How to catch VSS events from kernel level?

Hi all,

I am writing a filter driver that must buffer a log of all write events to the file system and then periodically flush it to disk.
My question is: what should I do so that I don't miss buffered data if a snapshot event is started?
Maybe I can somehow catch VSS events and flush my data to the disk before it?

Thanks a lot for your answers!

IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES

After this IOCTL flows through the filter (it is documented for the purpose of filtering), no writes will arrive between the FSD lower edge and the VolSnap upper edge until the snapshot creation.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com


Thank you a lot for your advice, Maxim. It works well.
But do you know why I get IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES twice in each of the pre and post callbacks? I investigated the PIDs and they are different.

For example:

PreDeviceIOControlCallback: pid = 25c
PostDeviceIOControlCallback: pid = 25c
PreDeviceIOControlCallback: pid = 25c
PostDeviceIOControlCallback: pid = 4

Besides, this PID is not equal to the PID of the program that requested VSS, which I can see in procmon, for example. I took into consideration the fact that the PID appears in different numbering systems in procmon and in the result of PsGetCurrentProcessId().
Is it ok?

up!

The problem is that I catch IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES twice. I have supposed that one comes to the driver and the other is for the partition itself. Maybe someone knows how to distinguish between them?
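
Added example, not code from the thread or its participants: a user-mode C model of the decision a filter makes in its pre-operation callback for the IOCTL named in the reply, flushing the buffered write log before the request continues and treating a repeat arrival of the same IOCTL as a no-op. The `write_log` structure and the function names are hypothetical, and `flush_log` is a stand-in for the driver's real write to disk.

```c
#include <stdint.h>
#include <stddef.h>

/* Same bit layout as the WDK CTL_CODE macro; the VolSnap values mirror ntifs.h. */
#define CTL(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))
#define VOLSNAPCONTROLTYPE 0x53u /* 'S' */
/* METHOD_BUFFERED = 0, FILE_READ_ACCESS | FILE_WRITE_ACCESS = 3 */
#define IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES CTL(VOLSNAPCONTROLTYPE, 0, 0, 3)

#define LOG_CAPACITY 64

/* Hypothetical in-memory write log kept by the filter. */
typedef struct {
    uint64_t offsets[LOG_CAPACITY];
    size_t   pending;     /* records buffered, not yet on disk */
    size_t   persisted;   /* records the flush routine has written */
    unsigned flush_calls; /* flushes that actually had work to do */
} write_log;

/* Record one write; returns 0 on success, -1 if the buffer is full. */
int log_write(write_log *log, uint64_t offset)
{
    if (log->pending == LOG_CAPACITY)
        return -1;
    log->offsets[log->pending++] = offset;
    return 0;
}

/* Stand-in for the driver's real flush-to-disk routine. */
static size_t flush_log(write_log *log)
{
    size_t n = log->pending;
    if (n == 0)
        return 0;               /* repeat IOCTL: nothing left to write */
    log->persisted += n;
    log->pending = 0;
    log->flush_calls++;
    return n;
}

/* Call from the pre-operation callback for IRP_MJ_DEVICE_CONTROL with the
 * request's IoControlCode. Returns the number of records flushed. */
size_t on_pre_device_control(write_log *log, uint32_t io_control_code)
{
    if (io_control_code != IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES)
        return 0;               /* unrelated IOCTL: keep buffering */
    return flush_log(log);      /* finish before passing the IOCTL down */
}
```

Because the flush is idempotent, the model does not need to tell the two arrivals described above apart: the first one empties the log and the second finds nothing pending.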