
Comments by Wshwilfried (Top 12 by date)

Wshwilfried 21-Apr-16 20:11pm View
My end goal is to track modifications made on a certain set of files that I monitor in a mini filter and track their respective sectors at disk level with another driver. I have started to implement it, but I had some failures tracking sectors of resident files, including file attributes etc. that are embedded within the base file record. So I came to the conclusion that if I found a way to track the sectors representing those files' attributes, that would satisfy me, thus the post.
Wshwilfried 13-Apr-16 20:28pm View
Thank you very much. I clearly see it now.
Wshwilfried 8-Apr-16 3:57am View
Thank you for the prompt reply. I am going through the CMOS RAM addresses but don't find anything about encryption support. Could you please show me what I should look at?
Wshwilfried 8-Apr-16 0:58am View
Thank you very much, it solved my problem. Programming drivers is really an art.
Wshwilfried 22-Mar-16 23:58pm View
In my second call to ZwCreateFile I set the desired access to SYNCHRONIZE and it worked. Can anyone explain why? I thought that since my goal is to simultaneously read the file, I had to provide FILE_READ_DATA or GENERIC_READ.
Wshwilfried 6-Mar-16 21:50pm View
I think I found it. I just set the byte offset to 0 when calling ZwWriteFile, and since the buffers are of the same size it always gets updated.
Wshwilfried 6-Mar-16 21:10pm View
I just tried that, but it is not giving what I want; also, it isn't much different from FILE_OVERWRITE_IF, which I was using before posting my question. What I need is that when calling ZwWriteFile, the file content gets cleared before the new buffer gets written to the corresponding file.
Wshwilfried 1-Mar-16 19:16pm View
Thank you, I'll try that.
Wshwilfried 22-Jul-15 5:09am View
I will suggest you find the IRPs that get sent for the operation you desire to track. There are lots of tutorials here at CodeProject and on Google; start from there, and once you have tried something I'm sure you'll get more help.
Wshwilfried 3-Jul-15 5:22am View
I did get this from MSDN: STATUS_OBJECT_NAME_NOT_FOUND (The filter service key is not found in the registry. -or- The filter instance is not registered). I then updated the INF file like this but still have the same error:

;;; WegsFsFilter

Signature = "$Windows NT$"
; TODO - Change the Class and ClassGuid to match the Load Order Group value, see
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Load Order Group value
Class = "_TODO_Change_Class_appropriately_"
ClassGuid = {_TODO_Change_ClassGuid_appropriately_}
Provider = %ManufacturerName%
DriverVer = 07/01/2015,
CatalogFile =

DefaultDestDir = 12
WegsFsFilter.DriverFiles = 12 ;%windir%\system32\drivers

;; Default install sections

OptionDesc = %ServiceDescription%
CopyFiles = WegsFsFilter.DriverFiles

AddService = %ServiceName%,,WegsFsFilter.Service

;; Default uninstall sections

DelFiles = WegsFsFilter.DriverFiles

DelService = %ServiceName%,0x200 ;Ensure service is stopped before deleting

; Services Section

DisplayName = %ServiceName%
Description = %ServiceDescription%
ServiceBinary = %12%\%DriverName%.sys ;%windir%\system32\drivers\
Dependencies = "FltMgr"
; TODO - Change the Load Order Group value, see
LoadOrderGroup = "FSFilter Activity Monitor"
LoadOrderGroup = "_TODO_Change_LoadOrderGroup_appropriately_"
AddReg = WegsFsFilter.AddRegistry

; Registry Modifications


; Copy Files


WegsFsFilter.sys = 1,,

1 = %DiskId1%,,,

;; String Section

; TODO - Add your manufacturer
ManufacturerName = "Wega Driver"
ServiceDescription = "WegsFsFilter Mini-Filter Driver"
ServiceName = "WegsFsFilter"
DriverName = "WegsFsFilter"
DiskId1 = "WegsFsFilter Device Installation Disk"

;Instances specific information.
;DefaultInstance = "WegsFsFilter - Top Instance"
;Instance1.Name = "WegsFsFilter Middle Instance"
; TODO - Change the altitude value, see
;Instance1.Altitude = "370030"
;Instance.Altitude = "_TODO_Change_Altitude_appropriately_"
;Instance1.Flags = 0x0 ; Allow all attachments

DefaultInstance = "WegsFsFilter - Top Instance"
Instance1.Name = "WegsFsFilter - Middle Instance"
Instance1.Altitude = "370000"
Instance1.Flags = 0x1 ; Suppress automatic attachments
Wshwilfried 27-May-15 2:05am View
Okay Thanks.
Wshwilfried 26-May-15 4:24am View