none
Question about FileSystem DeviceDriver RRS feed

  • Question

  • Hello,
    I need to write a device driver that hooks up FileSystem activities. if the file was created or deleted, I would be informed by the driver. Is there anything possible? Can anybody suggest regarding this ?

    -Mrutyunjaya

    Wednesday, July 18, 2018 8:51 AM

Answers

All replies

  • You don't need any driver for this. Read on using the change journal.

    -- pa

    Wednesday, July 18, 2018 10:50 AM
  • Pavel is correct, but if you need to do more, take a look at the FileSpy sample of a mini-filter.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, July 18, 2018 2:22 PM
  • Could you please tell me, what are the scenarios where can I consider of mini-filter driver.

    -Mrutyunjaya

    Thursday, July 19, 2018 7:01 AM
  • The change log is fine if you just want to see the creates and deletes after the fact.   If you have a need for interacting with the actions, for example stopping creating of some files, you would need a mini-filter.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, July 19, 2018 10:43 AM
  • What about detecting file copy/move operation. How can I achieve this ?

    -Mrutyunjaya

    Thursday, July 19, 2018 11:39 AM
  • First, file moves come in two approaches, one is a rename of a file to another location on the same physical volume.  When the new location is on a different volume the action becomes a copy and a delete of the original file.  The problem is that a copy is not a single operation, but instead is a set of reads of the original and writes to the new file.   Even this is a simplification, since there are variation on how this is done, for example an application that processes a specific file type (for example a word processor) is doing a copy if you then save the file to another location, but the sequence of I/O primitive operations may be totally different than the Windows Shell doing a copy.   If you dealing with a security application, things get worse because there are all kinds of approaches that have been used to bypass copy blockers.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, July 19, 2018 12:03 PM