Hi, I'm a newbie to ASM and could do with some help getting my first project going.
I'm trying to monitor file changes per drive and get the filenames of those files which have been modified, created or deleted. In the MSDN Library there are 2 functions discussed which should achieve this. One polls for changes to the drive, the other enumerates the changes.
Could anybody please tell me how to use these examples from MSDN in a working example? I can't figure it out.
The URLs are these, but I have copied the info in below too.
http://msdn.microsoft.com/library/en-us/win32/95func_9s14.asp
http://msdn.microsoft.com/library/en-us/win32/95func_9s2w.asp
Here's function 1:
-------------------------------------------
Interrupt 21h Function 440Dh Minor Code 6Ch
Polls the state of the access flag on a volume to determine if a write operation (for example, deleting or renaming a file or writing to a file) or a new file mapping has occurred since the last poll.
mov ax, 440Dh ; generic IOCTL
mov bl, DriveNum ; see below
mov ch, 08h ; device category (must be 08h)
mov cl, 6Ch ; Get Lock Flag State
int 21h
jc error
mov [LockState], ax ; state of access flag (destination operand dropped in extraction; name assumed)
Parameters
DriveNum Drive to poll. This parameter can be 0 for the default drive, 1 for A, 2 for B, and so on.
Return Values
Clears the carry flag and sets the AX register to one of the following values if successful.
Value Meaning
0 No write operations or file mappings have occurred since the last poll.
1 A write operation has occurred since the last poll (clears the volume access flag).
2 A file mapping has occurred since the last poll, or a 32-bit Windows-based DLL or executable has been opened (clears the volume access flag).
Otherwise, the function sets the carry flag and sets the AX register to an error value.
Remarks
Only the current lock owner may poll the access flag. The system fails other processes with ERROR_ACCESS_DENIED error value. Write operations performed by the lock owner do not cause a change in the state of the access flag.
When a lock is obtained that allows write operations or new file mappings, the system sets a flag whenever one of these operations happens on the volume. If a write operation or new file mapping has occurred since the last poll, Get Lock Flag State returns 1 or 2 respectively in the AX register and clears the volume access flag. If the swap file has grown or shrunk since the last poll, Get Lock Flag State returns 1. Note that write operations to the swap file that do not cause a change in size do not cause a change in the state of the access flag. If a 32-bit Windows-based DLL or executable has been opened since the last poll, Get Lock Flag State returns 2.
----------------------------------------------------------
and this is 2:
------------------------------------------
Interrupt 21h Function 440Dh Minor Code 6Dh
Enumerates open files on the specified drive.
mov ax, 440Dh ; generic IOCTL
mov bx, DriveNum ; see below
mov ch, 08h ; device category (must be 08h)
mov cl, 6Dh ; Enumerate Open Files
mov dx, seg PathBuf ; see below
mov ds, dx
mov dx, offset PathBuf
mov si, FileIndex ; see below
mov di, EnumType ; see below
int 21h
jc error
mov [OpenMode], ax ; mode file was opened in (destination operand dropped in extraction; name assumed)
mov [FileType], cx ; normal file or memory-mapped file (destination operand dropped in extraction; name assumed)
Parameters
DriveNum Drive on which to enumerate the files. This parameter can be 0 for the default drive, 1 for A, 2 for B, and so on. PathBuf Pointer to a buffer that receives the path of the open file. The length of the buffer varies depending on the volume. Get Volume Information (Interrupt 21h Function 71A0h) is used to determine the maximum allowed length of a path for the volume. FileIndex Index of the file to retrieve the path for. EnumType Kind of file to enumerate. This parameter can be 0 to enumerate all open files or 1 to enumerate only open unmovable files, including open memory-mapped files and other open unmovable files (32-bit Windows-based DLLs and executables).
Return Values
Clears the carry flag, copies the path of an open file to the given buffer, and sets the AX and CX registers to the following values if successful:
Register Value
AX Mode that the file was opened in, which is a combination of access mode, sharing mode, and open flags. It can be one value each from the access and sharing modes and any combination of open flags.
Access modes
OPEN_ACCESS_READONLY (0000h)
OPEN_ACCESS_WRITEONLY (0001h)
OPEN_ACCESS_READWRITE (0002h)
OPEN_ACCESS_RO_NOMODLASTACCESS (0004h)
Share modes
OPEN_SHARE_COMPATIBLE (0000h)
OPEN_SHARE_DENYREADWRITE (0010h)
OPEN_SHARE_DENYWRITE (0020h)
OPEN_SHARE_DENYREAD (0030h)
OPEN_SHARE_DENYNONE (0040h)
Open flags
OPEN_FLAGS_NOINHERIT (0080h)
OPEN_FLAGS_NO_BUFFERING (0100h)
OPEN_FLAGS_NO_COMPRESS (0200h)
OPEN_FLAGS_ALIAS_HINT (0400h)
OPEN_FLAGS_NOCRITERR (2000h)
OPEN_FLAGS_COMMIT (4000h)
CX File type. It can be one of the following values:
0 For normal files
1 For a memory-mapped files (memory-mapped files are unmovable)
2 For any other unmovable files (32-bit Windows-based DLLs and executables)
4 For the swap file
Note that if a memory-mapped file is returned (CX = 1), the value returned in the AX register is limited to the following values:
OPEN_ACCESS_READONLY (0000h)
OPEN_ACCESS_READWRITE (0002h)
Otherwise, the function sets the carry flag and sets the AX register to the following error value.
Value Meaning
ERROR_ACCESS_DENIED The value of FileIndex exceeds the number of open files on the drive.
Remarks
This function returns information about one file at a time. To enumerate all open files, the function must be called repeatedly with FileIndex set to a new value for each call. FileIndex should be set to zero initially and then incremented by one for each subsequent call. The function returns the ERROR_NO_MORE_FILES error value when all open files on the volume have been enumerated.
This function may return inconsistent results when used to enumerate files on an active volume, that is, on a volume where other processes may be opening and closing files. Applications should use Lock Logical Volume (Interrupt 21h Function 440Dh Minor Code 4Ah) to take a level 3 lock before enumerating open files.
Platform SDK Release: November 2001
---------------------------------------------------------
Many Thanks,
nibl~
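An added example, not part of this thread or of the MSDN pages quoted above: it decodes the AX (open mode) and CX (file type) values that Minor Code 6Dh returns, using the constant names and values listed in the MSDN text, and runs the FileIndex loop the Remarks describe. The int 21h call itself is replaced by a constructed in-memory table of "open files", marked as such in the code, so the program builds and runs on any C compiler; the struct and function names, the 260-byte path buffer, the assumed bit layout (access mode in the low three bits, share mode in bits 4 to 6, everything else a flag) and the DOS error numbers 5 (ERROR_ACCESS_DENIED) and 18 (ERROR_NO_MORE_FILES) are my own choices, not taken from the page. Because the quoted text names both error values as the end-of-list condition, the loop stops on either.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: decoder for the AX/CX results of Interrupt 21h Function 440Dh
 * Minor Code 6Dh (Enumerate Open Files), plus the FileIndex loop from the Remarks.
 * Constant names and values below are the ones the MSDN text lists. */
enum { OPEN_ACCESS_READONLY = 0x0000, OPEN_ACCESS_WRITEONLY = 0x0001,
       OPEN_ACCESS_READWRITE = 0x0002, OPEN_ACCESS_RO_NOMODLASTACCESS = 0x0004 };
enum { OPEN_SHARE_COMPATIBLE = 0x0000, OPEN_SHARE_DENYREADWRITE = 0x0010,
       OPEN_SHARE_DENYWRITE = 0x0020, OPEN_SHARE_DENYREAD = 0x0030, OPEN_SHARE_DENYNONE = 0x0040 };
enum { OPEN_FLAGS_NOINHERIT = 0x0080, OPEN_FLAGS_NO_BUFFERING = 0x0100,
       OPEN_FLAGS_NO_COMPRESS = 0x0200, OPEN_FLAGS_ALIAS_HINT = 0x0400,
       OPEN_FLAGS_NOCRITERR = 0x2000, OPEN_FLAGS_COMMIT = 0x4000 };
/* Standard DOS error numbers (assumption: not stated on the page). */
enum { ERROR_ACCESS_DENIED = 5, ERROR_NO_MORE_FILES = 18 };

/* Assumed bit layout of AX: access mode in bits 0-2, share mode in bits 4-6, rest are flags. */
#define ACCESS_MASK 0x0007u
#define SHARE_MASK  0x0070u
#define FLAGS_KNOWN (OPEN_FLAGS_NOINHERIT | OPEN_FLAGS_NO_BUFFERING | OPEN_FLAGS_NO_COMPRESS | \
                     OPEN_FLAGS_ALIAS_HINT | OPEN_FLAGS_NOCRITERR | OPEN_FLAGS_COMMIT)

typedef struct {
    uint16_t access, share, flags;  /* the three documented parts of AX */
    uint16_t unknown;               /* AX bits the table does not document */
    uint16_t file_type;             /* CX: 0 normal, 1 memory-mapped, 2 other unmovable, 4 swap */
} open_mode;

/* Returns 0 when AX/CX match the documented tables, -1 otherwise (undocumented
 * bits are rejected rather than silently dropped). */
int decode_open_mode(uint16_t ax, uint16_t cx, open_mode *out) {
    memset(out, 0, sizeof *out);
    out->access  = ax & ACCESS_MASK;
    out->share   = ax & SHARE_MASK;
    out->flags   = ax & FLAGS_KNOWN;
    out->unknown = ax & (uint16_t)~(ACCESS_MASK | SHARE_MASK | FLAGS_KNOWN);
    out->file_type = cx;
    if (out->access != 0 && out->access != 1 && out->access != 2 && out->access != 4) return -1;
    if (out->share > OPEN_SHARE_DENYNONE) return -1;
    if (cx != 0 && cx != 1 && cx != 2 && cx != 4) return -1;
    /* A memory-mapped file (CX = 1) only ever reports READONLY or READWRITE. */
    if (cx == 1 && ax != OPEN_ACCESS_READONLY && ax != OPEN_ACCESS_READWRITE) return -1;
    return out->unknown ? -1 : 0;
}

static const char *access_name(uint16_t a) {
    switch (a) { case 0: return "READONLY"; case 1: return "WRITEONLY";
                 case 2: return "READWRITE"; case 4: return "RO_NOMODLASTACCESS"; default: return "?"; }
}
static const char *share_name(uint16_t s) {
    switch (s) { case 0x00: return "COMPATIBLE"; case 0x10: return "DENYREADWRITE";
                 case 0x20: return "DENYWRITE"; case 0x30: return "DENYREAD";
                 case 0x40: return "DENYNONE"; default: return "?"; }
}
static const char *type_name(uint16_t t) {
    switch (t) { case 0: return "normal"; case 1: return "memory-mapped";
                 case 2: return "unmovable"; case 4: return "swap"; default: return "?"; }
}
static void append(char *buf, size_t n, const char *s) {   /* bounded append */
    size_t used = strlen(buf);
    if (used + 1 < n) strncat(buf, s, n - used - 1);
}

/* Writes e.g. "READWRITE|DENYNONE+NOINHERIT (normal)" into buf. */
void format_open_mode(const open_mode *m, char *buf, size_t n) {
    static const struct { uint16_t bit; const char *name; } flag_names[] = {
        { OPEN_FLAGS_NOINHERIT, "NOINHERIT" }, { OPEN_FLAGS_NO_BUFFERING, "NO_BUFFERING" },
        { OPEN_FLAGS_NO_COMPRESS, "NO_COMPRESS" }, { OPEN_FLAGS_ALIAS_HINT, "ALIAS_HINT" },
        { OPEN_FLAGS_NOCRITERR, "NOCRITERR" }, { OPEN_FLAGS_COMMIT, "COMMIT" } };
    buf[0] = '\0';
    append(buf, n, access_name(m->access)); append(buf, n, "|"); append(buf, n, share_name(m->share));
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++)
        if (m->flags & flag_names[i].bit) { append(buf, n, "+"); append(buf, n, flag_names[i].name); }
    append(buf, n, " ("); append(buf, n, type_name(m->file_type)); append(buf, n, ")");
}

/* Constructed stand-in for the int 21h call: the "open files" on a sample drive. */
typedef struct { const char *path; uint16_t ax, cx; } fake_open_file;
static const fake_open_file sample_drive[] = {
    { "C:\\WINDOWS\\WIN.INI", OPEN_ACCESS_READWRITE | OPEN_SHARE_DENYNONE | OPEN_FLAGS_NOINHERIT, 0 },
    { "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL", OPEN_ACCESS_READONLY | OPEN_SHARE_DENYWRITE, 2 },
    { "C:\\WINDOWS\\WIN386.SWP", OPEN_ACCESS_READWRITE | OPEN_SHARE_DENYREADWRITE, 4 },
};

/* Mirrors the register interface: 0 and AX/CX/PathBuf filled, or a DOS error code.
 * EnumType 1 restricts the list to unmovable files (CX != 0), as the text describes. */
int enumerate_open_file(uint16_t file_index, uint16_t enum_type, uint16_t *ax, uint16_t *cx,
                        char *path_buf, size_t path_len) {
    uint16_t seen = 0;
    for (size_t i = 0; i < sizeof sample_drive / sizeof sample_drive[0]; i++) {
        if (enum_type == 1 && sample_drive[i].cx == 0) continue;
        if (seen++ != file_index) continue;
        *ax = sample_drive[i].ax; *cx = sample_drive[i].cx;
        snprintf(path_buf, path_len, "%s", sample_drive[i].path);
        return 0;
    }
    return ERROR_NO_MORE_FILES;
}

/* The loop from the Remarks: FileIndex 0, 1, 2, ... until the call fails. Returns the
 * number of files listed, or -1 if a result falls outside the documented tables. */
int list_open_files(uint16_t enum_type, void (*report)(const char *path, const char *mode)) {
    char path[260], mode[96];   /* 260 = MAX_PATH; real code sizes it via Function 71A0h */
    uint16_t ax, cx;
    int count = 0;
    for (uint16_t idx = 0; idx < 0xFFFF; idx++) {
        int err = enumerate_open_file(idx, enum_type, &ax, &cx, path, sizeof path);
        if (err == ERROR_NO_MORE_FILES || err == ERROR_ACCESS_DENIED) break;  /* text names both */
        if (err != 0) return -1;
        open_mode m;
        if (decode_open_mode(ax, cx, &m) != 0) return -1;
        format_open_mode(&m, mode, sizeof mode);
        if (report) report(path, mode);
        count++;
    }
    return count;
}

static void print_line(const char *path, const char *mode) { printf("%-36s %s\n", path, mode); }

int main(void) {
    int n = list_open_files(0, print_line);
    printf("%d open file(s); unmovable only: %d\n", n, list_open_files(1, NULL));
    return n < 0;
}
```

On a real Windows 9x system the body of enumerate_open_file would be the int 21h sequence from the MSDN text, and the Remarks' advice still applies: take the level 3 lock first, or the index loop can skip or repeat entries while other processes open and close files.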
I think you should be writing VxDs or similar to that. You can't do interrupts on purely win32asm. Oops, maybe I'm wrong. Check Iczelion's tuts on VxDs. :)
nibl,
Look at FindFirstChangeNotification in the SDK or win32.hlp It may be what you're looking for.
hth
farrier
I have used FindFirstChangeNotification, but the problem is that it only tells you there was a change, but does not report the file. Getting the filename then requires checking every file. If you watch the C: drive, then you have to traverse all subdirectories checking the archive attribute to find out which file(s) changed.
So, speed is the main problem here. Any suggestions?
I guess an ASM routine to do the above would help a lot, but I'd need to ask for help on that.
Thanks,
nibl
The links you gave are to be used for windows-aware dos applications.
And they're 9x-only, as far as I can tell.
An ASM routine to scan your harddrive for changed files won't be
any faster than a C routine, as you're limited by IO speed and not
processor speed.
I think the File*ChangeNotification are mainly to be used in things
like Explorer windows, where you just need to refresh the view, but
don't need to get filenames and such.
I don't really know how to watch and get filenames... perhaps you
have to code a VxD/KMD after all...
So, basically you would need a VxD for 9x and a KMD for NT, XP etc., right? Is it a difficult task?
Do you know where I can find more info on the subject, hopefully examples, a how-to?
Thanks,
nibl
If you're lucky, you can find the information in the freely available
9x, 2k and XP DDKs. If you're unlucky, you need to get the IFS kit,
which costs big money.
there is an undocumented API called SHChangeNotifyRegister
do a search on Google or check my post in the COM section related to OLE DragDrop and how to retrieve the destination directory of a drop
cheers
Random
Thanks Random, that's good news :-)
I tried your getdropdir proggy and it worked great (NT).
Is this a GUI only function or would this API call also pick up file actions by applications or from the command line?
I need it to sit in the background and monitor any type of change.
I'm quite new to Win API stuff, so excuse if this seems obvious.
Thanks,
nibl
http://www.sysinternals.com
Here is a site that has source code for 'Filemon'
Although it is written in C, it should help some :)