EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Monitoring a DIR for File IO

Also by EldoS: RawDisk
Access locked and protected files in Windows, read and write disks and partitions and more.
Posted: 08/07/2008 04:03:10
by Vladimir Cherniga (EldoS Corp.)

Developer Amit wrote:
We get the Filename correctly but the position is always returned as 0 (zero).

This is happend because of data file changes was applied into the range of 0 - 4095 bytes, if write will be done somewhere into the 4096-8191 position you will always catch Position = 4096 in the write callback. So you cannot know what actual data was modified from this range( it may be 1 byte or 4096 bytes totally changed) if only you compare manualy the data came from callback and the data stored on the disk( additional read/write requests may be done from callback only with special handle obtained from CallbackFilter.OpenFile() method). If you don't need to do such detail comparison you may backup whole bytes range with exception of last bytes that exeed the end of file(EOF) value. I have mentioned how to obtain the EOF value in previous message.
Posted: 08/07/2008 08:37:29
by Developer Amit (Basic support level)
Joined: 07/03/2008
Posts: 11

Hi Vladimir,

I have tried writing to different sized files ranging to less than 4K to more than 10K. I am writing in all parts of the file, while tracing the callback. By all parts, I mean at the beginning, in the middle, at the end or randomly any where in the file.

But the Position variable is always 0 (zero). Position is a __int64 type parameter returned by the callback. We are printing i by converting it to ascii using...

itoa((int)Position, &temp[0], 10);

where, temp is a defined as "char temp[128]"

Irrespective to what file size we write (> 4k or < 4k), 'Position' parameters value is always 'zero'. Even if I write somewhere in between 4096 - 8191 position, it will still return back 'zero' only. I have tried this with diff file sizes. It never returns 4096 (4K) or 8194 (4K x 2) or 12288 (4K x 3).

There is other parameter by the name 'BytesToWrite' of DWORD type. This parameter's value changes depending up on the file size. If we write anything to a file whose size is less than 8K, it will always give 8K.

Could you please clarify, if we are doing anything wrong.


Posted: 08/08/2008 02:36:21
by Vladimir Cherniga (EldoS Corp.)

Hi Amit,
Sorry for misleading you.In the previous description i supposed that monitored file was opened with FILE_FLAG_NO_BUFFERING. This flag prevents from file contents being cached. Typically the WriteFile function write data to an internal buffer that the operating system writes to a disk on a regular basis.
So this nothing wrong with callback parameters. Such behaviour depends on system caching mechanism. When cache manager desides to flush internally stored data to the disk, he sends request to the file system driver and this request interrupted by our filter driver. Also some win32 api causes all buffered data to be written to a file( e.g. FlushFileBuffers)



Topic viewed 11404 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!