Tracking Handles from a filter driver

Hi all,

I am developing a filter driver to monitor file usage. One of the goals of my project is to know when a user has opened a file, and when they subsequently close a file (in user’s terms). For example, I’d like to generate an event when a user opens a file in notepad, then another event when they close the notepad window and thus the file.

My current filter driver sees the events from the file being opened, but I am not seeing events when I close files. I admittedly have some problems with my driver. I am using stream contexts when I now believe I should be using stream handle contexts. But even using ProcMon I do not see events when I close files either. But I recently discovered the command line program Handle that lists all open file handles. This utility is able to determine that the file is still being used by notepad even when I don’t see any further events from ProcMon.

Am I going about things the wrong way? Does closing a file handle generate a mini filter callback?

Thanks for any input!
Joaquin Luna

What have you registered for your callbacks? For user mode handle close
calls, such as CloseHandle(), you would receive an IRP_MJ_CLEANUP
callback in the mini-filter, not an IRP_MJ_CLOSE. And try using FileSpy …

Note that for memory mapped files, a user can close the file handle
backing the memory mapped section but keep the section handle open and
continue to perform IO via memcpy() calls to the mapped view. Thus under
your design a user could open/close a file and continue to modify the file.

Pete

On 7/29/2014 7:17 PM, xxxxx@lenovo.com wrote:



NTFSD is sponsored by OSR



Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
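Pete's memory-mapped caveat, as an added example that is not from the thread: a program closes its only descriptor to a file and then still modifies the file through the mapped view, which is exactly the write a handle-close-based monitor would miss. It uses the POSIX analogue (open/mmap/close/memcpy) of the Windows sequence CreateFile, CreateFileMapping, MapViewOfFile, CloseHandle(file), memcpy, and assumes a writable /tmp; the function name is my own.

```c
/* Added example, not from the thread. Windows analogue: CreateFile ->
 * CreateFileMapping -> MapViewOfFile -> CloseHandle(file) -> memcpy into view. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Creates a temp file, maps it, closes the descriptor, then writes through
 * the view. Returns 1 if the on-disk content reflects the post-close write,
 * 0 if not, -1 on error. A monitor that treats handle close (IRP_MJ_CLEANUP
 * on Windows) as "user is done with the file" reports "closed" too early. */
int write_after_handle_close(void)
{
    char path[] = "/tmp/mapdemo-XXXXXX";      /* constructed temp file */
    const char initial[] = "ORIGINAL-DATA";
    const char late[]    = "MAPPED-WRITE!";   /* same length as initial */
    size_t len = sizeof(initial) - 1;
    char readback[32] = {0};
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, initial, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }
    char *view = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (view == MAP_FAILED) { close(fd); unlink(path); return -1; }

    /* The only descriptor is gone: a handle-tracking filter sees "close" now. */
    close(fd);

    /* ...yet the file is still writable through the mapping. */
    memcpy(view, late, len);
    msync(view, len, MS_SYNC);
    munmap(view, len);  /* the last reference to the file goes away only here */

    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    ssize_t n = read(fd, readback, sizeof(readback) - 1);
    close(fd);
    unlink(path);
    if (n < 0) return -1;
    return strcmp(readback, late) == 0;
}

int main(void)
{
    int r = write_after_handle_close();
    printf("write landed after handle close: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```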