File system hooking

Post by TmFkYX » Thu, 30 Dec 2004 17:11:03


Hi,

I am writing some kind of a file-system monitor (similar to an unvirus).
This requires optimal performance and a minimal footprint, so C++ is used. I need
to get an indication of new files being written to the disk. Currently I use the
FindFirstChangeNotification API, BUT this doesn't tell me when the file writing
operation has completed (when CloseHandle was called for that file). I would
rather NOT get into the kernel, as this will require file system filter
development, which will take a considerable amount of time to develop.

So, is there any way of getting indications concerning file write completion
without getting into the kernel?

--
Nadav
http://www.yqcomputer.com/
 
 
 

File system hooking

Post by UGF2ZWwgQS » Fri, 31 Dec 2004 06:23:09

Look in MSDN about READ_USN_JOURNAL_DATA
(NTFS change journal)

--PA
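
The change journal answers the "write completed" question because NTFS emits a final record carrying USN_REASON_CLOSE once the last handle to a modified file is closed. The following is an added example, not code from either poster: a portable parser for the buffer that DeviceIoControl with FSCTL_READ_USN_JOURNAL returns, keeping only records that combine a write-type reason with CLOSE. It assumes USN_RECORD_V2 layout and a little-endian host; `closedWrites`, `appendRecord` and the `R_*` constant names are hypothetical, and the sample records are constructed rather than read from a volume.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Reason bits, same values as USN_REASON_* in winioctl.h.
constexpr uint32_t R_DATA_OVERWRITE = 0x1, R_DATA_EXTEND = 0x2, R_DATA_TRUNCATION = 0x4,
                   R_FILE_CREATE = 0x100, R_CLOSE = 0x80000000u;
constexpr uint32_t WRITE_MASK = R_DATA_OVERWRITE | R_DATA_EXTEND | R_DATA_TRUNCATION | R_FILE_CREATE;
constexpr size_t HDR = 60;  // offset of FileName in USN_RECORD_V2

struct ClosedWrite { uint64_t usn; uint32_t reason; std::u16string name; };

template <class T> T rd(const uint8_t* p) { T v; std::memcpy(&v, p, sizeof v); return v; }
template <class T> void wr(uint8_t* p, T v) { std::memcpy(p, &v, sizeof v); }

// Walk the ioctl output: an 8-byte "next USN", then packed USN_RECORD_V2 entries.
// Returns only records whose handle was closed after the file was created or written.
std::vector<ClosedWrite> closedWrites(const std::vector<uint8_t>& buf, uint64_t& nextUsn) {
    std::vector<ClosedWrite> out;
    if (buf.size() < 8) return out;
    nextUsn = rd<uint64_t>(buf.data());  // pass this as StartUsn on the next read
    for (size_t off = 8; buf.size() - off >= HDR;) {
        const uint8_t* r = buf.data() + off;
        uint32_t len = rd<uint32_t>(r), reason = rd<uint32_t>(r + 40);
        if (len < HDR || len > buf.size() - off) break;  // truncated or corrupt: stop
        uint16_t nlen = rd<uint16_t>(r + 56), noff = rd<uint16_t>(r + 58);
        bool ok = rd<uint16_t>(r + 4) == 2 && noff >= HDR && nlen % 2 == 0 &&
                  uint32_t(noff) + nlen <= len;  // V2 record with the name inside it
        if (ok && (reason & R_CLOSE) && (reason & WRITE_MASK)) {
            std::u16string name(nlen / 2, u'\0');
            std::memcpy(&name[0], r + noff, nlen);
            out.push_back({rd<uint64_t>(r + 24), reason, name});
        }
        off += len;
    }
    return out;
}

// Builds one constructed sample record (not captured data), padded to 8 bytes.
void appendRecord(std::vector<uint8_t>& buf, uint64_t usn, uint32_t reason, const std::u16string& name) {
    size_t nbytes = name.size() * 2, len = (HDR + nbytes + 7) & ~size_t(7), at = buf.size();
    buf.resize(at + len, 0);
    uint8_t* r = buf.data() + at;
    wr<uint32_t>(r, uint32_t(len)); wr<uint16_t>(r + 4, 2); wr<uint64_t>(r + 24, usn);
    wr<uint32_t>(r + 40, reason); wr<uint16_t>(r + 56, uint16_t(nbytes)); wr<uint16_t>(r + 58, uint16_t(HDR));
    std::memcpy(r + HDR, name.data(), nbytes);
}
```

On Windows the same filtering can be pushed into the request itself through the ReasonMask and ReturnOnlyOnClose fields of READ_USN_JOURNAL_DATA, with this parser applied to whatever the call returns.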