I have software that tracks changes on an NTFS volume on a Windows OS using a volume filter driver. I need to handle the case where the volume gets mounted and modified outside of the OS where my driver is installed.
Is it possible to figure out the "last mount time" of the volume? Or any other parameter that would allow me to tell whether the volume has been mounted outside of my driver's control?
I don't know of a "last mount time", but there is a "log file open count". If you look at http://www.opensource.apple.com/source/ntfs/ntfs-64/kext/ntfs_logfile.h, you will see a RESTART_AREA structure; its tail looks like this:

/* 40*/ le32 restart_log_open_count; /* A counter that gets incremented every time the logfile is restarted, which happens at mount time when the logfile is opened. When creating, set to a random value. Win2k sets it to the low 32 bits of the current system time in NTFS format (see time.h). */
/* 44*/ le32 reserved;               /* Reserved/alignment to 8-byte boundary. */
/* sizeof() = 48 (0x30) bytes */
} __attribute__((__packed__)) RESTART_AREA;

You can see that near the end of it is a restart_log_open_count that you can use to keep track of mounts. You would look at the value and compare it to a saved value. It should be equal to the saved value plus one. If so, it hasn't been mounted since you last had control.
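The comparison the answer describes, as an added example that is not part of the original post or of the Apple NTFS kext: it reads restart_log_open_count from a RESTART_AREA byte buffer at the offset the struct comment gives (40) and compares it with the value saved the last time the volume was mounted under the driver. The buffer layout below is constructed for the example, not a real $LogFile, and locating the restart area inside $LogFile is assumed to have been done by the caller. The check uses unsigned 32-bit arithmetic so a counter that wraps past 0xFFFFFFFF is still handled.

```c
/*
 * Added example (not from the original post): decide whether an NTFS
 * volume was mounted outside our control by comparing the $LogFile
 * restart-area "restart_log_open_count" with a previously saved value.
 * Assumption: the caller supplies the RESTART_AREA bytes; the only
 * layout fact used is that the counter is an le32 at offset 40.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESTART_AREA_SIZE             48u   /* sizeof(RESTART_AREA) per the header */
#define RESTART_LOG_OPEN_COUNT_OFFSET 40u   /* offset of restart_log_open_count */

/* Outcome of the mount-history check. */
typedef enum {
    MOUNT_CHECK_CLEAN,     /* counter == saved + 1: only our own mount happened */
    MOUNT_CHECK_EXTERNAL,  /* counter advanced more than once: foreign mount(s) */
    MOUNT_CHECK_UNCHANGED  /* counter == saved: no logfile restart recorded at all */
} mount_check_t;

/* Read a little-endian 32-bit value independent of host byte order. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Extract restart_log_open_count; false if the buffer is too short. */
bool restart_log_open_count(const uint8_t *area, size_t len, uint32_t *count)
{
    if (area == NULL || count == NULL || len < RESTART_AREA_SIZE)
        return false;
    *count = read_le32(area + RESTART_LOG_OPEN_COUNT_OFFSET);
    return true;
}

/*
 * Compare the on-disk counter with the value saved at our last mount.
 * The subtraction wraps modulo 2^32, so a counter that rolled over from
 * 0xFFFFFFFF to 0 still yields a delta of 1. A counter that went
 * "backwards" (e.g. the volume was reformatted and the field re-seeded)
 * shows up as a large delta and is reported as EXTERNAL, which is the
 * conservative answer for a change tracker.
 */
mount_check_t check_mount_history(uint32_t saved, uint32_t current)
{
    uint32_t delta = current - saved;
    if (delta == 1u)
        return MOUNT_CHECK_CLEAN;
    if (delta == 0u)
        return MOUNT_CHECK_UNCHANGED;
    return MOUNT_CHECK_EXTERNAL;
}

/* Build a constructed 48-byte restart area holding the given counter. */
void make_sample_restart_area(uint8_t area[RESTART_AREA_SIZE], uint32_t count)
{
    memset(area, 0, RESTART_AREA_SIZE);        /* other fields not needed here */
    area[RESTART_LOG_OPEN_COUNT_OFFSET + 0] = (uint8_t)(count);
    area[RESTART_LOG_OPEN_COUNT_OFFSET + 1] = (uint8_t)(count >> 8);
    area[RESTART_LOG_OPEN_COUNT_OFFSET + 2] = (uint8_t)(count >> 16);
    area[RESTART_LOG_OPEN_COUNT_OFFSET + 3] = (uint8_t)(count >> 24);
}

/* End-to-end: constructed area with on-disk counter, checked against saved. */
mount_check_t demo_check(uint32_t on_disk, uint32_t saved)
{
    uint8_t area[RESTART_AREA_SIZE];
    uint32_t current = 0;
    make_sample_restart_area(area, on_disk);
    if (!restart_log_open_count(area, sizeof area, &current))
        return MOUNT_CHECK_EXTERNAL;           /* unreadable: treat as untrusted */
    return check_mount_history(saved, current);
}

int main(void)
{
    static const char *names[] = { "clean", "external mount detected", "unchanged" };
    /* Constructed scenarios: saved value from our last mount vs. on-disk now. */
    printf("saved 16, disk 17  -> %s\n", names[demo_check(17u, 16u)]);
    printf("saved 10, disk 17  -> %s\n", names[demo_check(17u, 10u)]);
    printf("saved 0xFFFFFFFF, disk 0 -> %s\n", names[demo_check(0u, 0xFFFFFFFFu)]);
    return 0;
}
```

After a CLEAN result the driver should persist the freshly read counter as the new saved value, so the next mount is again expected to show saved + 1.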