Filter driver question & determine calling app/process?
Posted by David on November 5th, 2003


Assuming the filter driver is installed on a physical drive:

1) Can a filter driver for a physical hard drive be dynamically
loaded/unloaded?

2) How could I tell if the write to the hard drive is for the paging file?

3) How could I tell the user mode process/program that initiated the
WriteFile() command?

4) How could I tell if this is something I'm writing myself (from the
filter) via ZwWriteFile()?

TIA



Posted by Maxim S. Shatskih on November 6th, 2003


No, only by disk disable/enable, and you cannot disable the SystemRoot disk or
any disk with a pagefile or running apps.

It can be switched to do-nothing mode though.

Looks like there is no way on disk filter level, only on FSD level.

You cannot on disk filter level, most user writes will go there by a cache lazy
writer fired by ExQueueWorkItem.

The resume: use the FSD filter to hit your purposes.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com



Posted by David on November 6th, 2003


Thanks Maxim,

Does that require the other DDK (can't think of the name off the top of my
head)?

What method/functions are used at that (FSD) level to determine if it's the
paging file and the user app/process that initiated the WriteFile call?

Also, was/is there a way to do number 4 of the original message?

D



Posted by Maxim S. Shatskih on November 6th, 2003


Yes, this requires the IFS Kit.
In the FS filter, you have access to the file object, and the file object
for a pagefile is specially marked.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

