From: Allan on 5 Apr 2008 22:17

I need to monitor a particular file if the same file handle is being used to write data to it.
Is it possible to hook the file system to get information like these?
Is there ready made software that does this?

File        File Handle  Event
Config.ini  1            File Opened
Config.ini  1            File Append Data
Config.ini  1            File Append Data
Config.ini  1            File Append Data
Config.ini  1            File Closed

From: Maxim S. Shatskih on 5 Apr 2008 07:25

FILEMON

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim(a)storagecraft.com
http://www.storagecraft.com

"Allan" <mmress(a)hotmail.com> wrote in message news:uJGDe6wlIHA.4684(a)TK2MSFTNGP06.phx.gbl...
> I need to monitor a particular file if the same file handle is being used to write data to it.
> Is it possible to hook the file system to get information like these?
> Is there ready made software that does this?
>
> File        File Handle  Event
> Config.ini  1            File Opened
> Config.ini  1            File Append Data
> Config.ini  1            File Append Data
> Config.ini  1            File Append Data
> Config.ini  1            File Closed

From: Allan on 5 Apr 2008 23:17

Thanks! I had just got the answer too.

Ok. I had found the solution.
There is no need to track the file handle for my case.
I just need to track the event to "File Open" to the Config.ini file, and track a corresponding "File Close" event. I would be able to tell the same handle had written data to the Config.ini file.

There is a ready made software File Monitor or Process Monitor.

http://technet.microsoft.com/en-us/sysinternals/bb545046.aspx

// File Open
8:10:06 PM Project1.exe:1856 C:\gb\file.txt Options: OverwriteIf Access: 00120196
8:10:06 PM Project1.exe:1856 C:\gb\ Options: Open Directory Access: 00100000

// File Write Data
8:10:11 PM Project1.exe:1856 Msimtf.dll Attributes: A
8:10:11 PM Project1.exe:1856 Msimtf.dll Options: Open Access: 00100020
8:10:11 PM Project1.exe:1856 Msimtf.dll Length: 159232
8:10:11 PM Project1.exe:1856 Msimtf.dll
8:10:11 PM Project1.exe:1856 Msimtf.dll
8:10:11 PM Project1.exe:1856 Msimtf.dll Attributes: A
8:10:11 PM Project1.exe:1856 Msimtf.dll Options: Open Access: 00100020
8:10:11 PM Project1.exe:1856 Msimtf.dll Length: 159232
8:10:11 PM Project1.exe:1856 Msimtf.dll
8:10:11 PM Project1.exe:1856 Msimtf.dll

// File Close
8:10:16 PM Project1.exe:1856 C:\gb\file.txt Offset: 0 Length: 5
8:10:16 PM Project1.exe:1856 C:\gb\file.txt
8:10:16 PM Project1.exe:1856 C:
8:10:16 PM Project1.exe:1856 C:\gb\file.txt

"Maxim S. Shatskih" <maxim(a)storagecraft.com> wrote in message news:e9DjI$wlIHA.5268(a)TK2MSFTNGP05.phx.gbl...
> FILEMON
>
> --
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> maxim(a)storagecraft.com
> http://www.storagecraft.com
>
> "Allan" <mmress(a)hotmail.com> wrote in message
> news:uJGDe6wlIHA.4684(a)TK2MSFTNGP06.phx.gbl...
>> I need to monitor a particular file if the same file handle is being used to write data to it.
>> Is it possible to hook the file system to get information like these?
>> Is there ready made software that does this?
>>
>> File        File Handle  Event
>> Config.ini  1            File Opened
>> Config.ini  1            File Append Data
>> Config.ini  1            File Append Data
>> Config.ini  1            File Append Data
>> Config.ini  1            File Closed

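The open/write/close pairing described in the post above, as an added example that is not part of the original thread: it runs over a Process Monitor CSV export, with the column and operation names Process Monitor writes and constructed sample rows. The export carries no handle value, so each write is attributed to the process's most recent open of the path, which is an assumption of this sketch.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in Process Monitor's CSV export layout (not data from the thread).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:10:06 PM","Project1.exe","1856","CreateFile","C:\gb\Config.ini","SUCCESS","Desired Access: Generic Write"
"8:10:11 PM","Project1.exe","1856","WriteFile","C:\gb\Config.ini","SUCCESS","Offset: 0, Length: 5"
"8:10:11 PM","Project1.exe","1856","WriteFile","C:\gb\other.txt","SUCCESS","Offset: 0, Length: 9"
"8:10:12 PM","Project1.exe","1856","WriteFile","C:\gb\Config.ini","SUCCESS","Offset: 5, Length: 7"
"8:10:16 PM","Project1.exe","1856","CloseFile","C:\gb\Config.ini","SUCCESS",""
"8:10:20 PM","notepad.exe","2044","CreateFile","C:\gb\config.ini","SUCCESS","Desired Access: Generic Read"
"8:10:21 PM","notepad.exe","2044","CloseFile","C:\gb\config.ini","SUCCESS",""
"8:10:30 PM","Project1.exe","1856","CreateFile","C:\gb\Config.ini","ACCESS DENIED","Desired Access: Generic Write"
"8:10:40 PM","svc.exe","900","CreateFile","C:\gb\Config.ini","SUCCESS","Desired Access: Generic Write"
"8:10:41 PM","svc.exe","900","WriteFile","C:\gb\Config.ini","SUCCESS","Offset: 0, Length: 3"
'''

def write_sessions(csv_text, target):
    """Pair each successful open of `target` with its close and the writes between."""
    open_stack = defaultdict(list)   # PID -> sessions still open (no handle in the export)
    sessions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # NTFS paths are case-insensitive; failed operations never produced a handle.
        if row["Path"].lower() != target.lower() or row["Result"] != "SUCCESS":
            continue
        pid, op = row["PID"], row["Operation"]
        if op == "CreateFile":
            s = {"process": row["Process Name"], "pid": pid, "opened": row["Time of Day"],
                 "closed": None, "writes": 0, "bytes": 0}
            open_stack[pid].append(s)
            sessions.append(s)
        elif op == "WriteFile" and open_stack[pid]:
            s = open_stack[pid][-1]          # attribute to the most recent open
            m = re.search(r"Length: ([\d,]+)", row["Detail"])
            s["writes"] += 1
            s["bytes"] += int(m.group(1).replace(",", "")) if m else 0
        elif op == "CloseFile" and open_stack[pid]:
            open_stack[pid].pop()["closed"] = row["Time of Day"]
    return sessions

def writers(csv_text, target):
    """Sessions that actually modified the file; closed=None means still open."""
    return [s for s in write_sessions(csv_text, target) if s["writes"]]

if __name__ == "__main__":
    for s in writers(SAMPLE_CSV, r"C:\gb\Config.ini"):
        print(s)
```

A session with `closed` set to `None` is a writer that still held the file open when the capture ended.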
From: doskey on 7 Apr 2008 03:02

On Apr 6, 11:17 am, "Allan" <mmr...(a)hotmail.com> wrote:
> Thanks! I had just got the answer too.
>
> Ok. I had found the solution.
> There is no need to track the file handle for my case.
> I just need to track the event to "File Open" to the Config.ini file, and
> track a corresponding "File Close" event. I would be able to tell the same
> handle had written data to the Config.ini file.
>
> There is a ready made software File Monitor or Process Monitor.
>
> http://technet.microsoft.com/en-us/sysinternals/bb545046.aspx
>
> // File Open
> 8:10:06 PM Project1.exe:1856 C:\gb\file.txt Options: OverwriteIf Access: 00120196
> 8:10:06 PM Project1.exe:1856 C:\gb\ Options: Open Directory Access: 00100000
>
> // File Write Data
> 8:10:11 PM Project1.exe:1856 Msimtf.dll Attributes: A
> 8:10:11 PM Project1.exe:1856 Msimtf.dll Options: Open Access: 00100020
> 8:10:11 PM Project1.exe:1856 Msimtf.dll Length: 159232
> 8:10:11 PM Project1.exe:1856 Msimtf.dll
> 8:10:11 PM Project1.exe:1856 Msimtf.dll
> 8:10:11 PM Project1.exe:1856 Msimtf.dll Attributes: A
> 8:10:11 PM Project1.exe:1856 Msimtf.dll Options: Open Access: 00100020
> 8:10:11 PM Project1.exe:1856 Msimtf.dll Length: 159232
> 8:10:11 PM Project1.exe:1856 Msimtf.dll
> 8:10:11 PM Project1.exe:1856 Msimtf.dll
>
> // File Close
> 8:10:16 PM Project1.exe:1856 C:\gb\file.txt Offset: 0 Length: 5
> 8:10:16 PM Project1.exe:1856 C:\gb\file.txt
> 8:10:16 PM Project1.exe:1856 C:
> 8:10:16 PM Project1.exe:1856 C:\gb\file.txt
>
> "Maxim S. Shatskih" <ma...(a)storagecraft.com> wrote in message news:e9DjI$wlIHA.5268(a)TK2MSFTNGP05.phx.gbl...
>
> > FILEMON
> >
> > --
> > Maxim Shatskih, Windows DDK MVP
> > StorageCraft Corporation
> > ma...(a)storagecraft.com
> > http://www.storagecraft.com
> >
> > "Allan" <mmr...(a)hotmail.com> wrote in message
> > news:uJGDe6wlIHA.4684(a)TK2MSFTNGP06.phx.gbl...
> >> I need to monitor a particular file if the same file handle is being used to write data to it.
> >> Is it possible to hook the file system to get information like these?
> >> Is there ready made software that does this?
> >>
> >> File        File Handle  Event
> >> Config.ini  1            File Opened
> >> Config.ini  1            File Append Data
> >> Config.ini  1            File Append Data
> >> Config.ini  1            File Append Data
> >> Config.ini  1            File Closed

I think you don't need FSD filter or minifilter driver.
You maybe need a SSDT hook driver.
You can hook some native API such as NtCreateFile, NtWriteFile and NtReadFile.
I think it can do this case. :)

From: Maxim S. Shatskih on 7 Apr 2008 06:29

> I think you don't need FSD filter or minifilter driver.
> You maybe need a SSDT hook driver.

Will not work on x64 Vista/2008, also note that NtReadFile hook will not catch paging IO.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim(a)storagecraft.com
http://www.storagecraft.com