03 Aug 18 12:32
Can Read and Write IRPs come before IOCTL_VOLUME_ONLINE to a volume
You do not need to filter ONLINE, and you surely do not need to filter any
sort of MOUNT IRPs in the file system. You can do everything you need in
the volume filter. Your tracking should start when you receive the first
write to the volume.
On Fri, Aug 3, 2018 at 7:07 AM email@example.com <
> I need to start tracking the write IRPs happening on the volume. To do
> that I thought of starting my tracking once I receive IOCTL_VOLUME_ONLINE
> to that volume.
> Can Read and Write IRPs come before IOCTL_VOLUME_ONLINE to a volume?
> Or should I rely on IRP_MN_MOUNT_VOLUME?
> Basically, should I start tracking once I receive IRP_MN_MOUNT_VOLUME?
> Which one is more reliable?
> I remember I saw somewhere where people have mentioned that they have seen
> Read IRPs before IOCTL_VOLUME_ONLINE.
Disrupting the establishment since 1964
*This is a personal email account and as such, emails are not subject to
archiving. Nothing else really matters.*
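The rule in the reply (arm tracking at the first write, and treat ONLINE, mount and reads that arrive earlier as irrelevant) as an added user-mode C model; this is not WDM driver code from the thread, the major-function and IOCTL constants are placeholder values rather than the ntddk.h definitions, and the device extension, dispatch routine and IRP sequence are constructed for illustration. The model also shows the compare-and-swap that keeps two concurrent first writes from arming tracking twice.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
/* Placeholder stand-ins for the WDM major-function codes and the volume IOCTL
   (constructed values, not the ntddk.h definitions). */
enum irp_major { IRP_MJ_READ = 3, IRP_MJ_WRITE = 4, IRP_MJ_DEVICE_CONTROL = 14 };
#define IOCTL_VOLUME_ONLINE_STUB 0x1001u
struct irp { enum irp_major major; unsigned ioctl; };

/* Hypothetical per-volume device extension kept by the filter. */
struct volume_ext {
    atomic_bool  tracking;        /* armed once, by whichever thread sees the first write */
    atomic_ulong tracked_writes;  /* writes recorded after tracking began */
    atomic_ulong ignored_before;  /* reads/IOCTLs that arrived before the first write */
};

/* The rule from the reply: tracking starts at the first IRP_MJ_WRITE, whatever
   came before it. Returns true when the IRP was recorded as a tracked write. */
bool filter_dispatch(struct volume_ext *v, const struct irp *irp)
{
    if (irp->major == IRP_MJ_WRITE) {
        bool expected = false;
        /* compare-and-swap: concurrent first writes arm tracking exactly once */
        atomic_compare_exchange_strong(&v->tracking, &expected, true);
        atomic_fetch_add(&v->tracked_writes, 1);
        return true;
    }
    if (!atomic_load(&v->tracking))
        atomic_fetch_add(&v->ignored_before, 1);  /* ONLINE/reads are not a trigger */
    return false;
}

struct replay_result { unsigned long tracked_writes, ignored_before; };

/* Replay a constructed sequence in which a read and IOCTL_VOLUME_ONLINE reach
   the volume before its first write, the ordering the question asked about. */
struct replay_result replay_example(void)
{
    static const struct irp seq[] = {
        { IRP_MJ_READ, 0 }, { IRP_MJ_DEVICE_CONTROL, IOCTL_VOLUME_ONLINE_STUB },
        { IRP_MJ_WRITE, 0 }, { IRP_MJ_READ, 0 }, { IRP_MJ_WRITE, 0 },
    };
    struct volume_ext v = { false, 0, 0 };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        filter_dispatch(&v, &seq[i]);
    return (struct replay_result){ atomic_load(&v.tracked_writes), atomic_load(&v.ignored_before) };
}

int main(void)
{
    struct replay_result r = replay_example();
    printf("tracked writes=%lu, IRPs before first write=%lu\n", r.tracked_writes, r.ignored_before);
    return 0;
}
```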