Volume filter driver not monitoring some system files

  • Question

  • Hi,

    I am working on an upper volume filter driver that monitors writes/modifications on a sector and then sets the respective bits of that sector in my own bitmap. I am using the diskperf example that is provided in the WDK as a base.

    Mostly all the writes/modifications on a sector are monitored and the respective bits are set. My problem is that my filter driver is not able to monitor certain sectors,
    e.g. $MFT, $MFTMirr, etc.

    But it's able to track the sector of $LogFile.
    Can anyone suggest what I should do so that my filter driver can track all the sectors, including system file sectors like $MFT and such files?

    Any kind of help will be appreciated. Thanks in advance.
    Friday, November 29, 2013 2:41 PM

All replies

  • Is this a file system filter or a volume filter?  If it is dealing with files, go ask the question on the NTFSD list.  I do know that $MFT and some other files are special, so this may be the problem.  If it is a volume filter then it should be just blocks you are dealing with, and there should not be a problem.

    Don Burn Windows Filesystem and Driver Consulting

    Friday, November 29, 2013 2:43 PM
  • Hi,

    Yes, it is an upper volume filter driver and I am dealing with blocks and sectors.
    I tested many times but the block and sector of $MFT files were missing every time.
    Friday, November 29, 2013 2:45 PM
  • Hi,

    Thanks for the reply.

    Can anyone please tell what kind of attributes or flags need to be set to handle all types of write IO?

    • Edited by Chrish08 Saturday, November 30, 2013 1:39 PM
    Saturday, November 30, 2013 1:39 PM
  • Can anyone provide me proper guidance to solve my problem?

    Any kind of help will be appreciated.

    Tuesday, December 3, 2013 2:15 PM
  • Yes, I did get some replies, but my problem is not yet resolved. So, I'm hoping for a solution from here.

    Wednesday, December 4, 2013 7:51 AM
  • Tell us: is your problem related to a fragmented disk/volume, so you are not able to get all the sectors in your bitmap?

    Saturday, December 21, 2013 10:09 AM