I need to monitor file write actions using a minifilter.
I found that some additional write actions and set-file-length actions appear in my log. The SYSTEM process did them, but they are not ordinary PAGE_IO.
I have a test program. It calls the system API CreateFileW with the NoBuffering flag. I can see some unknown write actions and unknown SetInformation actions (SetEndOfFile) in my log. These actions were not called by my program; the SYSTEM called them.
Although the write actions do not affect the user’s files, they affect me.
My question is: why does SYSTEM still do some extra writes and Set Length on files that I accessed with the NoBuffering flag? And how can I prevent SYSTEM from doing that?
This is to make the cache coherent with the disk. You have just asked to
see the file not using the cache. Therefore in order to guarantee that what
you see is correct any first cache content has to be flushed to disk. The
SetLength is to do with maintaining VDL.
I have a user mode program which needs to write data to some files. The user may also read and write these files. I need to distinguish the write actions my program does from those the users do.
I am sure that the files I am writing were opened with the FILE_FLAG_NO_BUFFERING flag. But my SetFilePointer and SetEndOfFile use another HANDLE that was not opened with FILE_FLAG_NO_BUFFERING (in order to set the real length).
Now I do not know which write actions are mine. And I need to distinguish them exactly in my minifilter.
I’d say the easiest way to do this is to use a StreamHandle context to tag your file. Then in each preOp you can do a FltGetStreamHandleContext() to figure out if it’s your file…
It seems this might give a limited lifetime solution, because, if I
remember correctly, streams were one of the features deprecated in WinFS.
joe
Yes, I can use the StreamHandle context. But the situation is:
I created a new file with FILE_FLAG_NO_BUFFERING.
I wrote the file, opened with FILE_FLAG_NO_BUFFERING.
I set the file length, opened without No Buffering.
Wait a few seconds.
The user created another new file in the same folder.
After the user created his new file, I can see the system process write my file and set the length of my file. I am sure the user did not use my file before.
This does not occur every time, but it does sometimes.
If the user and I write the same file (that is very possible), it would be very difficult to distinguish the actions.
The additional actions of the system would make me unable to identify the real operations of the user.
I’m afraid you are confusing alternate data streams with stream contexts. Stream contexts do not depend on ADS and I don’t think there are any plans to deprecate them.
Not necessarily. StreamHandles are associated with a specific FILE_OBJECT. So other opens for the same file or stream should not impact your context. Of course there are cases where some component in the system (or maybe some other filter) will hang on to your FILE_OBJECT or use it for their own ends, but that's a different issue.
I am sorry, I found I made a mistake.
After investigating my data, the system process did not perform a write action by itself. Some program read and wrote my files. That confused me.
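The StreamHandle-context suggestion earlier in the thread, sketched as a user-mode C model; this is an added example, not code from any poster and not a real minifilter. All type and function names are hypothetical stand-ins for FILE_OBJECT, a context attached with FltSetStreamHandleContext, and the checks a pre-write callback would make, and the PIDs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical user-mode stand-ins for FILE_OBJECT, a stream handle context
   and the fields a pre-write callback inspects (paging_io ~ IRP_PAGING_IO). */
typedef struct { bool tagged; } handle_ctx;
typedef struct { int stream_id; handle_ctx *ctx; } file_object;
typedef struct { file_object *fo; unsigned pid; bool paging_io; } write_op;
typedef enum { ORIGIN_MONITOR = 1, ORIGIN_OTHER = 2, ORIGIN_CACHE_FLUSH = 3 } origin;

/* Post-create: tag only opens issued by the monitoring process. The tag
   lives on this one open, not on the file, so other opens stay untagged.
   As with FLT_SET_CONTEXT_KEEP_IF_EXISTS, an existing context is kept. */
static bool tag_on_create(file_object *fo, handle_ctx *ctx,
                          unsigned opener_pid, unsigned monitor_pid) {
    if (opener_pid != monitor_pid || fo->ctx != NULL) return false;
    ctx->tagged = true;
    fo->ctx = ctx;
    return true;
}

/* Pre-write: paging writes are cache writeback and are not attributed to
   any open, even a tagged one; other writes are decided by the tag lookup. */
static origin classify_write(const write_op *op) {
    if (op->paging_io) return ORIGIN_CACHE_FLUSH;
    if (op->fo->ctx != NULL && op->fo->ctx->tagged) return ORIGIN_MONITOR;
    return ORIGIN_OTHER;
}

/* Constructed scenario from the thread: the monitor's unbuffered open, its
   second buffered open used to set the length, and a user open of the same
   file. Returns the three classifications packed as decimal digits. */
static int run_scenario(void) {
    enum { MONITOR_PID = 1000, USER_PID = 2000, SYSTEM_PID = 4 };
    handle_ctx c1 = {0}, c2 = {0}, c3 = {0};
    file_object unbuffered = {7, NULL}, buffered = {7, NULL}, user = {7, NULL};
    tag_on_create(&unbuffered, &c1, MONITOR_PID, MONITOR_PID);
    tag_on_create(&buffered, &c2, MONITOR_PID, MONITOR_PID);
    tag_on_create(&user, &c3, USER_PID, MONITOR_PID);      /* stays untagged */

    write_op mine   = {&unbuffered, MONITOR_PID, false};
    write_op theirs = {&user, USER_PID, false};
    write_op flush  = {&buffered, SYSTEM_PID, true};       /* writeback on a tagged open */
    return classify_write(&mine) * 100 + classify_write(&theirs) * 10
         + classify_write(&flush);
}
```

The third write shows why the tag alone is not enough: a paging write can arrive on a tagged open, so the model checks the paging flag before the tag.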