A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23297  by Vrtule
 Sun Jul 06, 2014 7:33 pm
Hello,

I am working on a quite general filter driver and would like to monitor requests sent by file system drivers to devices representing individual volumes (partitions). Because the terminology here is not so clear, I try to explain the problem in more detail.

When an application attempts to perform a file operation, the kernel creates a request (an IRP, for example) and sends it to a device object representing a file system mounted on a certain volume (such a device object is called a volume device object (VDO) in MSDN). The file system driver that owns the device object does some processing and may do some communication with a device representing the underlying volume (called a storage device object and handled by volmgr.sys, for example). I would like to monitor the communication between the file system and the underlying volume.

It is quite easy to monitor requests sent to a VDO. The filter driver just attaches its device object to the stack of the file system device and it sees the requests. Or the FltMgr approach can be used. The same approach does not work for the devices representing volumes because the file system communicates directly with them and does not pass its requests down their storage stack.

Is there a way to solve the problem (to instruct the file system not to send its requests directly to the storage device object but rather to send them to some other device)?

Thanks in advance
Vrtule
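The two stacks described in the post (the file system's VDO stack and the volume's storage stack) and the way an IRP travels between them, as an added model that is not code from the original post and not a WDK driver: the I/O manager routines IoAttachDeviceToDeviceStack, IoCallDriver and IoGetAttachedDeviceReference, the DEVICE_OBJECT/DRIVER_OBJECT structures and the driver names are re-implemented here in miniature in user-mode C so the routing can be run and checked. The model assumes that the file system resolves the top of the volume stack once, at mount time, and keeps that pointer in its VCB for all later volume I/O; under that assumption a filter attached to the volume stack before the mount sits in the path, while one attached afterwards is bypassed exactly as the post describes.

```c
/* Added model of Windows I/O manager device-stack routing (not WDK code).
 * Names mirror the real API but the implementations are miniature stand-ins. */
#include <stdio.h>

typedef struct DEVICE_OBJECT DEVICE_OBJECT;
typedef struct DRIVER_OBJECT DRIVER_OBJECT;
typedef struct { const char *major; int filters_seen; } IRP;
typedef int (*PDRIVER_DISPATCH)(DEVICE_OBJECT *dev, IRP *irp);

struct DRIVER_OBJECT { const char *name; PDRIVER_DISPATCH dispatch; };
struct DEVICE_OBJECT {
    DRIVER_OBJECT *DriverObject;
    DEVICE_OBJECT *AttachedDevice;   /* device attached directly above, or NULL */
    void *DeviceExtension;           /* filter: lower device; FS: its VCB */
};

/* Dispatch to the driver that owns the target device object. */
static int IoCallDriver(DEVICE_OBJECT *dev, IRP *irp) {
    return dev->DriverObject->dispatch(dev, irp);
}

/* Attach src on top of target's stack; return the previous top so the
 * filter knows where to forward. */
static DEVICE_OBJECT *IoAttachDeviceToDeviceStack(DEVICE_OBJECT *src, DEVICE_OBJECT *target) {
    DEVICE_OBJECT *top = target;
    while (top->AttachedDevice) top = top->AttachedDevice;
    top->AttachedDevice = src;
    return top;
}

static DEVICE_OBJECT *IoGetAttachedDeviceReference(DEVICE_OBJECT *dev) {
    while (dev->AttachedDevice) dev = dev->AttachedDevice;
    return dev;
}

/* volmgr stand-in: bottom of the volume stack, completes the request. */
static int VolmgrDispatch(DEVICE_OBJECT *dev, IRP *irp) {
    (void)dev; (void)irp;
    return 0; /* STATUS_SUCCESS */
}

/* Generic pass-through filter: records that it saw the IRP, then forwards
 * to the device that was below it when it attached. */
static int FilterDispatch(DEVICE_OBJECT *dev, IRP *irp) {
    irp->filters_seen++;
    return IoCallDriver((DEVICE_OBJECT *)dev->DeviceExtension, irp);
}

/* File system stand-in: the VDO dispatch turns the file request into a
 * volume request aimed at the device captured at mount time (assumption). */
typedef struct { DEVICE_OBJECT *TargetDeviceObject; } FS_VCB;

static int FsDispatch(DEVICE_OBJECT *vdo, IRP *irp) {
    FS_VCB *vcb = vdo->DeviceExtension;
    return IoCallDriver(vcb->TargetDeviceObject, irp);
}

static void FsMount(DEVICE_OBJECT *vdo, DEVICE_OBJECT *real_device) {
    FS_VCB *vcb = vdo->DeviceExtension;
    vcb->TargetDeviceObject = IoGetAttachedDeviceReference(real_device);
}

/* Build both stacks, attach one filter to each, send a single IRP into the
 * top of the file-system stack and return how many filters it passed.
 * attach_volume_filter_before_mount selects the attach/mount ordering. */
static int filters_seen_by_volume_io(int attach_volume_filter_before_mount) {
    DRIVER_OBJECT volmgr = { "volmgr", VolmgrDispatch };
    DRIVER_OBJECT fs     = { "fs",     FsDispatch };
    DRIVER_OBJECT filt   = { "filter", FilterDispatch };
    FS_VCB vcb = { NULL };
    DEVICE_OBJECT vol       = { &volmgr, NULL, NULL };   /* storage device object */
    DEVICE_OBJECT vdo       = { &fs,     NULL, &vcb };   /* volume device object */
    DEVICE_OBJECT fsFilter  = { &filt,   NULL, NULL };
    DEVICE_OBJECT volFilter = { &filt,   NULL, NULL };
    IRP irp = { "IRP_MJ_READ", 0 };

    fsFilter.DeviceExtension = IoAttachDeviceToDeviceStack(&fsFilter, &vdo);
    if (attach_volume_filter_before_mount) {
        volFilter.DeviceExtension = IoAttachDeviceToDeviceStack(&volFilter, &vol);
        FsMount(&vdo, &vol);          /* FS captures volFilter as its target */
    } else {
        FsMount(&vdo, &vol);          /* FS captures vol itself */
        volFilter.DeviceExtension = IoAttachDeviceToDeviceStack(&volFilter, &vol);
    }
    IoCallDriver(IoGetAttachedDeviceReference(&vdo), &irp);
    return irp.filters_seen;
}

int main(void) {
    printf("volume filter attached before mount: %d filters saw the I/O\n",
           filters_seen_by_volume_io(1));
    printf("volume filter attached after mount:  %d filters saw the I/O\n",
           filters_seen_by_volume_io(0));
    return 0;
}
```

The VDO-side filter sees the request in both orderings because the I/O manager always resolves the top of the VDO stack at send time; the volume-side filter only sees it when it was already on the stack at mount, since in the model the file system never re-resolves its cached target. That ordering constraint is the check to make before concluding that a volume filter is being bypassed.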