Spying a file system

Yep, you are rigth. I also know no API to do that. As far as sysinternals, they have removed their sources from the web... Frown | :(

never mind, I still have them Smile | :)

Thank you for your answer,
Regards,
Adrian Korsuas

Dear Adrian Korsuas,
Could you pleasee help me by sending me the source?
Thanhks,
Wall

Sure, but remember they are from an old version. It will take a few days to find them on my PCs Smile | :)

. In the mean time, please leave your mail address so I know where to send them.

Regards,
Adrian Korsuas

Dear collegue, Huang,

I will find out some info specially for you on the
next week.

--- hzd85 <hzd85@sina.com> wrote:

> Hi!
> I am a programmer from China. I read the article
> "Spying a File System" you wrote and find it very
> useful.
> I have a question on file reading and writing. Most
> antivirus softwares do virus scan while the file is
> being read, how
> can they do that? Is there any way or function to
> realize this?
> Thank you!
>
> 　　　　　　　　hzd85
> 　　　　　　　　hzd85@sina.com
> 　　　　　　　　　　2004-09-03
>

_______________________________
Do you Yahoo!?
Win 1 of 4,000 free domain names from Yahoo! Enter now.
http://promotions.yahoo.com/goldrush

rancher110

Virus scanners use a file system "filter driver" to monitor disk accesses. Writing such a driver is a quite a bit more complicated and is very prone to destabilizing the system if done incorrectly. Many system stability problems have been attributed to buggy virus scanner filter drivers.

One thing that I don't see there is a way to cancel the operation and free the hDir handle. It looks to me like this app exits the application and assumes the system will clean up the hanging call and the allocated directory handle.

Am I missing something? I ask because I am looking for a *proper* way to cancel a synchronous ReadDirectoryChangesW call and there is no documented way to do so and closing the directory handle just hangs the app.

Thanks.

Hi TwoBit,

You can use BOOL TerminateThread to terminate thread with ReadDirectoryChangesW call. You can also use ExitThread (inside the thread). And of course CloseHandle. More other CloseHandle can close following
objects:
- Access token
- Communications device
- Console input
- Console screen buffer
- Event
- File
- File mapping
- Job
- Mailslot
- Mutex
- Named pipe
- Process
- Semaphore
- Socket
- Thread

Hope this will helpful. Smile | :)

Vitali

modified on Tuesday, June 3, 2008 10:22 AM

Vitali Halershtein wrote:
You can use BOOL TerminateThread to terminate thread with ReadDirectoryChangesW call.

TerminateThread is not a good way to handle this! From the MSDN documentation:

TerminateThread is used to cause a thread to exit. When this occurs, the target thread has no chance to execute any user-mode code and its initial stack is not deallocated. DLLs attached to the thread are not notified that the thread is terminating. <br />
<br />
TerminateThread is a dangerous function that should only be used in the most extreme cases. You should call TerminateThread only if you know exactly what the target thread is doing, and you control all of the code that the target thread could possibly be running at the time of the termination. For example, TerminateThread can result in the following problems: <br />
<br />
   - If the target thread owns a critical section, the critical section will not be released.<br />
   - If the target thread is executing certain kernel32 calls when it is terminated, the kernel32 state for the thread's process could be inconsistent.<br />
   - If the target thread is manipulating the global state of a shared DLL, the state of the DLL could be destroyed, affecting other users of the DLL.<br />

Vitali Halershtein wrote:
You can also use ExitThread (inside the thread)

Not if the thread is blocked by the synchronous call... Smile | :)

Vitali Halershtein wrote:
And of course CloseHandle

CloseHandle has almost nothing to do with terminating a thread. I say "almost" because, quoting from MSDN: "The thread object remains in the system until the thread has terminated and all handles to it have been closed through a call to CloseHandle."

Let's look at an example:

   void func()<br />
   {<br />
      DWORD dwId = 0;<br />
      HANDLE hThread = CreateThread( NULL, 0, ThreadProc, NULL, 0, &dwID );<br />
<br />
      if( hThread )<br />
         CloseHandle( hThread );<br />
   }<br />

A common misconception is the belief that the CloseHandle call above will cause the thread to exit immediately. And I have seen many programs that never close the handle at all, resulting in a resource leak every time a new thread is created - since the resources allocated for the thread are never released until the application exits.

The reality is that by calling CloseHandle, we are allowing the resources for the thread to be freed when the thread procedure exits normally. For every successful call to CreateThread, there should be a corresponding call to CloseHandle.

So, to answer the original question: If you don't like the fact that the synchronous call to ReadDirectoryChangesW cannot be cancelled, use the asynchronous call instead. In fact, that sounds like what your application needs to do anyway. I haven't looked at it myself, but I did find a sample on MSDN that may be helpful:

Fwatch Sample: Using ReadDirectoryChangesW API
http://msdn.microsoft.com/library/en-us/vcsample98/html/vcsmpfwatchsamplereaddirectorychangeswapi.asp

Note: This link is valid as of 24-Jul-2004, but Microsoft tends to move things around from time to time. If the link doesn't resolve for you, try searching for "ReadDirectoryChangesW" on MSDN.

consist@netvision.net.il

There is a way to do what you want but this solution is UNDOCUMENTED and tested on WIN2000 only.
The solution is as follow: use the handle you get from CreateFile and use it in WaitForMultipleObjects or MsgWaitForMultipleObjects and at last call to ReadDirectoryChangesW

Look at the code fragment replace the code of ThreadRoute1 including fixing the bug of reading the information

void ThreadRoute1( void* arg )
{
USES_CONVERSION;

HANDLE hDir = CreateFile( CString(":\\Program Files "),
FILE_LIST_DIRECTORY, // access (read/write) mode
FILE_SHARE_READ|FILE_SHARE_DELETE, // share mode
NULL, // security descriptor
OPEN_EXISTING, // how to create
FILE_FLAG_BACKUP_SEMANTICS, // file attributes
NULL // file with attributes to copy
);

char Buffer[0x1000];
char* CurrentBuffPtr;
FILE_NOTIFY_INFORMATION* pEileNotifyInfo;
DWORD BytesReturned;
while( true)
{
WaitForMultipleObjects(1,&hDir, FALSE, INFINITE);
//*****************************************************
// You can do hear every thing you want
// ***************************************************
CTime tm = CTime::GetCurrentTime();
CString helper_txt;

CurrentBuffPtr = Buffer;

ReadDirectoryChangesW(
hDir, // handle to directory
Buffer, // read results buffer
sizeof(Buffer), // length of buffer
FALSE, // monitoring option
FILE_NOTIFY_CHANGE_CREATION|
FILE_NOTIFY_CHANGE_LAST_WRITE|
FILE_NOTIFY_CHANGE_SIZE|
FILE_NOTIFY_CHANGE_DIR_NAME|
FILE_NOTIFY_CHANGE_FILE_NAME, // filter conditions
&BytesReturned, // bytes returned
NULL, // overlapped buffer
NULL// completion routine
);

// This loop is fix the reading information bug
do
{
pEileNotifyInfo = (FILE_NOTIFY_INFORMATION*)CurrentBuffPtr;
switch(pEileNotifyInfo->Action)
{
case FILE_ACTION_ADDED: helper_txt = "The file was added to the directory";
break;
case FILE_ACTION_REMOVED: helper_txt = "The file was removed from the
directory"; break;
case FILE_ACTION_MODIFIED: helper_txt = "The file was modified. This can be a
change in the time stamp or attributes."; break;
case FILE_ACTION_RENAMED_OLD_NAME: helper_txt = "The file was renamed and
this is the old name."; break;
case FILE_ACTION_RENAMED_NEW_NAME: helper_txt = "The file was renamed and
this is the new name."; break;
}
m_Sec.Lock();
int item = pList1->InsertItem(pList1->GetItemCount(), CString(pEileNotifyInfo->FileName).Left(pEileNotifyInfo->FileNameLength / 2) + " - " + helper_txt );
pList1->SetItemText(item, 1, tm.Format("%Y/%m/%d/ - %H:%M:%S"));
m_Sec.Unlock();
CurrentBuffPtr += pEileNotifyInfo->NextEntryOffset;

}
while (pEileNotifyInfo->NextEntryOffset);
FindNextChangeNotification(file);

}
FindCloseChangeNotification(file);

}

Good luck

Boaz Rozmarin
boaz_ro@netvision.net.il

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/obtaining_directory_change_notifications.asp[^]

.............................
There's nothing like the sound of incoming rifle and mortar rounds to cure the blues. No matter how down you are, you take an active and immediate interest in life.

Fiat justitia, et ruat cælum

folks,

As I experiment with ReadDirectoryChangesW method, i notice that FILE_ACTION_RENAMED_NEW_NAME Action never fires. Renaming a file causes FILE_ACTION_RENAMED_OLD_NAME action alone. I am looking for both events in the Buffer array so that i can retreive the old name and the new one.

Any ideas would be greatly appreciated.

thanks
Rao

Rao,

Can you provide some details on this situation?
What OS are you using, do you login with admin privelegies?

Hi,

thanks for responding. I am using XP and I use an account that has full admin privs.

thanks
Rao

FILE_ACTION_RENAMED_NEW_NAME action does occur. It happens at the same time when FILE_ACTION_RENAMED_OLD_NAME action and it is stored as a next entry of a buffer to which results of ReadDirectoryChangesW are written. There is a litte error in a code and moving throug the buffer is not correct ( actually only the first record is read). Correct version :

FILE_NOTIFY_INFORMATION arrchBuffer[10];

BOOL ReadDirectoryChangesW(
hDirectory,
arrchBuffer
.
.
.
);

FILE_NOTIFY_INFORMATION * pInfo;
pInfo = (FILE_NOTIFY_INFORMATION *) arrchBuffer;

do
{
DWORD action = pInfo->Action;
CString fileName = CString(pInfo->FileName,pInfo->FileNameLength / sizeof(WCHAR));
.
.
.
//check if there were more records returned
if (pInfo->NextEntryOffset > 0)
{
// move to the next record
pInfo = (FILE_NOTIFY_INFORMATION *)
(((CHAR *) pInfo) + pInfo->NextEntryOffset);
}
else
pInfo = NULL;
}
while(NULL != pInfo);

Kijanka

Excellent, I've had a dir-monitoring app in use for some time here, but I ran into this problem recently with an app that people started using here that saved to a temp name then renamed afterwards, instead of saving to the dest name immediately. It was driving me bats as to why it didn't show up. Thanks very much!

do {
m_Sec.Lock();
int item = pList1->InsertItem(pList1->GetItemCount(), CString(Buffer[i].FileName).Left(Buffer[i].FileNameLength / 2) + " - " + helper_txt );
pList1->SetItemText(item, 1, tm.Format("%Y/%m/%d/ - %H:%M:%S"));

//check if there were more records returned , especially for FILE_ACTION_RENAMED_OLD_NAME => FILE_ACTION_RENAMED_NEW_NAME
if (Buffer[i].NextEntryOffset > 0)
{

FILE_NOTIFY_INFORMATION * pInfo;
pInfo = (FILE_NOTIFY_INFORMATION *) Buffer;
// move to the next record
pInfo = (FILE_NOTIFY_INFORMATION *)(((CHAR *) pInfo) + pInfo->NextEntryOffset);

helper_txt = "The file was renamed and this is the new name.";

int item = pList1->InsertItem(pList1->GetItemCount(), CString(pInfo->FileName).Left(pInfo->FileNameLength / 2) + " - " + helper_txt );
pList1->SetItemText(item, 1, tm.Format("%Y/%m/%d/ - %H:%M:%S"));

}

i++;
m_Sec.Unlock();
}
while (!Buffer[i].NextEntryOffset);
}

hi,
If I am monitoring multiple directories, then will it be fisible to use the WaitforMultipleObjects and the single thread? As I can have concurrent operations such as copying on both the directories at a time.

Hi,

Thanks for the question.

The WaitForMultipleObjects function returns when one of the following occurs:
- Either any one or all of the specified objects are in the signaled state.
- The time-out interval elapses.

The WaitForMultipleObjects function can use handles of any of the following object types in the lpHandles array:

-Change notification
-Console input
-Event
-Job
-Mutex
-Process
-Semaphore
-Thread
-Waitable timer

Just gain an understanding with lpHandles parammeter.
Hope this will helpful.

Vitali

modified on Tuesday, June 3, 2008 10:23 AM

You could do something like this. Note that I'm assuming that this function would be called from a separate thread, and that you're using a named event ("Cancel_Event") to signal the thread when the cancel button has been pressed, etc.

BTW - It would be a good idea to use SHGetSpecialFolderPath instead of hard-coding the paths, and you might want to throw some error checking in there, too... Smile | :)

<br />
void SomeFunc( BOOL bWatchSubDir, DWORD dwFilter )<br />
{<br />
   // Specify the paths we want to watch...<br />
   //<br />
   const DWORD NUM_PATHS = 2;<br />
<br />
   LPCTSTR arPaths[ NUM_PATHS ] =<br />
   {<br />
      "C:\\My Documents",<br />
      "C:\\Program Files"<br />
   };<br />
<br />
   // Create an array of handles, one for each path plus an<br />
   // additional handle that we will use to cancel the search.<br />
   // Note that we're using the "Cancel" event handle as the<br />
   // first element in this array...<br />
   //<br />
   HANDLE arHandles[ NUM_PATHS + 1 ] =<br />
   {<br />
      CreateEvent( NULL, FALSE, FALSE, "Cancel_Event" )<br />
   };<br />
<br />
   // Initialize the rest of the array...<br />
   //<br />
   for( int i = 1; i <= NUM_PATHS; i++ )<br />
   {<br />
      arHandles[i] = FindFirstChangeNotification( arPaths[ i - 1 ],<br />
         bWatchSubDir, dwFilter );<br />
   }<br />
<br />
   // Now let's start watching for changes...<br />
   //<br />
   BOOL bContinue = TRUE;<br />
<br />
   do<br />
   {<br />
      DWORD dwWait = WaitForMultipleObjects( NUM_PATHS + 1,<br />
         arHandles, FALSE, INFINITE );<br />
<br />
      if( WAIT_OBJECT_0 == dwWait )<br />
      {<br />
         // Cancelled!<br />
         bContinue = FALSE;<br />
      }<br />
      else<br />
      {<br />
         // If dwWait is not between WAIT_OBJECT_0 + 1 and<br />
         // WAIT_OBJECT_0 + NUM_PATHS, then an error has<br />
         // occurred...<br />
         //<br />
         bContinue = ( dwWait > WAIT_OBJECT_0 && <br />
            dwWait <= ( WAIT_OBJECT_0 + NUM_PATHS ) );<br />
<br />
         if( bContinue )<br />
         {<br />
            // Notification received - do something...<br />
            DoSomethingFool();<br />
<br />
            // ...and then wait for the next notification(s)<br />
            bContinue = FindNextChangeNotification(<br />
               arHandles[ dwWait - WAIT_OBJECT_0 ] );<br />
         }<br />
      }<br />
   }<br />
   while( bContinue );<br />
<br />
   // Close the "Cancel" event handle<br />
   CloseHandle( arHandles[ 0 ] );<br />
<br />
   // Close the notification handles...<br />
   //<br />
   for( i = 1; i <= NUM_PATHS; i++ )<br />
   {<br />
      FindCloseChangeNotification( arHandles[i] );<br />
   }<br />
}<br />

look at my reply in Re: No way to exit ReadDirectoryChangesW

How can I capture the output in a txt file for later analysis?

Thanks for the question.

Just open text file at the begin of thread route
and write messages(each time as InsertItem and SetItemText are called) to it.

CStdioFile f(file_name, openflags);
...
f.WriteString(message);
...
f.Close();

Vitali

modified on Tuesday, June 3, 2008 10:23 AM

Will it be possible to extract file location?

For example, we already knew there is a file called "explore.exe" be modified. But how to get the file location, such as the full path of directory. e.g. c:\Program file\Microsoft

Yes, this is simple. Just add to strings "Watched directory" and
Buffer[i].FileName in ThreadRoute1.

Vitali

modified on Tuesday, June 3, 2008 10:23 AM

Hi,
Is it possible to find out exactly when a file is copied. Now the demo project says that the file was modified when the file is copied to other location . But also if I open and close the file it says the same thing.

Is it posible to exactly find out file copy?

Rgds

`FILE_NOTIFY_CHANGE_FILE_NAME`	Any file name change in the watched directory or subtree causes a change notification wait operation to return. Changes include renaming, creating, or deleting a file.
`FILE_NOTIFY_CHANGE_DIR_NAME`	Any directory-name change in the watched directory or subtree causes a change notification wait operation to return. Changes include creating or deleting a directory.
`FILE_NOTIFY_CHANGE_ATTRIBUTES`	Any attribute change in the watched directory or subtree causes a change notification wait operation to return.
`FILE_NOTIFY_CHANGE_SIZE`	Any file-size change in the watched directory or subtree causes a change notification wait operation to return. The operating system detects a change in file size only when the file is written to the disk. For operating systems that use extensive caching, detection occurs only when the cache is sufficiently flushed.
`FILE_NOTIFY_CHANGE_LAST_WRITE`	Any change to the last write-time of files in the watched directory or subtree causes a change notification wait operation to return. The operating system detects a change to the last write-time only when the file is written to the disk. For operating systems that use extensive caching, detection occurs only when the cache is sufficiently flushed.
`FILE_NOTIFY_CHANGE_LAST_ACCESS`	Any change to the last access time of files in the watched directory or subtree causes a change notification wait operation to return.
`FILE_NOTIFY_CHANGE_CREATION`	Any change to the creation time of files in the watched directory or subtree causes a change notification wait operation to return.
`FILE_NOTIFY_CHANGE_SECURITY`	Any security-descriptor change in the watched directory or subtree causes a change notification wait operation to return.

Spying a file system

Introduction

How to create

Sample

Conclusion

License

Comments and Discussions