Windows File System Filter Driver

Question

I am trying to create a small file system filter driver for testing/demonstrating how to track the impact that filter drivers have on I/O performance using ETW in Windows Server 2008 R2. I've downloaded the DDK and built a few of the samples, but I am having problems with trying to filter on a specific disk device, or on a specific file extension, either of which will work for the task I am trying to do. What I want to do is isolate the filter driver to a specific disk/volume, or to files with a specific extension to show how the I/O performance can be affected by filter drivers processing requests. I've been using the passthrough sample for testing, and everywhere I try to introduce latency I get negative affects because I can't properly filter the operations down to specifically what I am trying to do.

This is never intended to be a fully functional driver, I'd ideally like to be able to intercept/affect IRP_MJ_WRITE operations on a specific volume or specific file extensions so that I can show the effect the filter driver has on those operations. Is there any easy way to do this that I am just missing here? I understand fully that people make a living writing these types of drivers, but I'd really like to be able to produce a simple filter if possible.

Thanks!

Answer 1

You can try to attach to specific volume either by

• fltmc attach ... command or
• FltAttachVolume in minifilter driver or
• FilterAttach from user space program.

Note: filtering applies to all file operations on attached volume. If you want to include/exclude specific file names/extensions that is little complicated. You need to find filename (which is not easily available) and skip for unwanted files. Also, this will involve much more processing than you want to work with.