Volume filter driver not monitoring some system files

Question

I am working on an upper volume filter driver that monitors writes/modification on a sector and then set the respective bits of that sector in my own bitmap. I am using the diskperf example that is provided in WDK as base.

Mostly all the writes/modification on a sector are monitored and the respective bits are set. My problem is my filter driver is not able to monitor certain sectors, for eg: $MFT, $MFTMirr etc.

But its able to track the sector of $LogFile. Can anyone please tell what kind of attributes or flags need to be set to handle all types of write IOs so that my filter driver can track all the sectors including system files sectors like $MFT and such files?

Any kind of help will be appreciated. Thanks in advance.

score 0 · Answer 1 · answered Dec 03 '13 at 09:15

0

If your driver is volume filter driver, it should get all read/writes on that volume. But writes for $Mft or $MftMirror might not be going through volume driver. The NTFS driver might be directly writing to partition/disk through private apis, skipping volume stack. Hence you would not be seeing the writes in your driver.

answered Dec 03 '13 at 09:15

Rohan

52,392
12
90
87

Hi, Thanks for replying. Do you know any way, so that I can get to know in my driver when any writes are done on $Mft files? – user3057138 Dec 03 '13 at 12:31
@user3057138, I think you need to go down the stack. Write disk filter driver to get those I/Os. – Rohan Dec 03 '13 at 12:59
@user3057138: or stealing major function entries from the NTFS driver? It's risky, though. – 0xC0000022L Aug 01 '15 at 16:32

Volume filter driver not monitoring some system files

1 Answers1