c:[["$","$Ld",null,{"page":"page"}],["$","$Le",null,{}],["$","div",null,{"className":"container shadow-4 rounded mt-3 mb-3 p-3 border border-primary","children":[[["$","$Lf","0",{"href":"../windows","className":"badge badge-primary m-1","children":"windows"}],["$","$Lf","1",{"href":"../profiling","className":"badge badge-primary m-1","children":"profiling"}],["$","$Lf","2",{"href":"../ntfs","className":"badge badge-primary m-1","children":"ntfs"}]],["$","h1",null,{"className":"h1","dangerouslySetInnerHTML":{"__html":"Record and capture NTFS activity"}}],["$","hr",null,{}],["$","div",null,{"dangerouslySetInnerHTML":{"__html":"

Good day.\nSay, please, is there any chance to intercept and record NTFS activity? \nProcmon records system actions on NTFS (create, open, delete, etc.), but does not show the body of blocks that placed on files while saving them.

\n\n

Thanks!

\n"}}],["$","hr",null,{}],["$","div",null,{"className":"h3","children":["Solution ",["$","li",null,{"className":"h3 fa fa-arrow-down"}]]}],["$","hr",null,{}],["$","div",null,{"dangerouslySetInnerHTML":{"__html":"

You will need to write a file system filter driver. Here's a very good tutorial on it:

\n\n

File System Filter Driver Tutorial

\n"}}],["$","br",null,{}],["$","ul",null,{"className":"list-group","children":[]}],["$","br",null,{}],["$","$L10",null,{}],["$","br",null,{}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","div",null,{"className":"container ftr1","children":[["$","hr",null,{}],["$","footer",null,{"className":"bg-body-tertiary text-center text-lg-start","children":["$","div",null,{"className":"text-center p-3","children":["Content Source :",["$","a",null,{"className":"text-body","href":"https://stackoverflow.com","rel":"nofollow noreferrer noopener","id":"ftlk","style":{"color":"black"},"children":"Stackoverflow"}]," | ",["$","$Lf",null,{"href":"/privacy-policy","style":{"color":"blue !important"},"children":"Privacy Policy"}]," | ",["$","$Lf",null,{"href":"/terms-and-condition","style":{"color":"blue !important"},"children":"Terms and Condition"}]," | ",["$","$Lf",null,{"href":"/contact-us","style":{"color":"blue !important"},"children":"Contact Us"}]]}]}]]}],["$","$L14",null,{}],["$","$L15",null,{}]]