|
|
<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head> <meta http-equiv=Content-Type content="text/html; charset=windows-1252"> <meta name=ProgId content=Word.Document> <meta name=Generator content="Microsoft Word 10"> <meta name=Originator content="Microsoft Word 10"> <link rel=File-List href="usrGuide_files/filelist.xml"> <title>FileSpy Documentation</title> <!--[if gte mso 9]><xml> <w:WordDocument> <w:SpellingState>Clean</w:SpellingState> <w:GrammarState>Clean</w:GrammarState> <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel> </w:WordDocument> </xml><![endif]--> <style> <!--
/* Font Definitions */ @font-face {font-family:Wingdings; panose-1:5 0 0 0 0 0 0 0 0 0; mso-font-charset:2; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:0 268435456 0 0 -2147483648 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-parent:""; margin-top:0in; margin-right:0in; margin-bottom:12.0pt; margin-left:0in; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} h1 {mso-style-next:Normal; margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; mso-pagination:widow-orphan; page-break-after:avoid; mso-outline-level:1; font-size:16.0pt; font-family:Arial; mso-font-kerning:16.0pt;} h2 {mso-style-next:Normal; margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; mso-pagination:widow-orphan; page-break-after:avoid; mso-outline-level:2; font-size:14.0pt; font-family:Arial; font-style:italic;} h3 {mso-style-next:Normal; margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; mso-pagination:widow-orphan; page-break-after:avoid; mso-outline-level:3; font-size:13.0pt; font-family:Arial;} h4 {mso-style-next:Normal; margin-top:0in; margin-right:0in; margin-bottom:12.0pt; margin-left:0in; mso-pagination:widow-orphan; page-break-after:avoid; mso-outline-level:4; font-size:12.0pt; font-family:"Times New Roman"; font-style:italic;} h5 {mso-style-next:Normal; margin-top:0in; margin-right:0in; margin-bottom:12.0pt; margin-left:0in; mso-pagination:widow-orphan; page-break-after:avoid; mso-outline-level:5; font-size:12.0pt; font-family:"Times New Roman"; font-weight:normal; font-style:italic;} p.MsoList, li.MsoList, div.MsoList {margin-top:0in; margin-right:0in; margin-bottom:12.0pt; margin-left:.25in; text-indent:-.25in; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} p.MsoListBullet, li.MsoListBullet, div.MsoListBullet 
{mso-style-update:auto; margin-top:0in; margin-right:0in; margin-bottom:12.0pt; margin-left:.25in; text-indent:-.25in; mso-pagination:widow-orphan; mso-list:l1 level1 lfo2; tab-stops:list .25in; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} p.MsoListNumber, li.MsoListNumber, div.MsoListNumber {margin-top:0in; margin-right:0in; margin-bottom:12.0pt; margin-left:.25in; text-indent:-.25in; mso-pagination:widow-orphan; mso-list:l0 level1 lfo1; tab-stops:list .25in; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} p.MsoTitle, li.MsoTitle, div.MsoTitle {margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; text-align:center; mso-pagination:widow-orphan; mso-outline-level:1; font-size:16.0pt; font-family:Arial; mso-fareast-font-family:"Times New Roman"; mso-font-kerning:14.0pt; font-weight:bold;} p.MsoSubtitle, li.MsoSubtitle, div.MsoSubtitle {margin-top:0in; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; text-align:center; mso-pagination:widow-orphan; mso-outline-level:2; font-size:12.0pt; font-family:Arial; mso-fareast-font-family:"Times New Roman";} span.SpellE {mso-style-name:""; mso-spl-e:yes;} span.GramE {mso-style-name:""; mso-gram-e:yes;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} /* List Definitions */ @list l0 {mso-list-id:-120; mso-list-type:simple; mso-list-template-ids:-1758042056;} @list l0:level1 {mso-level-style-link:"List Number"; mso-level-tab-stop:.25in; mso-level-number-position:left; margin-left:.25in; text-indent:-.25in;} @list l1 {mso-list-id:-119; mso-list-type:simple; mso-list-template-ids:51275690;} @list l1:level1 {mso-level-number-format:bullet; mso-level-style-link:"List Bullet"; mso-level-text:\F0B7; mso-level-tab-stop:.25in; mso-level-number-position:left; margin-left:.25in; text-indent:-.25in; 
font-family:Symbol;} @list l2 {mso-list-id:199903965; mso-list-type:hybrid; mso-list-template-ids:-1574410710 67698693 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;} @list l2:level1 {mso-level-number-format:bullet; mso-level-text:\F0A7; mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in; font-family:Wingdings;} @list l3 {mso-list-id:209002705; mso-list-type:hybrid; mso-list-template-ids:1497250904 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;} @list l3:level1 {mso-level-number-format:bullet; mso-level-text:\F0B7; mso-level-tab-stop:.25in; mso-level-number-position:left; margin-left:.25in; text-indent:-.25in; font-family:Symbol;} @list l4 {mso-list-id:395669747; mso-list-type:hybrid; mso-list-template-ids:-718649080 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;} @list l4:level1 {mso-level-number-format:bullet; mso-level-text:\F0B7; mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in; font-family:Symbol;} @list l5 {mso-list-id:831259755; mso-list-type:hybrid; mso-list-template-ids:1497250904 67698703 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;} @list l5:level1 {mso-level-tab-stop:.25in; mso-level-number-position:left; margin-left:.25in; text-indent:-.25in;} @list l6 {mso-list-id:859125810; mso-list-type:hybrid; mso-list-template-ids:765208850 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;} @list l6:level1 {mso-level-number-format:bullet; mso-level-text:\F0B7; mso-level-tab-stop:.5in; mso-level-number-position:left; text-indent:-.25in; font-family:Symbol;} @list l7 {mso-list-id:1931545850; mso-list-type:hybrid; mso-list-template-ids:-42197664 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;} @list l7:level1 {mso-level-number-format:bullet; mso-level-text:\F0B7; mso-level-tab-stop:39.0pt; mso-level-number-position:left; 
margin-left:39.0pt; text-indent:-.25in; font-family:Symbol;} ol {margin-bottom:0in;} ul {margin-bottom:0in;} --> </style> <!--[if gte mso 10]>
<style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman";} </style> <![endif]--> </head>
<body lang=EN-US style='tab-interval:.5in'>
<div class=Section1>
<p class=MsoTitle>FileSpy Project</p>
<p class=MsoTitle>User Guide</p>
<p class=MsoTitle>Last updated: <!--[if supportFields]><span style='mso-element:
field-begin'></span><span style='mso-spacerun:yes'>�</span>TIME \@ "MMMM d, yyyy" <span style='mso-element:field-separator'></span><![endif]--><span style='mso-no-proof:yes'>April 6, 2001</span><!--[if supportFields]><span
style='mso-element:field-end'></span><![endif]--></p>
<p class=MsoTitle><o:p> </o:p></p>
<h1>Overview</h1>
<p class=MsoNormal>FileSpy is a tool that aids Installable File System (IFS) filter driver writers in understanding the I/O that is occurring in the system.<span style='mso-spacerun:yes'>&nbsp; </span>It allows the user to monitor both local and network drives to see what types of IRP and Fast I/O operations are executing in the system.</p>
<p class=MsoNormal>FileSpy was also developed as a useful example of how to write an IFS filter driver.<span style='mso-spacerun:yes'>&nbsp; </span>This driver sits in the I/O stack and records the relevant information for the I/O operations that are happening, such as the starting time, the completion time, return status, etc.<span style='mso-spacerun:yes'>&nbsp; </span>The filter driver was developed using the <span class=SpellE>sfilter</span> example code as a base, so you should see some similarity in their structure.<span style='mso-spacerun:yes'>&nbsp; </span>The main differences between these two example filters are:</p>
<p class=MsoListNumber><![if !supportLists]><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>The <span class=SpellE>sfilter</span> example consists of only a kernel mode driver.<span style='mso-spacerun:yes'>&nbsp; </span>FileSpy has both user mode and kernel mode components.<span style='mso-spacerun:yes'>&nbsp; </span>The kernel mode driver watches and records the meaningful I/O activity and then passes it up to the user mode application when data is requested.<span style='mso-spacerun:yes'>&nbsp; </span>The user mode application then displays this data to the user through the screen or by writing the log data to a file.</p>
<p class=MsoListNumber><![if !supportLists]><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Sfilter connects to all devices in the system as soon as the device is created and stays connected for as long as the system is running.<span style='mso-spacerun:yes'>&nbsp; </span>FileSpy connects to a device only when directed to by the user application or through a parameter in the registry.<span style='mso-spacerun:yes'>&nbsp; </span>It disconnects from the device when told to do so by the I/O Manager.<span style='mso-spacerun:yes'>&nbsp; </span>Due to the design of the I/O architecture, the user cannot directly tell the FileSpy driver to detach from the device.<span style='mso-spacerun:yes'>&nbsp; </span>When the kernel driver receives the command to disconnect, it just stops logging information for that device.<span style='mso-spacerun:yes'>&nbsp; </span>FileSpy can only truly detach from a device when commanded to do so by the I/O Manager.</p>
<p class=MsoListNumber><![if !supportLists]><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]><span class=SpellE>Sfilter</span> doesn’t actually do anything – it just shows a driver writer how to hook into all the possible places to watch IRP and Fast I/O communication.<span style='mso-spacerun:yes'>&nbsp; </span>FileSpy logs the I/O communication traffic in the system while trying to minimize its effect on the performance of the system.<span style='mso-spacerun:yes'>&nbsp; </span>The user application works with the kernel mode driver to display the I/O traffic to the user.</p>
<h1>Code Structure</h1>
<h2>Overview</h2>
<p class=MsoNormal>The FileSpy project can be broken down into four components:</p>
<p class=MsoListNumber style='margin-bottom:0in;margin-bottom:.0001pt; mso-list:l0 level1 lfo3'><![if !supportLists]><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Kernel-mode filter driver, <span class=SpellE><span style='font-family:"Courier New"'>FileSpy.sys</span></span></p>
<p class=MsoListNumber style='margin-bottom:0in;margin-bottom:.0001pt; mso-list:l0 level1 lfo3'><![if !supportLists]><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>User-mode application, <span style='font-family:"Courier New"'>FileSpy.exe</span></p>
<p class=MsoListNumber style='margin-bottom:0in;margin-bottom:.0001pt; mso-list:l0 level1 lfo3'><![if !supportLists]><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Install method, <span class=SpellE><span style='font-family:"Courier New"'>FileSpy.inf</span></span></p>
<h2>Kernel-mode Filter Driver</h2>
<p class=MsoNormal style='page-break-after:avoid'>The kernel-mode filter driver is responsible for monitoring all the activity in the I/O subsystem and recording information on the activity along the IRP and Fast I/O paths for specified devices.<span style='mso-spacerun:yes'>&nbsp; </span>The filter driver maintains a list of log records for each of the I/O operations it sees and then, at the request of the user <span class=GramE>application</span>, passes the log data up to the user application.</p>
<p class=MsoNormal style='page-break-after:avoid'>The filter driver consists of the following files:</p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;mso-padding-alt:0in 5.4pt 0in 5.4pt'> <tr style='mso-yfti-irow:0'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>FileSpy.h</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'>Contains all the structures, types and constant definitions that are shared between the kernel mode driver, <span class=SpellE><span style='font-family:"Courier New"'>FileSpy.sys</span></span>, and the user mode executable, <span style='font-family:"Courier New"'>FileSpy.exe</span>.</p> </td> </tr> <tr style='mso-yfti-irow:1'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>FspyKern.h</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'>Contains all the structures, types, constants, global variables, and function prototypes that are only visible within the kernel mode driver.</p> </td> </tr> <tr style='mso-yfti-irow:2'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier 
New"'>FileSpy.c</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'>Contains the implementation for the driver entry point and all the callback routines this driver registers so that it is notified of I/O activity while the system is running.</p> </td> </tr> <tr style='mso-yfti-irow:3'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>FSpyLib.c</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'>Contains the implementation for the FileSpy helper routines.<span style='mso-spacerun:yes'>� </span>The routines provide the functionality of:</p> <p class=MsoListBullet style='margin-bottom:0in;margin-bottom:.0001pt'><![if !supportLists]><span style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol'><span style='mso-list:Ignore'>�<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Attaching to a device</p> <p class=MsoListBullet style='margin-bottom:0in;margin-bottom:.0001pt'><![if !supportLists]><span style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol'><span style='mso-list:Ignore'>�<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Detaching from a device</p> <p class=MsoListBullet style='margin-bottom:0in;margin-bottom:.0001pt'><![if !supportLists]><span 
style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol'><span style='mso-list:Ignore'>�<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Listing all the devices we are currently monitoring</p> <p class=MsoListBullet style='margin-bottom:0in;margin-bottom:.0001pt'><![if !supportLists]><span style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol'><span style='mso-list:Ignore'>�<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Manage the cache of filenames we keep while the system is monitoring I/O activity.</p> <p class=MsoListBullet style='margin-bottom:6.0pt'><![if !supportLists]><span style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol'><span style='mso-list:Ignore'>�<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Create, pass up and delete log records containing relevant information on the I/O activity seen.</p> </td> </tr> <tr style='mso-yfti-irow:4'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>makefile</span></span><span style='font-family:"Courier New"'>,<br> sources<o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'>Files used to tell the build tool how to create <span class=SpellE><span style='font-family:"Courier New"'>FileSpy.sys</span></span>.</p> </td> </tr> <tr style='mso-yfti-irow:5;mso-yfti-lastrow:yes'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span style='font-family:"Courier 
New"'>params.txt<o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='mso-pagination:widow-orphan lines-together; page-break-after:avoid'>Input file for <span style='font-family:"Courier New"'>regini.exe</span> to set the registry settings appropriately for communicating application parameters to the kernel mode driver.</p> </td> </tr> </table>
<p class=MsoNormal><o:p> </o:p></p>
<h2>User-mode Application</h2>
<p class=MsoNormal style='mso-pagination:widow-orphan lines-together; page-break-after:avoid'>The user-mode application is responsible for controlling the kernel-mode filter driver and translating the log records that are returned by the driver to the user in a human-readable way (either to the screen or to a file).<span style='mso-spacerun:yes'>&nbsp; </span>The user application uses a simple command shell to allow the user to communicate his or her directions to the driver.</p>
<p class=MsoNormal style='mso-pagination:widow-orphan lines-together; page-break-after:avoid'>The user application consists of the following files:</p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;mso-padding-alt:0in 5.4pt 0in 5.4pt'> <tr style='mso-yfti-irow:0;page-break-inside:avoid'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>fSpyLog.h</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'>Contains the structures, prototypes and constant definitions that are visible only to the user application.</p> </td> </tr> <tr style='mso-yfti-irow:1;page-break-inside:avoid'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>fSpyLog.c</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'>Contains the implementation for retrieving the log records from the kernel driver and displaying the log records to the user either through the screen or through a file.</p> </td> </tr> <tr style='mso-yfti-irow:2;page-break-inside:avoid'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>FSpyUser.c</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> 
</td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'>Contains the implementation for the main function of the user application that opens the FileSpy device, starts up the thread that continually queries the kernel mode driver for new log records, and interprets the user’s commands to the application.</p> </td> </tr> <tr style='mso-yfti-irow:3;mso-yfti-lastrow:yes;page-break-inside:avoid'> <td width=115 valign=top style='width:1.2in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='mso-pagination:widow-orphan lines-together; page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>makefile</span></span><span style='font-family:"Courier New"'>,<br> sources<o:p></o:p></span></p> </td> <td width=468 valign=top style='width:351.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal>Files used to tell the build tool how to create <span style='font-family:"Courier New"'>FileSpy.exe</span>.</p> </td> </tr> </table>
<h3>Running the user-mode application</h3>
<p class=MsoNormal>To run the user application:</p>
<p class=MsoListBullet style='margin-bottom:6.0pt'><![if !supportLists]><span style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Build the user application’s executable, <span style='font-family:"Courier New"'>FileSpy.exe</span>.</p>
<p class=MsoListBullet style='margin-bottom:6.0pt'><![if !supportLists]><span style='font-family:Symbol;mso-fareast-font-family:Symbol;mso-bidi-font-family: Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>The application has two modes, running mode and command mode.<span style='mso-spacerun:yes'>&nbsp; </span>In running mode, the application prints any log output that it has collected to the screen if it is supposed to be outputting information to the screen.<span style='mso-spacerun:yes'>&nbsp; </span>In command mode, the user is able to direct the behavior of the kernel driver through a series of command switches defined below.<span style='mso-spacerun:yes'>&nbsp; </span>When the application begins, it is in running mode.<span style='mso-spacerun:yes'>&nbsp; </span>To change to command mode when currently in running mode, hit <span style='font-family:"Courier New"'>Enter</span>.<span style='mso-spacerun:yes'>&nbsp; </span>A <span style='font-family:"Courier New"'>></span> prompt should appear to signify the application is in command mode.</p>
<p class=MsoListBullet style='mso-pagination:widow-orphan lines-together; page-break-after:avoid'><![if !supportLists]><span style='font-family:Symbol; mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>The following commands are available at the command line or in command mode.</p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=552 style='width:5.75in;margin-left:23.4pt;border-collapse:collapse;mso-padding-alt: 0in 5.4pt 0in 5.4pt'> <tr style='mso-yfti-irow:0'> <td width=163 valign=top style='width:1.7in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'><span style='font-family: "Courier New"'>/a &lt;drive&gt;<o:p></o:p></span></p> </td> <td width=389 valign=top style='width:4.05in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'>Attaches monitor to <span style='font-family:"Courier New"'>&lt;drive&gt;</span>, where <span style='font-family:"Courier New"'>&lt;drive&gt;</span> is a valid drive letter in the system (e.g., <span class=GramE><span style='font-family:"Courier New"'>C:</span></span>).</p> </td> </tr> <tr style='mso-yfti-irow:1'> <td width=163 valign=top style='width:1.7in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'><span style='font-family: "Courier New"'>/d &lt;drive&gt;<o:p></o:p></span></p> </td> <td width=389 valign=top style='width:4.05in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'>Detaches monitor from <span style='font-family:"Courier New"'>&lt;drive&gt;</span>, where <span style='font-family:"Courier New"'>&lt;drive&gt;</span> is a valid drive letter in the system (e.g., <span class=GramE><span style='font-family:"Courier New"'>C:</span></span>) that the monitor has previously attached to.</p> </td> </tr> <tr style='mso-yfti-irow:2;page-break-inside:avoid'> <td width=552 colspan=2 valign=top style='width:5.75in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal 
style='margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.5in;margin-bottom:.0001pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><i>Note:</i><span style='mso-spacerun:yes'>� </span>The monitor may not truly detach from the device when it receives the <span style='font-family:"Courier New"'>/d</span> command because a filter driver can only detach from a device when it can guarantee that it is on the top of the I/O stack.<span style='mso-spacerun:yes'>� </span>This is only going to occur when the filter driver receives the detach command from the I/O Manager.<span style='mso-spacerun:yes'>� </span>When the user application tells the kernel driver to detach from a device, the kernel monitor stops logging the data for that device.</p> <p class=MsoNormal style='margin-top:0in;margin-right:0in;margin-bottom:0in; margin-left:.5in;margin-bottom:.0001pt;mso-pagination:widow-orphan lines-together; page-break-after:avoid'><i>Also note:</i><span style='mso-spacerun:yes'>� </span>Shutting down the user application does <i>not</i> cause the kernel monitor to detach from all the drives.<span style='mso-spacerun:yes'>� </span>The kernel driver will stop logging the I/O operations that it is seeing, but if the user restarts the user application, the kernel monitor will continue logging to the devices that it was attached to when the user application last stopped.<span style='mso-spacerun:yes'>� </span>The kernel driver will only reset these attachments to system devices when the system is rebooted.</p> </td> </tr> <tr style='mso-yfti-irow:3'> <td width=163 valign=top style='width:1.7in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'><span style='font-family: "Courier New"'>/h<o:p></o:p></span></p> </td> <td width=389 valign=top style='width:4.05in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal 
style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'>Lists statistics on the hash table used to store file names.</p> </td> </tr> <tr style='mso-yfti-irow:4'> <td width=163 valign=top style='width:1.7in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'><span style='font-family: "Courier New"'>/l<o:p></o:p></span></p> </td> <td width=389 valign=top style='width:4.05in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'>Lists all the drives that the kernel driver is monitoring.</p> </td> </tr> <tr style='mso-yfti-irow:5'> <td width=163 valign=top style='width:1.7in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'><span style='font-family: "Courier New"'>/s<o:p></o:p></span></p> </td> <td width=389 valign=top style='width:4.05in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'>Toggles on and off showing the logging output on the screen.<span style='mso-spacerun:yes'>&nbsp; </span>When the application is started, the default behavior is to show logging output on the screen.</p> </td> </tr> <tr style='mso-yfti-irow:6'> <td width=163 valign=top style='width:1.7in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'><span style='font-family: "Courier New"'>/f [&lt;filename&gt;]<o:p></o:p></span></p> </td> <td width=389 valign=top style='width:4.05in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: 
widow-orphan lines-together;page-break-after:avoid'>Toggles on and off writing the logging output to a file.<span style='mso-spacerun:yes'>&nbsp; </span>If issuing the <span style='font-family:"Courier New";mso-bidi-font-family: "Times New Roman"'>/f</span> command will toggle on writing output to a file, the required <span style='font-family:"Courier New"'>&lt;filename&gt;</span> specifies the output file name.<span style='mso-spacerun:yes'>&nbsp; </span>If the <span style='font-family:"Courier New";mso-bidi-font-family:"Times New Roman"'>/f</span> command will toggle off writing output to a file, the <span style='font-family:"Courier New"'>&lt;filename&gt;</span> is ignored and not required.<span style='mso-spacerun:yes'>&nbsp; </span>By default, the logging output is <i>not</i> stored to a file.</p> </td> </tr> <tr style='mso-yfti-irow:7'> <td width=163 valign=top style='width:1.7in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'><span class=SpellE><span style='font-family:"Courier New"'>go|g</span></span><span style='font-family: "Courier New"'><o:p></o:p></span></p> </td> <td width=389 valign=top style='width:4.05in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;mso-pagination: widow-orphan lines-together;page-break-after:avoid'>Exits the user from command mode and allows the user application to show logging output on the screen again if the program is set to do so.</p> </td> </tr> <tr style='mso-yfti-irow:8;mso-yfti-lastrow:yes'> <td width=163 valign=top style='width:1.7in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt'><span style='font-family:"Courier New"'>Exit<o:p></o:p></span></p> </td> <td width=389 valign=top style='width:4.05in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt'>Shuts down the user application.</p> 
</td> </tr> </table>
<h3>Logging Output Format</h3>
<p class=MsoNormal>The logging information that is output to the screen or to a file (as specified by the user commands) is the same.<span style='mso-spacerun:yes'>&nbsp; </span>(<i>Note:<span style='mso-spacerun:yes'>&nbsp; </span></i>We do log different information for I/O operations along the Irp path than for I/O operations along the Fast I/O path.)<span style='mso-spacerun:yes'>&nbsp; </span>The only difference is that the fields are tab-delimited when writing to a file, to make the data easier to analyze.<span style='mso-spacerun:yes'>&nbsp; </span>The data written to the screen is compacted to make it easier to read (although you will still want your Command Window to be extra wide).</p>
<p class=MsoNormal>If the memory limit is hit while logging I/O operations, a message saying that the system is out of memory will appear in the log.<span style='mso-spacerun:yes'>&nbsp; </span>Once the memory pressure has been relieved, the user can determine how many I/O operations were not logged from the gap in the sequence numbers of the log records.</p>
<p class=MsoNormal>The exact format of the data output in each case is described below:</p>
<h4>Output Format for Irp Operations</h4>
<p class=MsoNormal style='page-break-after:avoid'>These fields appear from left to right, across the screen.</p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;mso-padding-alt:0in 5.4pt 0in 5.4pt'> <tr style='mso-yfti-irow:0'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>I</p> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>Designates that this is an I/O operation along the Irp path.</p> </td> </tr> <tr style='mso-yfti-irow:1'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Sequence Number</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The sequence number for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:2'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Originating Time</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The time this I/O operation began.</p> </td> </tr> <tr style='mso-yfti-irow:3'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Completion Time</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The time this I/O operation ended.</p> </td> </tr> <tr style='mso-yfti-irow:4'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Process Id and Thread Id</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The process and thread id for the thread that originated this I/O operation.<span style='mso-spacerun:yes'>&nbsp; </span>These values are in <span class=SpellE><i>processId.threadId</i></span><i> </i>format.</p> </td> </tr> <tr style='mso-yfti-irow:5'> <td 
width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Irp Major Code and Irp Minor Code Names</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The name of the Irp major code for this operation.<span style='mso-spacerun:yes'>&nbsp; </span>The name of the Irp minor code for this operation, if there is one (the screen display has this on a separate line).</p> </td> </tr> <tr style='mso-yfti-irow:6'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>DeviceObject</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The pointer value representing the Device Object for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:7'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5><span class=SpellE>FileObject</span></h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The pointer value representing the File Object for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:8'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Return Status and Information</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The numeric values for both the return status and return Information fields (look in <span class=SpellE>ntstatus.h</span> to see the description for the return value).<span style='mso-spacerun:yes'>&nbsp; </span>These values are in the <span class=SpellE><i>status<span class=GramE>:information</span></i></span> format.</p> </td> </tr> <tr style='mso-yfti-irow:9'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Irp Flags</h5> 
</td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The numeric value for the Irp flags.</p> </td> </tr> <tr style='mso-yfti-irow:10'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Interpretation of Common Irp flags</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>Four columns, each containing either a letter or a ‘-’, designating which Irp flags are set:</p> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;page-break-after: avoid'>N – <span class=SpellE>NoCache</span> flag was set</p> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;page-break-after: avoid'>P – Paging IO flag was set</p> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;page-break-after: avoid'>S – Synchronous <span class=SpellE>Api</span> flag was set</p> <p class=MsoNormal style='page-break-after:avoid'>Y – Synchronous Paging IO flag was set</p> </td> </tr> <tr style='mso-yfti-irow:11;mso-yfti-lastrow:yes'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5 style='page-break-after:auto'>Name</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt'>If available, the name of the file.</p> </td> </tr> </table>
<p class=MsoNormal><o:p> </o:p></p>
<h4>Output Format for Fast I/O Operations</h4>
<p class=MsoNormal style='page-break-after:avoid'>These fields appear from left to right, across the screen.</p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;mso-padding-alt:0in 5.4pt 0in 5.4pt'> <tr style='mso-yfti-irow:0'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>F</p> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>Designates that this is an I/O operation along the FastIO path.</p> </td> </tr> <tr style='mso-yfti-irow:1'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Sequence Number</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The sequence number for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:2'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Originating Time</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The time this I/O operation began.</p> </td> </tr> <tr style='mso-yfti-irow:3'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Completion Time</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The time this I/O operation ended.</p> </td> </tr> <tr style='mso-yfti-irow:4'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Process Id and Thread Id</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The process and thread id for the thread that originated this I/O operation.<span style='mso-spacerun:yes'>&nbsp; </span>These values are shown in the format <span class=SpellE><i>processId.threadId</i></span>.</p> </td> </tr> <tr style='mso-yfti-irow:5'> 
<td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Fast I/O Operation Name</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The name of the type of Fast I/O operation.</p> </td> </tr> <tr style='mso-yfti-irow:6'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>DeviceObject</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>If available, the pointer value representing the Device Object for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:7'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5><span class=SpellE>FileObject</span></h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>If available, the pointer value representing the File Object for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:8'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Return Status</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The numeric value for the return status for this operation (look in <span class=SpellE>ntstatus.h</span> to see the description for the return value).</p> </td> </tr> <tr style='mso-yfti-irow:9'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Wait</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>If available, ‘T’ if this Fast I/O operation was called with the <i>Wait</i> parameter set to <span class=GramE>TRUE, and ‘F’</span> if the <i>Wait</i> parameter was set to FALSE.</p> </td> </tr> <tr 
style='mso-yfti-irow:10'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Length</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>If available, the number of bytes in the operation.</p> </td> </tr> <tr style='mso-yfti-irow:11'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>File Offset</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>If available, the offset into the file for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:12;mso-yfti-lastrow:yes'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5 style='page-break-after:auto'>Name</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt'>If available, the name of the file.</p> </td> </tr> </table>
<h4>Output Format for <span class=SpellE>FsFilter</span> Operations</h4>
<p class=MsoNormal style='page-break-after:avoid'>These fields appear from left to right, across the screen.</p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;mso-padding-alt:0in 5.4pt 0in 5.4pt'> <tr style='mso-yfti-irow:0'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>O</p> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>Designates that this is an operation along the <span class=SpellE>FsFilter</span> Operation path.</p> </td> </tr> <tr style='mso-yfti-irow:1'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Sequence Number</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The sequence number for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:2'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Originating Time</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The time this I/O operation began.</p> </td> </tr> <tr style='mso-yfti-irow:3'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Completion Time</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='page-break-after:avoid'>The time this I/O operation ended.</p> </td> </tr> <tr style='mso-yfti-irow:4'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Process Id and Thread Id</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The process and thread id for the thread that originated this I/O operation.<span style='mso-spacerun:yes'>&nbsp; </span>These values are shown in the format <span class=SpellE><i>processId.threadId</i></span>.</p> </td> 
</tr> <tr style='mso-yfti-irow:5'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5><span class=SpellE>FsFilter</span> Operation Name</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The name of the type of <span class=SpellE>FsFilter</span> operation.</p> </td> </tr> <tr style='mso-yfti-irow:6'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>DeviceObject</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>If available, the pointer value representing the Device Object for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:7'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5><span class=SpellE>FileObject</span></h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>If available, the pointer value representing the File Object for this operation.</p> </td> </tr> <tr style='mso-yfti-irow:8'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5>Return Status</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt;page-break-after:avoid'>The numeric value for the return status for this operation (look in <span class=SpellE>ntstatus.h</span> to see the description for the return value).</p> </td> </tr> <tr style='mso-yfti-irow:9;mso-yfti-lastrow:yes'> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <h5 style='page-break-after:auto'>Name</h5> </td> <td width=295 valign=top style='width:221.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:6.0pt'>If available, the name of the file.</p> </td> </tr> </table>
<p class=MsoNormal><o:p> </o:p></p>
<h2>Filter Driver Install Program</h2>
<p class=MsoNormal>FileSpy now comes with an INF that will install the filter driver and the user mode control program.<span style='mso-spacerun:yes'>&nbsp; </span>To install, do the following:</p>
<ul style='margin-top:0in' type=square> <li class=MsoNormal style='margin-bottom:6.0pt;mso-list:l2 level1 lfo9; tab-stops:list .5in'>Make sure that <span style='font-family:"Courier New"'>filespy.exe</span>, <span class=SpellE><span style='font-family:"Courier New";mso-bidi-font-family: "Times New Roman"'>filespy.sys</span></span> and <span class=SpellE><span style='font-family:"Courier New";mso-bidi-font-family:"Times New Roman"'>filespy.inf</span></span> are all in the same directory.</li> <li class=MsoNormal style='margin-bottom:6.0pt;mso-list:l2 level1 lfo9; tab-stops:list .5in'>Right-click <span class=SpellE><span style='font-family:"Courier New"'>filespy.inf</span></span> in Explorer.</li> <li class=MsoNormal style='mso-list:l2 level1 lfo9;tab-stops:list .5in'>Select the Install option.</li> </ul>
<p class=MsoNormal>This will make the necessary registry updates to register the FileSpy service, place <span class=SpellE><span style='font-family:"Courier New"; mso-bidi-font-family:"Times New Roman"'>filespy.sys</span></span> in the <span style='font-family:"Courier New";mso-bidi-font-family:"Times New Roman"'>%SystemRoot%\system32\drivers</span> directory, place <span style='font-family:"Courier New";mso-bidi-font-family: "Times New Roman"'>filespy.exe</span> in the <span style='font-family:"Courier New"; mso-bidi-font-family:"Times New Roman"'>%<span class=SpellE>SystemRoot%\filespy</span></span> directory, and add the following registry entries:</p>
<p class=MsoNormal><span style='font-size:10.0pt;mso-bidi-font-size:12.0pt; font-family:"Courier New"'>[HKEY_LOCAL_MACHINE]\System\<span class=SpellE>CurrentControlSet\Services\FileSpy</span><o:p></o:p></span></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse;mso-padding-alt:0in 5.4pt 0in 5.4pt'> <tr style='mso-yfti-irow:0'> <td width=139 valign=top style='width:1.45in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt'><span class=SpellE><span style='font-family:"Courier New"'>MaxRecords</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt'><span style='font-family:"Courier New"'>DWORD<o:p></o:p></span></p> </td> <td width=343 valign=top style='width:257.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt'>The maximum number of log records to have outstanding at any one time.<span style='mso-spacerun:yes'>&nbsp; </span>Default=500.</p> </td> </tr> <tr style='mso-yfti-irow:1'> <td width=139 valign=top style='width:1.45in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt'><span class=SpellE><span style='font-family:"Courier New"'>MaxNames</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt'><span style='font-family:"Courier New"'>DWORD<o:p></o:p></span></p> </td> <td width=343 valign=top style='width:257.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt'>The maximum number of name buffers to have outstanding at any one time.<span style='mso-spacerun:yes'>&nbsp; </span>Default=500.</p> </td> </tr> <tr style='mso-yfti-irow:2;mso-yfti-lastrow:yes'> <td width=139 valign=top style='width:1.45in;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal><span class=SpellE><span style='font-family:"Courier 
New"'>AttachMode</span></span><span style='font-family:"Courier New"'><o:p></o:p></span></p> </td> <td width=108 valign=top style='width:81.0pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal><span style='font-family:"Courier New"'>DWORD<o:p></o:p></span></p> </td> <td width=343 valign=top style='width:257.4pt;padding:0in 5.4pt 0in 5.4pt'> <p class=MsoNormal>Specifies how FileSpy attaches to volumes.</p> <p class=MsoList style='mso-list:l5 level1 lfo8;tab-stops:list .25in'><![if !supportLists]><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Attach on demand.</p> <p class=MsoList style='mso-list:l5 level1 lfo8;tab-stops:list .25in'><![if !supportLists]><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Attach to ALL volumes when the filter loads.<span style='mso-spacerun:yes'>&nbsp; </span>This does <b>not</b> mean that volumes are being logged; logging happens only when a user explicitly requests it.<span style='mso-spacerun:yes'>&nbsp; </span>This mode is used to control attachment order relative to other filters.</p> <p class=MsoNormal>Default=2</p> </td> </tr> </table>
<h2>Filter Driver Uninstall</h2>
<p class=MsoNormal>To uninstall the kernel-mode driver for FileSpy, you need to run “<b>sc delete <span class=SpellE>filespy</span></b>”.<span style='mso-spacerun:yes'>&nbsp; </span>This will remove the service from the system.<span style='mso-spacerun:yes'>&nbsp; </span>After running this command, you will need to reboot the machine to complete the removal of FileSpy.</p>
</div>
</body>
</html>