can i read file when this file is processing IRP_MJ_WRITE

feizzer 120 Reputation points
2023-08-23T08:08:58.82+00:00

How do I monitor a file and achieve that whenever a IRP_MJ_WRITE is completed, I immediately get the contents of the current file

Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,604 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. 2023-09-18T09:08:27.9+00:00

    Hello

    Yes, you can read a file while it’s being processed for IRP_MJ_WRITE. However, you need to be careful as the code running at DPC/dispatch level can’t wait on an object.

    To monitor a file and get its contents immediately after an IRP_MJ_WRITE is completed, you could try building an IRP with major code IRP_MJ_READ and send it to the underlying driver.

    You might also want to consider using a minifilter. In a minifilter, you can monitor for file writes and test file data before and after a write. For example, when looking at a mapped file, you could first monitor IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check the data in the file, then monitor IRP_MJ_CLEANUP and check for a change in the file data.

    Remember that Windows kernel may not write file data immediately to the disk in/after IRP_MJ_CLOSE, so you might not see changes immediately.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.