Can a Filesystem Minifilter see LBA of Write Request

  • Question

  • I need a way to get Windows to tell me where on the hard drive it stores files.

    Can a filesystem minifilter get the LBA where a write request is going to end? I am currently thinking that this is not possible due to the place of the minifilter.

    If it is not possible: can you think of another way of getting a filename of a request and the corresponding logical block addresses?


    • Edited by Tebenur Saturday, November 1, 2014 6:32 PM
    Saturday, November 1, 2014 6:31 PM

Answers

  • You can catch deletes in a mini-filter and get the data before it is deleted, but you have to realize that the second the blocks are free the file system may reuse them. The data otherwise is pretty dynamic, and I guess I am trying to understand how you would use it? You may want to go to http://www.osronline.com and ask on the NTFSD forum for additional ideas, that is where the file system gurus hang out.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Sunday, November 2, 2014 1:28 PM

All replies

  • Well, the question is when are you going to use the LBA. After the file is written or allocated you can get the LBA for the blocks, and since you can determine the offset in the file you can map the offset to the correct LBA. The file name is relatively easy: have the minifilter capture the filename on Create and also handle renames, and store it in a file context for later use.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Saturday, November 1, 2014 6:43 PM
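
The offset-to-LBA mapping described in the reply above, as an added example that is not part of the thread or of any poster's code. It assumes the extent list has the (NextVcn, Lcn) shape that FSCTL_GET_RETRIEVAL_POINTERS returns, an NTFS-style volume where LCN 0 is the volume's first sector, and a known starting byte offset of the volume on the disk; all type and function names are hypothetical and the sample runs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One run of contiguous clusters: covers VCNs [previous next_vcn, next_vcn),
   stored on the volume starting at cluster lcn (lcn == -1: nothing allocated). */
typedef struct { int64_t next_vcn; int64_t lcn; } extent_t;
typedef struct { int64_t starting_vcn; size_t count; const extent_t *extents; } extent_map_t;

typedef struct {
    uint64_t volume_start_bytes;  /* assumption: partition offset on the disk is known */
    uint32_t bytes_per_cluster;
    uint32_t bytes_per_sector;
} volume_geom_t;

#define LBA_UNMAPPED UINT64_MAX   /* sparse hole, or offset outside the extent list */

/* Map a byte offset inside the file to the disk LBA that holds it. */
uint64_t file_offset_to_lba(const extent_map_t *m, const volume_geom_t *g, uint64_t off)
{
    int64_t vcn = (int64_t)(off / g->bytes_per_cluster);
    int64_t run_start = m->starting_vcn;
    if (vcn < run_start) return LBA_UNMAPPED;
    for (size_t i = 0; i < m->count; i++) {
        if (vcn < m->extents[i].next_vcn) {
            if (m->extents[i].lcn < 0) return LBA_UNMAPPED;
            uint64_t lcn = (uint64_t)(m->extents[i].lcn + (vcn - run_start));
            uint64_t vol_byte = lcn * g->bytes_per_cluster + off % g->bytes_per_cluster;
            return (g->volume_start_bytes + vol_byte) / g->bytes_per_sector;
        }
        run_start = m->extents[i].next_vcn;  /* next run begins where this one ended */
    }
    return LBA_UNMAPPED;
}

/* Constructed sample: three runs (the middle one sparse), 4 KiB clusters,
   512-byte sectors, volume starting at sector 2048. */
static const extent_t SAMPLE_RUNS[] = { {4, 1000}, {6, -1}, {10, 5000} };
static const extent_map_t SAMPLE_MAP = { 0, 3, SAMPLE_RUNS };
static const volume_geom_t SAMPLE_GEOM = { 2048ull * 512, 4096, 512 };

int main(void)
{
    const uint64_t offsets[] = { 0, 13312, 16384, 28672 };
    for (size_t i = 0; i < 4; i++) {
        uint64_t lba = file_offset_to_lba(&SAMPLE_MAP, &SAMPLE_GEOM, offsets[i]);
        if (lba == LBA_UNMAPPED) printf("offset %llu: unmapped\n", (unsigned long long)offsets[i]);
        else printf("offset %llu: LBA %llu\n", (unsigned long long)offsets[i], (unsigned long long)lba);
    }
    return 0;
}
```

The result is only valid for the moment the extent list was read: as the accepted answer notes, freed or moved clusters can be reused immediately.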
  • Well, the question is when are you going to use the LBA. After the file is written or allocated you can get the LBA for the blocks, and since you can determine the offset in the file you can map the offset to the correct LBA. The file name is relatively easy: have the mini filter capture the filename on Create and also handle renames, and store it in a file context for later use


    So, if I understand your answer correctly, it is not directly possible to get a list of write requests containing the filename and corresponding LBA on the hard drive? And you would suggest looking up which LBA a file is using after it has been written?

    What I thought of was a filter which could see both pieces of information at once. I wanted to create a "map" of where my files are stored on the disk. I know that there are commands in the defragmentation API which allow me to retrieve the logical block addresses of a file. But I wanted to have a complete list of which files were written in which cluster. Therefore just scanning every file on the disk is not enough, because there could have been files which are already deleted, so my list would be incomplete.

    Sunday, November 2, 2014 1:12 PM