1

Topic: What is the best way to write to a file on a timer in a minifilter driver?

A while (true) loop with KeDelayExecutionThread in DriverEntry is wrong, since the service would then be stuck in the "starting" state forever. But how do I create a thread, and what do I do about the buffer? The plan is this:
- the buffer is declared as a global UNICODE_STRING variable outside any function and initialised to L"";
- the filter adds certain lines to it;
- on the timer it is checked whether the buffer is still empty, and if it is not, a file is formed and opened, the buffer is written to it, the file is closed, and the buffer is initialised to L"" again.

Just in case, the code that creates that file:

    OBJECT_ATTRIBUTES objAttr;
    InitializeObjectAttributes(&objAttr, &filePath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    return ZwCreateFile(hFile,                        /* receives the file handle */
                        GENERIC_ALL,                  /* DesiredAccess */
                        &objAttr,
                        ioStatusBlock,
                        NULL,                         /* AllocationSize */
                        FILE_ATTRIBUTE_NORMAL,
                        0,                            /* ShareAccess: 0 = nobody else may open the file while the handle is held */
                        FILE_OVERWRITE_IF,            /* overwrite if the file exists, otherwise create it */
                        FILE_SYNCHRONOUS_IO_NONALERT,
                        NULL, 0);                     /* no extended attributes */
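As an added example, not code from this thread or from any of its posters, here is the accumulate-then-flush logic the plan above describes, written in plain user-mode C so it can be compiled and run outside a driver. The kernel-specific pieces are replaced by stand-ins and are assumptions of the example: a fixed-size char buffer instead of a global UNICODE_STRING, a file_sink_t struct instead of the ZwCreateFile/ZwWriteFile/ZwClose sequence, and constructed sample event lines instead of real minifilter callback data. The point it demonstrates is the one a fixed buffer fed from filter callbacks needs: an event that does not fit is refused whole (no growth, no overrun), the number of refused events is recorded and written out on the next flush so the loss is visible in the log, the file is not touched at all when the buffer is empty, and a final flush happens at unload.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size accumulation buffer; assumption of this example. In the driver
   this would be a global allocation (PagedPool vs NonPagedPool is discussed
   later in the thread) guarded by a lock, since callbacks and the timer
   thread both touch it. */
#define LOG_CAPACITY 256

typedef struct {
    char   data[LOG_CAPACITY];
    size_t len;      /* bytes currently buffered */
    size_t dropped;  /* events refused since the last flush because they did not fit */
} log_buffer_t;

/* User-mode stand-in for the log file (ZwCreateFile/ZwWriteFile/ZwClose),
   so the written result can be inspected offline. */
typedef struct {
    char   out[4096];
    size_t len;
} file_sink_t;

static void log_init(log_buffer_t *b) { memset(b, 0, sizeof *b); }

/* Called from the filter callback: append one line plus '\n', or refuse it
   whole. Nothing is ever written past the end of the fixed buffer. */
static bool log_append(log_buffer_t *b, const char *line)
{
    size_t n = strlen(line);
    if (n + 1 > LOG_CAPACITY - b->len) {
        b->dropped++;
        return false;
    }
    memcpy(b->data + b->len, line, n);
    b->len += n;
    b->data[b->len++] = '\n';
    return true;
}

static void sink_write(file_sink_t *s, const char *p, size_t n)
{
    if (s->len + n <= sizeof s->out) {
        memcpy(s->out + s->len, p, n);
        s->len += n;
    }
}

/* Called on each timer tick and once more at unload: do not open the file
   when nothing is buffered; otherwise write the buffer, note how many events
   were lost, and reset the buffer (the "initialise to L"" again" step). */
static bool log_flush(log_buffer_t *b, file_sink_t *sink)
{
    if (b->len == 0)
        return false;
    sink_write(sink, b->data, b->len);
    if (b->dropped > 0) {
        char note[64];
        int k = snprintf(note, sizeof note, "[%zu event(s) dropped]\n", b->dropped);
        if (k > 0)
            sink_write(sink, note, (size_t)k);
    }
    b->len = 0;
    b->dropped = 0;
    return true;
}

/* Drives the pieces the way the driver would: callbacks append between
   ticks, the worker thread flushes on each tick and once more at unload.
   Event lines are constructed sample data. Returns the number of real writes. */
static int simulate(file_sink_t *sink)
{
    log_buffer_t buf;
    int writes = 0;
    log_init(&buf);

    writes += log_flush(&buf, sink);                 /* empty tick: file not opened */
    log_append(&buf, "IRP_MJ_CREATE \\??\\C:\\a.txt");
    log_append(&buf, "IRP_MJ_CLOSE  \\??\\C:\\a.txt");
    writes += log_flush(&buf, sink);                 /* tick with two events */
    for (int i = 0; i < 50; i++)                     /* burst: more than fits before the next tick */
        log_append(&buf, "IRP_MJ_CREATE \\??\\C:\\burst.txt");
    writes += log_flush(&buf, sink);                 /* 8 lines fit, 42 are reported as dropped */
    log_append(&buf, "FilterUnload");
    writes += log_flush(&buf, sink);                 /* final flush before the thread exits */
    return writes;
}

int demo_write_count(void)
{
    file_sink_t sink = {{0}, 0};
    return simulate(&sink);
}

int demo_drop_note_present(void)
{
    file_sink_t sink = {{0}, 0};
    simulate(&sink);
    return strstr(sink.out, "[42 event(s) dropped]") != NULL;
}

int main(void)
{
    file_sink_t sink = {{0}, 0};
    int writes = simulate(&sink);
    fwrite(sink.out, 1, sink.len, stdout);
    printf("writes=%d\n", writes);
    return 0;
}
```

Compile with `cc -std=c99 -Wall log_flush_demo.c` and run it; the output is the three flushed batches followed by `writes=3`. Whatever capacity the real driver picks, the refuse-and-count behaviour is what keeps a callback-fed buffer from becoming a memory growth or overrun problem, and the dropped-count line is what lets the person reading the log know it is incomplete.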

2

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, sergey77666, you wrote:
S> - on the timer it is checked whether the buffer is still empty, and if it is not, a file is formed and opened, the buffer is written to it, the file is closed, and the buffer is initialised to L"" again
Why open/close the log file on every timer tick? Open it once and write to it as the logic of operation requires. Besides, opening/closing the file again passes through your filter driver, plus an extra own/foreign check on it = as a result, extra operations and extra load on the system.

3

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, _f_b_i_, you wrote:
___> Hello, sergey77666, you wrote:
S>> - on the timer it is checked whether the buffer is still empty, and if it is not, a file is formed and opened, the buffer is written to it, the file is closed, and the buffer is initialised to L"" again
___> Why open/close the log file on every timer tick? Open it once and write to it as the logic of operation requires. Besides, opening/closing the file again passes through your filter driver, plus an extra own/foreign check on it = as a result, extra operations and extra load on the system.
The timer will fire rarely enough, maybe every 5 minutes, or even 30; in the meantime I want to be able to look at the log, and no way if it is held open. In this case the own/foreign check is not needed: only specific file names get into the log, this file will not be among them, and if it does get added to the config, fine, let it appear in the log; I do not write the file from there, so there will be no recursion.

4

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, sergey77666, you wrote:
___>> Why open/close the log file on every timer tick? Open it once and write to it as the logic of operation requires. Besides, opening/closing the file again passes through your filter driver, plus an extra own/foreign check on it = as a result, extra operations and extra load on the system.
S> The timer will fire rarely enough, maybe every 5 minutes, or even 30; in the meantime I want to be able to look at the log, and no way if it is held open.
Then don't open it for writing in exclusive mode, and it will be possible to look at it.

5

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, m2l, you wrote:
m2l> Hello, sergey77666, you wrote:
___>>> Why open/close the log file on every timer tick? Open it once and write to it as the logic of operation requires. Besides, opening/closing the file again passes through your filter driver, plus an extra own/foreign check on it = as a result, extra operations and extra load on the system.
S>> The timer will fire rarely enough, maybe every 5 minutes, or even 30; in the meantime I want to be able to look at the log, and no way if it is held open.
m2l>
m2l> Then don't open it for writing in exclusive mode, and it will be possible to look at it.
But it opens a new file each time anyway, good Lord! It was written: "forms and opens".

6

Re: What is the best way to write to a file on a timer in a minifilter driver?

S> A while (true) loop with KeDelayExecutionThread in DriverEntry is wrong, since the service would then be stuck in the "starting" state forever.
https://msdn.microsoft.com/en-us/librar … e/ff559932 (v=vs.85).aspx

7

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, ononim, you wrote:
S>> A while (true) loop with KeDelayExecutionThread in DriverEntry is wrong, since the service would then be stuck in the "starting" state forever.
O> https://msdn.microsoft.com/en-us/librar … e/ff559932 (v=vs.85).aspx
^^ And how is the thread to be terminated at unload?

8

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, sergey77666, you wrote:
S> Hello, _f_b_i_, you wrote:
S> The timer will fire rarely enough, maybe every 5 minutes, or even 30; in the meantime I want to be able to look at the log, and no way if it is held open.
S> In this case the own/foreign check is not needed: only specific file names get into the log, this file will not be among them, and if it does get added to the config, fine, let it appear in the log; I do not write the file from there, so there will be no recursion.
Something tells me the logic of your driver "suffers" a little, because some time ago you were very worried that *WriteFile would not have time to flush the buffer to disk if a BSOD suddenly happened, and now you plan to store tons of events in the driver (and most likely in NonPagedPool) which get dumped to disk once every 5-30 minutes? So now we are no longer worried that the data will be lost? And be more careful with the "white list" check in the callbacks of whom to log and whom not, because if you get it wrong you will pay for it in the performance of the whole system. Drivers demand a more thought-out approach; writing them by analogy with [...], where nobody cares about anything and the main thing is to knock it out quickly, does not work here. Consider a variant with a service that communicates with the driver through IOCTL: it waits for an event from the driver, and when the driver is ready to hand information to the service, it signals the event and transfers the data to the service on request via IOCTL. That way the driver will not take up much NonPaged memory for events, and the service will update the log file almost instantly.

9

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, _f_b_i_, you wrote:
> and most likely in NonPagedPool
See the first post. A global UNICODE_STRING variable; every 5-30 minutes it is dumped to the log and cleared. I PLAN to do it that way. It is not done yet.
> So now we are no longer worried that the data will be lost?
That is what the log is for. It is meant to replace the debugger: firstly, so as not to waste time on configuring WinDbg (and on installing it in general); secondly, it slows weak hardware down less (one can live without a debugger, one cannot live without a log, and for the sake of that alone one has to suffer with WinDbg); thirdly, in a good design a log is needed anyway. And here... Well, ideally nothing would be lost. But how? Write to the file directly in the filters? That complicates the architecture (to avoid recursion) and slows performance, especially on an HDD.
> Consider a variant with a service
The customer rejected it.
> That way the driver will not take up much NonPaged memory for events
It will not take up much as it is.

10

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, sergey77666, you wrote:
S> Hello, _f_b_i_, you wrote:
>> and most likely in NonPagedPool
S> See the first post.
S> A global UNICODE_STRING variable; every 5-30 minutes it is dumped to the log and cleared. I PLAN to do it that way. It is not done yet.
The question here is not about how your buffer is represented but about the type of memory that will be used to store it: PagedPool or NonPagedPool.
> That is what the log is for. It is meant to replace the debugger: firstly, so as not to waste time on configuring WinDbg (and on installing it in general);
> secondly, it slows weak hardware down less (one can live without a debugger, one cannot live without a log, and for the sake of that alone one has to suffer with WinDbg); thirdly, in a good design a log is needed anyway.
WinDbg is the first thing you should install and learn in order to write and debug drivers productively. Of course you can write a log as well, but the efficiency of such debugging, especially if it ends in a BSOD, is much lower than installing WinDbg and looking for the cause on the spot. And there is nothing particularly hard about it if you are on friendly terms with the Visual Studio debugger; WinDbg could be called a lite version of that debugger, though it has far more capabilities than the studio does.
S> And here... Well, ideally nothing would be lost. But how? Write to the file directly in the filters? That complicates the architecture (to avoid recursion) and slows performance, especially on an HDD.
If this is about a debug log, then you can use DbgView, which can keep the log in memory and, after a BSOD, pull it out of MEMORY.DMP at the next boot. If it is about a log of the events that need to be intercepted, then I think the variant with a service would be extremely appropriate.
>> Consider a variant with a service
S> The customer rejected it.
Well, that is your business of course, only explain one more thing to them: right now you only need a log of file opens/closes. Tomorrow something else will be required, then something else, and so on... Accordingly, the format in which the file is saved, or the condition for saving it to disk, will most likely change. All this can lead to unjustified complication of the driver's logic and, as a result, to possible errors and crashes. Whereas this way you would write a filter driver that only stores events in memory and hands them out on demand, and the complicated logic of analysis, saving and whatever else is done by a user-mode application or service.
>> That way the driver will not take up much NonPaged memory for events
S> It will not take up much as it is.
Just estimate the number of events and the memory needed to hold 5-30 minutes of log in memory allocated by the driver.

11

Re: What is the best way to write to a file on a timer in a minifilter driver?

Hello, _f_b_i_, you wrote:
___> The question here is not about how your buffer is represented but about the type of memory that will be used to store it: PagedPool or NonPagedPool.
UNICODE_STRING buffers are always allocated either in NonPagedPool or in NonPagedPoolNx. I will use the first.
___> WinDbg is the first thing you should install and learn in order to write and debug drivers productively.
A budget laptop + VirtualBox + WinDbg + screen video recording for the customer = sheer hell, and then cutting half an hour of lag out of the video in the editor. Better without WinDbg.

12

Re: What is the best way to write to a file on a timer in a minifilter driver?

S> Hello, _f_b_i_, you wrote:
___>> The question here is not about how your buffer is represented but about the type of memory that will be used to store it: PagedPool or NonPagedPool.
S> UNICODE_STRING buffers are always allocated either in NonPagedPool or in NonPagedPoolNx
And who told you such nonsense?