
I've just started working on a file system filter driver that monitors for I/O writes to any file (listening for IRP_MJ_WRITE requests), and defragments the file transparently if it becomes fragmented.

Currently, I have code like this:

```c
NTSTATUS FsFilterDispatchWrite(__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp)
{
    PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;
    NTSTATUS result = FsFilterDispatchPassThrough(DeviceObject, Irp);
    //FltFsControlFile(???);
    return result;
}
```

in which I would need to issue the FSCTL_GET_RETRIEVAL_POINTERS I/O control code.

However, I'm rather new to the area of driver development... is FltFsControlFile the correct function for me to use here? If so, what does the Instance parameter represent? And if not, then how should I go about doing this?

user541686
  • If you are rather new to driver development, you should first take up some lighter stuff. However, I recommend studying the `filespy` and `sfilter` examples from the older IFS Kit if you are interested in legacy FSFDs and the minifilter examples in the newer ones if you are fine to have the filter manager as a prerequisite. – 0xC0000022L Apr 21 '11 at 12:54
  • @STATUS: Where do I find those examples? I took a look at other examples in the Windows 7 WDK, but I don't think that's what you were referring to... – user541686 Apr 22 '11 at 05:09
  • @Mehrdad: That one does not include legacy FSFD examples anymore. The best start would be either `7600.16385.1\src\filesys\miniFilter\passThrough` or `7600.16385.1\src\filesys\miniFilter\minispy` to get a feel for what they do. Let me know if you need the old examples from the IFS Kit. I'll see whether older WDKs have it and can otherwise probably upload the sample code from the 3790.1830 IFS Kit for you. – 0xC0000022L Apr 22 '11 at 05:13
  • @STATUS: Sure, I'll let you know, thanks very much for the offer. :-) Right now the problem I'm running into is that I tried compiling and installing the null filter example on a virtual machine, but whenever I start the driver, everything suddenly freezes and the CPU usage spikes. Any idea what might be going on? (For reference, I'm actually compiling with Visual Studio's compiler (!), but I don't believe that would be an issue, would it? I'm setting the `/DRIVER:WDM` flag and the correct library paths from the WDK and everything, so it should be fine...) – user541686 Apr 22 '11 at 05:17
  • @Mehrdad: sounds very odd indeed. What I'm wondering is whether you have a debugger attached to the VM and it breaks into that. Could that be? Can happen if you have a debugger attached, even if you tell it not to break under normal circumstances, any assertion etc. would break into the debugger. – 0xC0000022L Apr 22 '11 at 05:20
  • @STATUS: I don't have any debugger attached to the VM, it's just a plain VirtualBox running an otherwise fine Windows 7 x64 system, with signature checking disabled and nothing attached. The funny thing is, after the freeze, I can't even do a hard reset on the virtual machine: it freezes every time after that on boot. I'm forced to close/stop *all* of VirtualBox (service, program, window, everything) and then start it again for it to be able to boot! – user541686 Apr 22 '11 at 05:21
  • @Mehrdad: out of ideas then. I've been using VirtualPC and VMware so far and never encountered a similar situation except for when it breaks into the debugger. Checked build of Windows in the VM, or Free build? Off to bed for now, though ;) – 0xC0000022L Apr 22 '11 at 05:24
  • @STATUS: It's a free build. And okay, good night! :) – user541686 Apr 22 '11 at 05:24
  • @Mehrdad: Free build means that it wouldn't break into the debugger for every other issue it encounters. I'm sorry, but I'm just puzzled as to what could be the problem here. Not much help, I'm afraid. – 0xC0000022L Apr 22 '11 at 13:10

1 Answer

Mehrdad,

FltFsControlFile is the correct API to use, but remember it's not worth doing defragmentation from a filter driver; doing defrag on the I/O path (or from a worker thread) in kernel mode is highly inefficient.

Windows made most files defraggable from user mode. Check http://technet.microsoft.com/en-us/library/dd405526(VS.85).asp and http://technet.microsoft.com/en-us/library/aa364577(VS.85).aspx

To monitor FS activity, the better thing to do is to use the USN journal, which is very efficient. It does not impose any load on the system.

http://technet.microsoft.com/en-us/library/aa365736(VS.85).aspx

Suresh
  • @Suresh: Thanks for the confirmation. As for the USN journal, the problem is that it's not always on, and I don't like turning it on because it gets fragmented and wastes disk space (sometimes even near a gigabyte or more)... so that's why I was thinking about making a driver. – user541686 Apr 27 '11 at 03:39
  • @Mehrdad - Another thing you can do is register for a directory change notification; you will get notified of which files get changed. You don't have to rely on USN for this. http://msdn.microsoft.com/en-us/library/aa365261(VS.85).aspx – Suresh Apr 28 '11 at 22:07
  • @Suresh: The problem with that approach is that it can miss notifications, and that becomes likely when there are lots of notifications -- which is usually the *exact time* when defragmentation is most critical. – user541686 Apr 28 '11 at 23:10
  • @Mehrdad - I am not sure how you miss the notification. Can you explain a little more? – Suresh May 02 '11 at 22:41
  • @Suresh: Take a look [here](http://stackoverflow.com/questions/57254/how-to-keep-readdirectorychangesw-from-missing-file-changes) and [this](http://esmithy.net/2006/07/21/file-system-monitoring/) might help: `changes can be missed if your application isn't running, or if the buffer supplied to ReadDirectoryChangesW overflows.` – user541686 May 03 '11 at 06:36
  • @Mehrdad - Usually the monitoring is done in a service, which accumulates to some data store and defrags while the system is idle. So the chance of missing files will be less. Many commercial products already use this approach. – Suresh May 03 '11 at 16:47
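
The check that decides whether a file is fragmented, given the extent list that FSCTL_GET_RETRIEVAL_POINTERS returns, as an added example that is not part of the original thread. The struct is a local mirror of RETRIEVAL_POINTERS_BUFFER so the code builds without the Windows headers; `count_fragments`, the fixed array size and the sample extents are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Local mirror of the RETRIEVAL_POINTERS_BUFFER layout (example's own names). */
/* The real structure is variable length; 8 slots are enough for the sample. */
typedef struct { int64_t NextVcn; int64_t Lcn; } Extent;
typedef struct {
    uint32_t ExtentCount;
    int64_t  StartingVcn;
    Extent   Extents[8];
} RetrievalPointers;

#define LCN_UNALLOCATED ((int64_t)-1)   /* sparse or compressed hole */

/* Count physically separate runs on disk. 'capacity' is how many extents
   actually fit in the caller's buffer. Returns -1 on inconsistent input. */
int count_fragments(const RetrievalPointers *rp, size_t capacity)
{
    int fragments = 0;
    int64_t vcn = rp->StartingVcn;
    int64_t expected_lcn = LCN_UNALLOCATED;  /* where a contiguous run continues */

    if (rp->ExtentCount > capacity || vcn < 0)
        return -1;                           /* never trust the count blindly */
    for (uint32_t i = 0; i < rp->ExtentCount; i++) {
        const Extent *e = &rp->Extents[i];
        if (e->NextVcn <= vcn)
            return -1;                       /* VCNs must strictly increase */
        int64_t len = e->NextVcn - vcn;      /* extent length in clusters */
        if (e->Lcn != LCN_UNALLOCATED) {     /* holes occupy no disk space */
            if (e->Lcn < 0 || e->Lcn > INT64_MAX - len)
                return -1;
            if (e->Lcn != expected_lcn)
                fragments++;                 /* a new physical run starts here */
            expected_lcn = e->Lcn + len;
        }
        vcn = e->NextVcn;
    }
    return fragments;
}

int main(void)
{
    /* Constructed sample: the second extent is a sparse hole and the third
       does not follow the first on disk, so the file has 2 fragments. */
    RetrievalPointers rp = { 3, 0, { {16, 1000}, {32, -1}, {48, 5000} } };
    return count_fragments(&rp, 8) == 2 ? 0 : 1;
}
```

A result greater than 1 means the file's data sits in more than one physical run.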