Is there any sample code of link that I can use to sparse the MFT record in kernel mode.

Question

0.00/5 (No votes)

See more:

Hello folks,

I am trying to track certain files attributes modification at sector level in kernel mode. I choose this because I had troubles getting them from mini filter and also because mini filter deal with files and not sectors.
So I would really appreciate if anyone here could help me with anything to parse the MFT in kernel mode.

Any hint?

Thank you.

What I have tried:

I have tried the following.
1) In a mini filter through the use of file stream context, tried to retrieve a context that I have allocate in post write when the file was successfully open for write access, I wasn't able to see R/W targeting the MFT (maybe there is a problem with my design, I will continue trying fixing it.)

2) I have also tried to retrieve the cluster list of the MFT in my driver but It gave me access denied error

Posted 20-Apr-16 22:07pm

Wshwilfried

Add a Solution

Comments

enhzflep 21-Apr-16 13:27pm

What are you actually trying to achieve by doing this? I can't think of a valid reason for it at the moment. Everything I can think of is undesirable from a users point of view.

Wshwilfried 21-Apr-16 20:11pm

Hello,
My end goal is to track modifications made on certain set of files that I monitor in a mini filter and track their respective sectors at disk level with another driver. I have started to implement it but I had some failure to track sectors of resident files this including file attributes etc that are embedded within the base file record. So I came to the conclusion that If I found a way to track the sectors representing those file's attributes that would satisfy me, thus the post.

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)