Question
I've written a simple filter driver that only cares about writes. The filter registers only IRP_MJ_WRITEs.
The filter driver whittles away writes it does not care about:
What I want to capture is all writes that would actually be written to disk.
Which writes should I care about?
Currently I am capturing all IRP and FAST_IO. But capturing both yields some duplication. Capturing just IRPs, I seem to miss some data, as does capturing only FAST_IO.
I've read http://msdn.microsoft.com/en-us/library/ff548576.aspx ("IRPs Are Different From Fast I/O"), but this did not clarify my empirical data.
What I am attempting to do is to perform the equivalence of "tee" at the filter driver level.
Solution
It appears that I misunderstood the relationship between the packets coming through the filter driver and what ultimately gets written to disk.
The solution here is to addend the packet being sent to user mode with more information like offset -- and then apply some dedup detection on the resulting writes. It is also possible for the packets to come out of order; so some care was necessary to handle this situation as well.
https://stackoverflow.com/questions/17538014
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian