MiniFilter - How to detect only User initiated i/o activities?


I need to detect only User initiated i/o activities. When I say User I actually mean User (double click to open file, enter, etc).

Data->RequestorMode == 1, prints only User mode and I need User initiated actions.

So, I need to know how to print only transactions made by user itself. (Open file, double click, enter, etc... as said before)

Any suggestions?

Thanks!

2

There are 2 answers

0
Harry Johnston (BEST ANSWER)

When you double-click a file, you are asking Explorer to take an action on your behalf. Explorer does so by examining the file's extension, looking up the application associated with that extension, and launching it with instructions to open the file.

The Windows loader is responsible for loading the application into memory and setting it running. In order to do so it must open at least the executable and usually one or more DLLs. Once the application starts up, it might also open some configuration files before it opens the file the user asked for.

All of these open operations are performed in the same context. The kernel knows which process initiated the file open, but it has no way to tell whether it was opened by the Windows loader or by the application itself, or to distinguish between a configuration file and the file the user double-clicked. So you are not going to be able to detect user-initiated file open operations from a file system filter driver.

It might instead be possible to use a Windows Explorer extension, although this will only work for files that are opened using Explorer or one of the standard dialogs, i.e., for most but not all applications.

9
RbMm

Data->RequestorMode == 1, prints only User mode

so

if (Data->RequestorMode == UserMode) DbgPrint("%x\n", Data->RequestorMode);

prints only UserMode

or, to say it better: if UserMode, print UserMode - that prints only UserMode ..