Hello, sergey77666, you wrote: S> Hello, _f_b_i _, you wrote:>> and most likely in NonPagedPool S> See a head subject. S> global variable UNICODE_STRING, each 5-30 mines is loaded in a broad gull and cleared. I PLAN to make so. Yet did not make. Here it is a question not of a method of representation of your buffer, and about a storage type which it will be used for storage: PagedPool or NonPagedPool> So that there was a broad gull. Called to replace a broad gull , at first, not to waste time on adjustment WinDbg (and setting generally),> secondly, less braked on feeble iron (without it is possible to live, without a broad gull is not present and for the sake of only one it it is necessary to suffer with WinDbg), thirdly in an amicable way the broad gull is all the same necessary. WinDbg the first that you should deliver and draw this productively to write and debug the driver. It is possible certainly and to write a broad gull, but efficiency of such debugging especially if falls in BSOD much more low, rather than to deliver WinDbg and to search for the reason on a place. And then with it especially also it is not necessary, if with a studio debugger you are on friendly terms - WinDbg it is possible to tell lite the version of that debugger though it is much more possibilities than at studio. S> and here... Well, in an ideal not to lose. But how? To write to a file directly in filters? Complicates architecture (to avoid the recursion), decelerates high-speed performance, especially on HDD. If it is a question about a broad gull - that is possible or DbgView - he is able to store a broad gull in storage and at BSOD to draw out it from MEMORY.DMP at the following loading. If all the same about a broad gull of events which need to be intercepted - that I think a variant with service would be extremely pertinent.>> consider a variant with working service S> the Customer rejected. Well your business is finite, simple you to it still such thing explain: now the broad gull of discoveries/closings of files is necessary to you only. Tomorrow that is required that still, then still as still... Accordingly the format of saving of a file or a condition of its saving on a disk most likely exchanges. All it can lead to unjustified complication of logic of operation of the driver and as result to possible errors and embarkations. And so wrote the driver the filter which only stores in storage and produces that that on demand, and the difficult logic of analysis, saving and whether a little that else does already user-mode application or service.>> so It will not occupy from you and the driver much NonPaged storage for events S> it and so it will not be strong to occupy much. Simply estimate an amount of events and necessary storage for 5-30 minutes a broad gull in storage selected with the driver.