
Hooking CreateFile()

Hello:
Is there any way my application can know what files are being opened by other applications that are currently running? I saw a sample in a DDJ CD that would give me a list of all currently open files. But some applications keep the document open even after they close the associated file. So somehow I need to get a notification when the file is initially opened so that I can hold on to the filename even after it is closed.
--regards
Rajesh Vijayakumar
 
nietod Commented:
Take a look at FindFirstChangeNotification().

Let me know if you have questions.
0
 
nietod Commented:
Sorry, I'm wrong about that.  I thought it was possible to monitor the opening of files with that.  It allows you to monitor changes to files, but not opening of files.  This probably is not what you need.  (Although you might want to look into it all the same.)
0
 
vijayk (Author) Commented:
FindFirstChangeNotification() is not what I am looking for. (Wouldn't it be great if it gave the file open notification also!). Another thing I forgot to mention is that the solution has to work with Windows NT4. I don't care if it works with Win95 or not.
0
 
jkr Commented:
Well, there's a utility available at www.sysinternal.com that is named 'NTFilemon' which monitors the file system activity by hooking kernel device objects, e.g.:
        //
        // The file system's device hasn't been hooked already, so make a hooking device
        //  object that will be attached to it.
        //
        ntStatus = IoCreateDevice( DriverObject,
                    sizeof(HOOK_EXTENSION),
                    NULL,
                    fileSysDevice->DeviceType,
                    0,
                    FALSE,
                    &hookDevice );
        if( !NT_SUCCESS(ntStatus) ) {

            //
            // hookDevice is not valid on failure, so it must not be dereferenced.
            // (Returning FALSE assumes the enclosing routine, which this excerpt
            // does not show, returns BOOLEAN.)
            //
            return FALSE;
        }

        //
        // Clear the device's init flag as per NT DDK KB article on creating device
        // objects from a dispatch routine
        //
        hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;

        //
        // Setup the device extensions. The drive letter and file system object are stored
        // in the extension.
        //
        hookExtension = hookDevice->DeviceExtension;
        hookExtension->LogicalDrive = 'A'+Drive;
        hookExtension->FileSystem   = fileSysDevice;

        //
        // Finally, attach to the device. The second we're successfully attached, we may
        // start receiving IRPs targeted at the device we've hooked.
        //
        ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );
        if( !NT_SUCCESS(ntStatus) ) {

            //
            // The attach failed: delete the hook device rather than leak it.
            //
            IoDeleteDevice( hookDevice );
            return FALSE;
        }

The full source code is also available, but it is implemented as a kernel driver - so if you don't mind that ;-)
0
 
vijayk (Author) Commented:
Hi,
I haven't written any kernel mode drivers yet so I feel a bit nervous about that. I am temporarily rejecting your answer so that other people get a chance to give a simpler answer (if there is any). I was looking for something like the IFSMgr_InstallFileSystemApiHook() available in win95. If nobody gives a better answer within two days, I will accept your answer. Sorry about this but I want to make absolutely sure that there is no simpler way of doing this before writing a device driver.
--regards
Rajesh Vijayakumar
0
 
jkr Commented:
I can understand this - but as (IMHO) there is no method available, i think you'll have to follow this way...

Ooops, did i say there is _no_ other method... well, i can think of another one or 2, but they _really_ are rude (and i don't even know if i'd want to follow it ;-) :
1. Replace kernel32.dll with your own version to intercept all incoming API calls and pass them through to the original DLL (lots of work!)
2. create a DLL that is mapped into the address space of all running processes (see injlib.exe 'ftp://ftp.microsoft.com/softlib/mslfiles/INJLIB.EXE' and MS Systems Journal May '94 'Load Your 32-bit DLL into Another Process's Address Space Using INJLIB' at 'http://www.microsoft.com/msj') and patch the function tables so that the 'CreateFile()' API call is redirected to one of your functions before you pass them through to the original function (If that is what you choose to do, i could even give you some code that illustrates this).
0
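The function-table redirection described in option 2 above, reduced to a portable model (an added example, not part of the thread and not jkr's sample). `import_slot` stands in for a process's import-table entry for `CreateFile()`; `real_open`, `hooked_open`, `install_hook`, the watch list and the `seen` table are hypothetical names with constructed paths. It shows the pass-through pattern and the name retention the question asks for, and it only observes callers in the process whose table was redirected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for one import-table slot: callers reach the API only through it. */
typedef int (*open_fn)(const char *path);
static int real_open(const char *path) { (void)path; return 3; } /* fake handle */
open_fn import_slot = real_open;
static open_fn original_open;            /* saved for the pass-through */

/* Constructed watch list, standing in for the files the user specifies. */
static const char *watched[] = { "C:\\docs\\report.doc", "C:\\docs\\budget.xls" };
char seen[16][260];                      /* kept after the file is closed */
int seen_count;

/* Windows paths compare case-insensitively, so the matching must too. */
static int same_path(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

static void remember(const char *path) {
    for (int i = 0; i < seen_count; i++)
        if (same_path(seen[i], path)) return;   /* already recorded */
    if (seen_count < 16 && strlen(path) < sizeof seen[0])
        strcpy(seen[seen_count++], path);
}

/* Replacement: record watched names, then forward the call unchanged. */
static int hooked_open(const char *path) {
    for (size_t i = 0; i < sizeof watched / sizeof watched[0]; i++)
        if (same_path(watched[i], path)) remember(path);
    return original_open(path);
}

/* Redirect the slot once; a second install must not chain the hook to itself. */
void install_hook(void) {
    if (import_slot == hooked_open) return;
    original_open = import_slot;
    import_slot = hooked_open;
}

int main(void) {
    install_hook();
    import_slot("c:\\DOCS\\Report.doc");     /* watched, different case */
    import_slot("C:\\temp\\scratch.tmp");    /* not watched */
    printf("%d watched file(s) recorded: %s\n", seen_count, seen[0]);
    return 0;
}
```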
 
Mirkwood Commented:
Go to www.sysinternals.com and download filemon or ntfilemon. It comes with complete source and does what you want.
0
 
jkr Commented:
Mirkwood - didn't you read the question's history? I already suggested this .....
0
 
Mirkwood Commented:
Oops, you're so right. Well, this basically answers your question. I didn't read the history.
0
 
vijayk (Author) Commented:
hi, sorry for rejecting your correct answer but the points belong to jkr since he answered first. jkr: please post a dummy answer and claim your points. I downloaded the source code of FileMon and I think I don't have to write a device driver of my own. I could just use theirs. (provided the authors allow it).
thank you all,
Rajesh Vijayakumar
0
 
jkr Commented:
Thanks Rajesh!
BTW: If you are interested in only some processes using 'CreateFile()', the 'INJLIB' method i mentioned earlier would be a really good idea - and i've got even a working sample that does exactly what you want (regarding the hooking of 'CreateFile()'), i just didn't think of it because of the 'global' hooking context. If you'd like to get the example, simply post your email and i'll send it to you...
0
 
vijayk (Author) Commented:
Hi jkr,
What I need is a system wide hook. Basically, the user will specify a set of files on their hard drive and my application has to get notified when any of these files are opened by any application. If the sample is applicable in such a situation, please send it to vijayk@cswl.com
Thanks once again for helping me out.
Rajesh Vijayakumar
0
 
jkr Commented:
OK Rajesh, you'll get it tomorrow, as i have to head home fast now (10pm here ;-)
0
Question has a verified solution.
