Hello all -
I am developing a file system monitoring minifilter driver. It is apparent that certain operations to a file (e.g. write, set security, etc) cause the FILE_ATTRIBUTE_ARCHIVE bit to be set automatically (i.e. not in a separate operation) if it was initially cleared. There are other operations that do not (set information, etc). This appears to happen underneath the filter I have. Does anyone know if there is a definitive list of operations that will cause this behavior on FAT and NTFS file systems, or other documentation that describes this behavior in detail? I’ve searched far and wide, and cannot find one.
One post on this site suggested looking at fastfat to see how this happens. Any information to further enlighten me on this subject would be greatly appreciated.
Thanks!
Well fastfat is sample fat file system driver included in IFS KIT or WDK.
You could search the souces for eg FILE_ATTRIBUTE_ARCHIVE. If I remember
correct fastfat sets the archive bit whenever the data stream has been
changed; dont trust me on this I’d assume I dont remember correct 
wrote in message news:xxxxx@ntfsd…
> Hello all -
>
> I am developing a file system monitoring minifilter driver. It is
> apparent that certain operations to a file (e.g. write, set security, etc)
> cause the FILE_ATTRIBUTE_ARCHIVE bit to be set automatically (i.e. not in
> a separate operation) if it was initially cleared. There are other
> operations that do not (set information, etc). This appears to happen
> underneath the filter I have. Does anyone know if there is a definitive
> list of operations that will cause this behavior on FAT and NTFS file
> systems, or other documentation that describes this behavior in detail?
> I’ve searched far and wide, and cannot find one.
>
> One post on this site suggested looking at fastfat to see how this
> happens. Any information to further enlighten me on this subject would be
> greatly appreciated.
>
> Thanks!
> - Andy
>
Thanks Lyndon - I appreciate the response. Fastfat is a good example of one implementation of this bit being set. Does anyone know if there is a definitive list of when this bit is changed? My observations seem to indicate that if either the data itself changes, or the security descriptor (NTFS) changes, the Archive bit is automatically set. Other changes like basic attributes (read-only, hidden, etc) do not seem to set the archive bit automatically. I’m just trying to make sure my monitoring driver acts appropriately in all cases without having to incur the overhead of obtaining the attributes again after each operation to test if it cahnged. Thanks again! - Andy
There is no definitive list; each file system implements its own set of
rules and those rules change over time.
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Thank you Tony - I appreciate your reply.