Re: system monitoring

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Lloyd <lloydkl@xxxxxxxxx>
Date: Fri, 15 May 2009 02:17:14 -0700 (PDT)

You do not want kernel hooking since it cannot be done on 64-bit systems and
on 32-bit your software will be flagged by malware scanners. If you want
to see file operations, you need a file system filter, go tohttp://www.osronline.comand join NTFSD that is where the file system folks
hang out. This is tough stuff and is hard to do right.

Is hooking not possible on 64bit systems? (applicable to 64bit Linux
as well?). What alternative does they provide? Whether "filter
drivers" are the plausible solution? Can I use filter drivers for
monitoring whole system activities ?(like network, filesystem, new
application installation, external devices...)

Thanks,
Lloyd
.

Follow-Ups:
- Re: system monitoring
  - From: Volodymyr Shcherbyna
- Re: system monitoring
  - From: daniel

References:
- system monitoring
  - From: Lloyd
- Re: system monitoring
  - From: Kerem Gümrükcü
- Re: system monitoring
  - From: Lloyd
- Re: system monitoring
  - From: Don Burn

Prev by Date: Re: system monitoring
Next by Date: Re: system monitoring
Previous by thread: Re: system monitoring
Next by thread: Re: system monitoring
Index(es):
- Date
- Thread

Relevant Pages

Re: USB device driver
... Rajeev Nagar's book, Windows NT File System Internals, while older and does nto contain info on file system manager filters, is a great place to start. ... Please do not send e-mail directly to this alias. ... system filters managed by the FS filter manager. ...
(microsoft.public.development.device.drivers)
Re: Synchronising read and write ops
... Third consider using a mini-filter model filter driver. ... I am writing a very basic on the fly encryption file system filter driver ... Reading and writing the header as part of non-cached and paging ...
(microsoft.public.development.device.drivers)
Re: USB device driver
... I am new to file system concepts.I think I have to go back to wdk doc. ... if you are below the FS you can easily encrypt the MBR or ... Please do not send e-mail directly to this alias. ... Do you mean to say that I should write a upper filter driver for file ...
(microsoft.public.development.device.drivers)
Re: how to modify Irp in IRP_MJ_CREATE?
... that a filter does not have, this call is really for File Systems. ... and file system filter questions. ... I am wondering if there is something else I should do after modifying the ... I tried to use the IoUpdateShareAccess() with the following values ...
(microsoft.public.development.device.drivers)
Re: Filter driver for CD Read/Write activity
... > My objective is to prevent user to burn certain files into CD .For this I ... > need to find out the way of monitoring CD burn.I have written file system ... > filter driver.But writes/burns to CD are not passing through file system ... >>> by writing a kind of filter driver? ...
(microsoft.public.development.device.drivers)