EldoS | Feel safer!

Software components for data protection, secure storage and transfer

windows callback message change

#28817
Posted: 03/18/2014 05:24:21
by RD-Agent Team  (Standard support level)
Joined: 07/02/2008
Posts: 11

Dear Sirs,

We use callbackfilter to monitor all file access.
After a recent Windows update, many callback notifications were lost, especially the "ReadNotify" event.
Do you have any information about this change or a solution for it?


Eric
#28818
Posted: 03/18/2014 05:30:22
by Eugene Mayevski (EldoS Corp.)

I am not sure that I understood your problem correctly. Are you saying that after some Windows update (hotfix or Windows 8.x update) your application started missing notifications about some file operations?


Sincerely yours
Eugene Mayevski
#28819
Posted: 03/18/2014 05:47:17
by RD-Agent Team  (Standard support level)
Joined: 07/02/2008
Posts: 11

Yes, after some Windows update our application is missing many notifications about some file operations. For example, when I open a .doc file using winword.exe, it just notifies the "OpenNotify" event and doesn't notify the "ReadNotify" event.

Eric
#28820
Posted: 03/18/2014 05:56:34
by Eugene Mayevski (EldoS Corp.)

This is a strange behavior that needs reproducing and narrowing down.

Here are several questions that we need answered in order to narrow down the problem:

1) Does the problem happen on some particular system or set of systems? Is there anything common between the systems where the issue happens (e.g. they all run Windows 8.1 with a certain KB fix installed)?

2) Does the issue happen only with notifications or with synchronous callbacks as well?

3) Is there a specific set of notifications that is missing, OR can any notification be omitted?
E.g. it can be that all read notifications are missing OR that some read notifications are missing OR that some open and some read notifications are missing.

Finally, try to reproduce the issue with the FileMon sample projects and see what conclusions you can make. E.g. you may see that notifications start to disappear after some time (say 5 minutes) after you run the sample, or that they are not reported immediately.


Sincerely yours
Eugene Mayevski
#28850
Posted: 03/19/2014 23:00:57
by RD-Agent Team  (Standard support level)
Joined: 07/02/2008
Posts: 11

I use FileMon to monitor all file open events (using winword.exe, notepad.exe) on Win7 x64 & XP x32.

When opening files over the network or a netdrive, it got the open & read notifications. But on the local machine's C drive or D drive, it just got the open notifications, and some read notifications are missing.


Eric
#28851
Posted: 03/20/2014 02:59:21
by Eugene Mayevski (EldoS Corp.)

Unfortunately, the provided information doesn't shed any light on the problem. Please try to investigate the issue and answer the questions I asked in the previous message. Maybe you will find out the reason for the problem yourself during the investigation.


Sincerely yours
Eugene Mayevski
#28854
Posted: 03/20/2014 04:08:20
by Vladimir Cherniga (EldoS Corp.)

Quote
RD-Agent Team wrote:
When opening files over the network or a netdrive, it got the open & read notifications. But on the local machine's C drive or D drive, it just got the open notifications, and some read notifications are missing.

Some of the read/write requests may come outside the normal IRP path, through the fastIO path directly to the cache manager, and those are not filtered. You may force the system to process requests with IRPs by setting the property ProcessCachedReadWriteCallbacks = true. In any case you will get all read/write callbacks associated with backup storage, but some of them come from/to the system cache, which keeps recently used data in virtual memory.
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.