Watching File Access

Hi,

We need to monitor what document files each currently running application has open. So we need to monitor what .doc files Word has open, what .pdf files Acrobat Reader has open. For that we are using a file system filter driver. We have licensed the IFS Kit and I was testing with the FileSpy sample. I also tested FileMonitor from Sysinternals and FileSpy from OSR. All these options look great and work fine for me. I have some questions regarding modifying these samples to be more efficient.

  1. Is it safe to just log IRP calls (IRP_MJ_CREATE in particular) and leave out FastIo and FilterOp calls so we have less log to examine?

  2. To monitor network files, I am filtering LanmanRedirector. What other redirectors should I filter?

  3. Since we do not need to know the names of the .dll, .exe, .ico, .ttf etc. files loaded by a process, we want to filter these files out of the log. We tried doing it at user level but we want to do it in the driver. This is because if a user opens, say, 5 .doc files at the same time we get a lot of “out of buffer” errors. FileSpy from OSR was also having the same problem. So we do not want to log these types of files in the driver itself. So, to do this:
    a) What set of string functions should I use to get the extension from the file path and compare it with .dll or .exe?
    b) How will it affect performance?
    c) Is it safe to do? Somewhere in the comments I read that we might be at dispatch level.

I am new to driver development and also do not have any chance to attend OSR seminars as they do not conduct them in India :frowning: … I would really appreciate it if somebody could provide any clues.

Thanks in advance
Ashish

You can download the FileSpy tool from the downloads section
at http://www.osronline.com. It is a GUI tool, using the modified
FileSpy driver from the IFS Kit.

  • It is able to exclude all or particular FastIO calls from the log
  • It is able to filter requests by the process
  • It is able to include/exclude certain paths
  • It is able to monitor non-MS redirectors (like Netware redirector)
  • You may interactively increment the number of buffers so you
    will not receive the “Out of buffers” error.

----- Original Message -----
From: Ashish
To: Windows File Systems Devs Interest List
Sent: Tuesday, April 05, 2005 7:31 AM
Subject: [ntfsd] Watching File Access

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

I use it, I like it :slight_smile:

I know and I tried this tool, but as I mentioned below, I want to do it in the driver. I guess FileSpy does this filtering in the GUI application. Even if I increase the limit, I still have a risk that at some point that buffer might be insufficient. So I want to optimize the driver to not log DLL and EXE names.

Can I do this in the driver itself…
----- Original Message -----
From: Ladislav Zezula
To: Windows File Systems Devs Interest List
Sent: Tuesday, April 05, 2005 11:18 AM
Subject: Re: [ntfsd] Watching File Access

> I guess FileSpy does this filtering in the GUI application

Yes. I wanted to keep FileSpy as original as possible.

> Can I do this in the driver itself…

Of course you can. You have to find a good place to check the name
against a wildcard pattern and, if necessary, exclude it.

L.
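The exclusion check discussed in question 3 of the original post and in the reply above (match the file name against a wildcard pattern inside the driver and drop the entry), as an added example that is not part of this thread, of FileSpy or of the IFS Kit. It is written as a stand-alone user-mode C program so it builds without ntifs.h: `CountedStr` stands in for the kernel's UNICODE_STRING (a counted buffer, not NUL-terminated), the ASCII-only `up()` stands in for RtlUpcaseUnicodeChar, and `glob_match` stands in for FsRtlIsNameInExpression (which, with IgnoreCase set, expects an upcased expression). The exclusion list and the sample paths are constructed; in a filter the name would come from the IRP_MJ_CREATE path.

```c
/* Added example (not from the thread, FileSpy or the IFS Kit): exclude a create
 * from the log when its file name matches a wildcard pattern such as "*.dll".
 * User-mode C so it builds without ntifs.h; the kernel stand-ins are marked. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <uchar.h>

/* Stand-in for UNICODE_STRING: Length is in BYTES and Buffer is a counted view,
 * not a NUL-terminated string, so wcslen/wcsrchr must never be used on it. */
typedef struct {
    unsigned short  Length;
    unsigned short  MaximumLength;
    const char16_t *Buffer;
} CountedStr;

static size_t cs_chars(const CountedStr *s) { return s->Length / sizeof(char16_t); }

/* Build a CountedStr view over a NUL-terminated literal (test convenience only). */
static CountedStr cs_from(const char16_t *lit) {
    size_t n = 0;
    while (lit[n] != 0) n++;
    CountedStr s;
    s.Length = s.MaximumLength = (unsigned short)(n * sizeof(char16_t));
    s.Buffer = lit;
    return s;
}

/* ASCII case fold; a driver would call RtlUpcaseUnicodeChar for the full repertoire. */
static char16_t up(char16_t c) { return (c >= u'a' && c <= u'z') ? (char16_t)(c - 32) : c; }

/* View of the final path component with any NTFS stream suffix removed:
 * "\dir\Report.doc:Zone.Identifier" -> "Report.doc".  Matching the whole path
 * instead would let "x.dll:$DATA" slip past "*.dll", and a pattern written as
 * "*.dll*" would fire on a directory named "share.dll".  No allocation: the result
 * points into the caller's buffer. */
static CountedStr final_component(const CountedStr *path) {
    size_t n = cs_chars(path), start = 0, end = n;
    for (size_t i = 0; i < n; i++)
        if (path->Buffer[i] == u'\\') start = i + 1;
    for (size_t i = start; i < n; i++)
        if (path->Buffer[i] == u':') { end = i; break; }
    CountedStr c;
    c.Length = c.MaximumLength = (unsigned short)((end - start) * sizeof(char16_t));
    c.Buffer = path->Buffer + start;
    return c;
}

/* Case-insensitive '*' / '?' matcher on counted strings.  Iterative (backtracks to
 * the most recent '*'), so no recursion and no pool use; stands in for
 * FsRtlIsNameInExpression, which with IgnoreCase set wants an upcased expression. */
static bool glob_match(const char16_t *pat, size_t plen, const char16_t *s, size_t slen) {
    size_t p = 0, i = 0, star_p = (size_t)-1, star_i = 0;
    while (i < slen) {
        if (p < plen && (pat[p] == u'?' || up(pat[p]) == up(s[i]))) { p++; i++; }
        else if (p < plen && pat[p] == u'*') { star_p = p++; star_i = i; }
        else if (star_p != (size_t)-1) { p = star_p + 1; i = ++star_i; }
        else return false;
    }
    while (p < plen && pat[p] == u'*') p++;
    return p == plen;
}

/* Constructed exclusion list: the loader/shell noise the thread wants out of the log. */
static const char16_t *const kExcluded[] = { u"*.dll", u"*.exe", u"*.ico", u"*.ttf" };

/* true: drop this IRP_MJ_CREATE from the log; false: record it. */
static bool should_exclude(const CountedStr *path) {
    CountedStr name = final_component(path);
    for (size_t k = 0; k < sizeof kExcluded / sizeof kExcluded[0]; k++) {
        CountedStr pat = cs_from(kExcluded[k]);
        if (glob_match(pat.Buffer, cs_chars(&pat), name.Buffer, cs_chars(&name)))
            return true;
    }
    return false;
}

/* Convenience wrapper over a literal path. */
static bool exclude_path(const char16_t *lit) {
    CountedStr s = cs_from(lit);
    return should_exclude(&s);
}

int main(void) {
    /* Constructed sample names in the volume-relative form a filter sees them. */
    static const char16_t *const samples[] = {
        u"\\Program Files\\Office\\WINWORD.EXE",         /* excluded */
        u"\\Windows\\System32\\kernel32.dll:$DATA",      /* excluded: stream suffix ignored */
        u"\\Users\\ashish\\Report.doc",                  /* logged */
        u"\\Users\\ashish\\Report.doc:Zone.Identifier",  /* logged: still a .doc open */
        u"\\share.dll\\quarterly.pdf",                   /* logged: a directory named like a DLL */
        u"\\Users\\ashish\\notes",                       /* logged: no extension */
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        printf("%-8s ", exclude_path(samples[k]) ? "EXCLUDE" : "LOG");
        for (const char16_t *c = samples[k]; *c; c++) putchar(*c < 128 ? (char)*c : '?');
        putchar('\n');
    }
    return 0;
}
```

The routine reads only the name buffer and the pattern table and calls nothing else, so the IRQL question from 3c reduces to whether those two buffers are resident when the check runs. Note also that this is an exclusion list: it shrinks the log but says nothing about what the remaining files are, and a renamed binary is not caught by its extension. If the goal is only .doc and .pdf opens, an include list of document extensions bounds the log size regardless of what else the process touches.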

The other question which was missed is:
Is it safe to just watch for IRP_MJ_CREATE messages if I just want to know the file path a process is opening?
----- Original Message -----
From: Ladislav Zezula
To: Windows File Systems Devs Interest List
Sent: Thursday, April 07, 2005 12:53 PM
Subject: Re: [ntfsd] Watching File Access

> Is it safe to just watch for IRP_MJ_CREATE messages if I just want to know the file path a process is opening?

If I understand your question well, then yes.

L.