (FILE_FS_ATTRIBUTE_INFORMATION). If you’re doing a filter, look for the FltRegisterFilter() API and the FltInstanceSetup callback (PFLT_INSTANCE_SETUP_CALLBACK) instance.

Be aware that there are filesystems other than FAT and NTFS in which you might be interested in the future (EXFAT, UDF, third party file systems like ours…). Also be aware that the file system can lie to the GetVolumeInformation() call and tell you it’s something it’s not. We do this so that we can use many of the Windows utilities (DFS, LDM, etc.) which assume NTFS capabilities without querying for anything but the file system name (they ignore the capabilities list returned by the call).

…dave

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@freemail.hu
Sent: Wednesday, December 06, 2006 7:46 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] USB Minifilter driver

Almost If I && them it could be good if I’m using FAT file system but if I’m using NTFS there are other operations. How could I get the type of the file system which is involved in the operation?
Anyway thanx for the quick answers!

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@exmsft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Gabor_Kokai · December 7, 2006, 10:03am

Works perfect :-)))
Thanx for everybody!!!