Filtering the I/O requests sent by non-system applications in a file

HI,
I'm a newbie in the world of drivers. I'm developing a file system
filter driver that needs to process all I/O requests sent in by user
mode applications eg; MS Word, Excel etc; I don't want to do any sort
of processing on IRPs generated on behalf of the Windows OS itself
( I'm not sure I'm using the correct words here :) ).

To put it simple, I want to distinguish between IRPs generated on
behalf of the OS processes and those generated on behalf of user mode
applications.

Could anybode tell me the easiest mechanism to achieve this?

Thanks in advance,
Shaji.

David
Wed Apr 30 01:37:10 CDT 2008

This is the wrong group. Try ntfsd on osronline.com.

"shaji" <shajiparemmal@gmail.com> wrote in message
news:f54062ad-0b05-4911-8f72-4bf0c1023d8e@n1g2000prb.googlegroups.com...
> HI,
> I'm a newbie in the world of drivers. I'm developing a file system
> filter driver that needs to process all I/O requests sent in by user
> mode applications eg; MS Word, Excel etc; I don't want to do any sort
> of processing on IRPs generated on behalf of the Windows OS itself
> ( I'm not sure I'm using the correct words here :) ).
>
> To put it simple, I want to distinguish between IRPs generated on
> behalf of the OS processes and those generated on behalf of user mode
> applications.
>
> Could anybode tell me the easiest mechanism to achieve this?
>
> Thanks in advance,
> Shaji.

Eugene
Wed Apr 30 01:49:14 CDT 2008

Hello!
You wrote on Tue, 29 Apr 2008 22:31:03 -0700 (PDT):

s> To put it simple, I want to distinguish between IRPs generated on
s> behalf of the OS processes and those generated on behalf of user mode
s> applications.

There are cases when the OS issues requests on behalf of the application (or
it's needs). Examples: if the application accesses the file via MMF, or when
cache manager accesses the file (I am not 100% sure about the latter case).

With best regards,
Eugene Mayevski
http://mayevski.blogspot.com/

shaji
Wed Apr 30 04:14:15 CDT 2008

Hi Eugene Mayevski,

> There are cases when the OS issues requests on behalf of the application (or
> it's needs). Examples: if the application accesses the file via MMF, or when
> cache manager accesses the file (I am not 100% sure about the latter case).

Thanks a lot for that reply. I know that IoGetRequestorProcess will
give me the process which requested the I/O. If the application uses
MMF to access the file, will this function return the system process
that issues MMF request?
Shaji.

Maxim
Thu May 01 04:21:17 CDT 2008

Impossible. The kernel does not know the difference between, say,
OS-provided svchost.exe and the user-installed winword.exe

Also note that some work initiated by apps like Word will be executed in
System process context - cache flushes and read-aheads.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

"shaji" <shajiparemmal@gmail.com> wrote in message
news:f54062ad-0b05-4911-8f72-4bf0c1023d8e@n1g2000prb.googlegroups.com...
> HI,
> I'm a newbie in the world of drivers. I'm developing a file system
> filter driver that needs to process all I/O requests sent in by user
> mode applications eg; MS Word, Excel etc; I don't want to do any sort
> of processing on IRPs generated on behalf of the Windows OS itself
> ( I'm not sure I'm using the correct words here :) ).
>
> To put it simple, I want to distinguish between IRPs generated on
> behalf of the OS processes and those generated on behalf of user mode
> applications.
>
> Could anybode tell me the easiest mechanism to achieve this?
>
> Thanks in advance,
> Shaji.