I am developing an upper volume filter driver; it monitors the read/write blocks of a volume. I am getting the volume offset and 1st sector (LBA) from it when any read/write happens. How can I obtain the file name from the volume offset or 1st sector using C/C++? Any kind of help is appreciated. Thanks in advance.
Obtain file name from volume offset or sector (Windows)
1.7k Views Asked by Jorge Chon At
It is almost possible, sort of. You can enumerate all the files on a volume using this code. (Warning: some of the printf functions use %lu when they should be using %I64u, so some of the information being printed is wrong, most notably the file reference numbers; I believe the main logic is OK though.)
For each file you find, you can use FSCTL_GET_RETRIEVAL_POINTERS to find its location on disk.
So you could build a database ahead of time. You could keep it mostly up to date using FSCTL_READ_USN_JOURNAL rather than having to constantly rescan the entire disk.
However, even having identified the file that used to be at a given location, you would then need to check it again in case it has been moved. The USN journal probably does not record when files are relocated on the disk without being logically modified.
And, even then, there's no guarantee that the file wasn't moved away and then moved back before you checked it. Or a file might be created and then deleted again before you have a chance to collect any data for it at all.
So, basically: No. You can't do that.
(There may be some scenarios where another solution is possible. For example, if your driver can snapshot the contents of the volume at the point of interest, you could examine the snapshot to determine the file in question. You'd have to include your own NTFS stack, though. You might be able to borrow the NTFS code from Linux. Basically still more effort than it is likely to be worth.)
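The "database built ahead of time" from the answer above can be sketched as a sorted extent index; this is an added example in portable C, not code from the original answer. The Extent struct only mirrors the meaning of the extent entries that FSCTL_GET_RETRIEVAL_POINTERS returns, every other name (Run, Index, Hit, index_add, index_lookup, sample_index) is hypothetical, the sample extents are constructed, and the staleness problem the answer describes is not solved here.

```c
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
/* Field meanings follow one Extents[] entry of RETRIEVAL_POINTERS_BUFFER. */
typedef struct { int64_t next_vcn, lcn; } Extent;
/* Volume clusters [lcn, lcn+count) hold file `frn`, starting at file cluster `vcn`. */
typedef struct { int64_t lcn, count, vcn; uint64_t frn; } Run;
typedef struct { Run runs[64]; size_t n; } Index;   /* fixed size: example only */
typedef struct { int found; uint64_t frn, file_off; } Hit;
/* Add one file's extents; lcn == -1 is a sparse/compressed hole with no disk clusters. */
static int index_add(Index *ix, uint64_t frn, int64_t vcn, const Extent *e, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (e[i].lcn != -1) {
            if (ix->n == 64) return -1;
            ix->runs[ix->n++] = (Run){ e[i].lcn, e[i].next_vcn - vcn, vcn, frn };
        }
        vcn = e[i].next_vcn;             /* next extent starts where this one ends */
    }
    return 0;
}
static int cmp_run(const void *a, const void *b) {
    int64_t x = ((const Run *)a)->lcn, y = ((const Run *)b)->lcn;
    return (x > y) - (x < y);
}
/* Map a volume byte offset to (file reference number, byte offset within the file). */
static Hit index_lookup(const Index *ix, uint64_t vol_off, uint32_t cluster) {
    int64_t lcn = (int64_t)(vol_off / cluster);
    size_t lo = 0, hi = ix->n;
    while (lo < hi) {                    /* lo ends at the first run starting after lcn */
        size_t mid = lo + (hi - lo) / 2;
        if (ix->runs[mid].lcn <= lcn) lo = mid + 1; else hi = mid;
    }
    if (lo == 0 || lcn >= ix->runs[lo - 1].lcn + ix->runs[lo - 1].count)
        return (Hit){ 0, 0, 0 };         /* free space, metadata, or a stale index */
    const Run *r = &ix->runs[lo - 1];
    return (Hit){ 1, r->frn, (uint64_t)(r->vcn + lcn - r->lcn) * cluster + vol_off % cluster };
}
/* Constructed sample: two files, 4096-byte clusters; file 0x51 has a hole at VCN 4-5. */
static const Index *sample_index(void) {
    static Index ix; ix.n = 0;           /* rebuilt on every call */
    const Extent a[] = { {4, 1000}, {6, -1}, {10, 5000} }, b[] = { {8, 1004} };
    index_add(&ix, 0x51, 0, a, 3); index_add(&ix, 0x52, 0, b, 1);
    qsort(ix.runs, ix.n, sizeof(Run), cmp_run);
    return &ix;
}
int main(void) {
    Hit h = index_lookup(sample_index(), 5001ull * 4096 + 100, 4096);
    printf("found=%d frn=0x%" PRIx64 " file_off=%" PRIu64 "\n", h.found, h.frn, h.file_off);
    return 0;
}
```

A miss from index_lookup is a normal outcome, and a hit only says which file owned the cluster when the index was built, so it needs re-checking against the file's current extents.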