监控文件系统用得到的API 流沙

 http://msdn.microsoft.com/en-us/library/aa302237.aspx

NT_TRANSACT_NOTIFY_CHANGE

The NT_TRANSACT_NOTIFY_CHANGE command notifies the client when the directory specified by Fid is modified. It also returns the names of any files that changed. Parameters for the command are encoded in NT_TRANSACT command subheader fields as shown.

                    Field name               Displacement        Length
                                                (bytes)         (bytes)
ClientRequestSetupWordsEncoding
                    CompletionFilter               0               4
                    Fid                            4               2
                    WatchTree                      6               1
                    Reserved                       7               1
  ServerResponseParameterEncoding
                    ParameterCount                 0               1
                    FileNotifyInformation          1            Variable
                    NextEntryOffset                *               4
                    Action                         *               4
                    FileNameLength                 *               4
                    FileName                       *            Variable

 

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1

Fields

ClientRequestSetupWordsEncoding

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
CompletionFilter																																Fid																WatchTree								Reserved

Encoded in SetupWords[] in the client request.

CompletionFilter

Data type: ULONG

Type of operation to monitor. The value is the sum of any of the following flags.

Name	Value
FILE_NOTIFY_CHANGE_FILE_NAME	0x00000001
FILE_NOTIFY_CHANGE_DIR_NAME	0x00000002
FILE_NOTIFY_CHANGE_NAME	0x00000003
FILE_NOTIFY_CHANGE_ATTRIBUTES	0x00000004
FILE_NOTIFY_CHANGE_SIZE	0x00000008
FILE_NOTIFY_CHANGE_LAST_WRITE	0x00000010
FILE_NOTIFY_CHANGE_LAST_ACCESS	0x00000020
FILE_NOTIFY_CHANGE_CREATION	0x00000040
FILE_NOTIFY_CHANGE_EA	0x00000080
FILE_NOTIFY_CHANGE_SECURITY	0x00000100
FILE_NOTIFY_CHANGE_STREAM_NAME	0x00000200
FILE_NOTIFY_CHANGE_STREAM_SIZE	0x00000400
FILE_NOTIFY_CHANGE_STREAM_WRITE	0x00000800

Fid

Data type: USHORT

File identifier or handle of the directory to monitor.

WatchTree

Data type: BOOLEAN

If TRUE, all subdirectories will be watched; otherwise, FALSE.

Reserved

Data type: UCHAR

Reserved. This value must be 0 (zero).

ServerResponseParameterEncoding

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
ParameterCount

File notification packet.

ParameterCount

Number of bytes of change data.

FileNotifyInformation

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
NextEntryOffset																																Action																																FileNameLength																																FileName1

Data type: struct

The response contains FILE_NOTIFY_INFORMATION structures, as defined below. The NextEntryOffset field of the structure specifies the offset, in bytes, from the start of the current entry to the next entry in the list. If this is the last entry in the list, this field is zero. Each entry in the list must be longword aligned, so NextEntryOffset must be a multiple of four.

NextEntryOffset

Data type: ULONG

Offset, in bytes, from the start of the current entry to the next entry in the list. Each entry in the list must be 4-byte aligned, so NextEntryOffset must be a multiple of four. If this is the last entry in the list, the value is 0 (zero).

Action

Data type: ULONG

Action taken for the specified file name.

Name	Value
FILE_ACTION_ADDED	0x00000001
FILE_ACTION_REMOVED	0x00000002
FILE_ACTION_MODIFIED	0x00000003
FILE_ACTION_RENAMED_OLD_NAME	0x00000004
FILE_ACTION_RENAMED_NEW_NAME	0x00000005
FILE_ACTION_ADDED_STREAM	0x00000006
FILE_ACTION_REMOVED_STREAM	0x00000007
FILE_ACTION_MODIFIED_STREAM	0x00000008

FileNameLength

Data type: ULONG

File name length of the changed file.

FileName1

Data type: WCHAR

Name of file for which a change is notified.

Remarks

This command notifies the client when the directory specified by Fid is modified. It also returns the name(s) of the file(s) that changed. The command completes once the directory has been modified based on the supplied CompletionFilter. The command is a "single shot" and therefore needs to be reissued to watch for more directory changes.

When a change that is in the CompletionFilter field is made to the directory, the command completes. The names of the files that have changed since the last time the command was issued are returned to the client. The ParameterCount field of the server response indicates the number of bytes that are being returned. If too many files have changed since the last time the command was issued, then zero bytes are returned and an alternate status code is returned in the Status field of the server response header.

A directory file must be opened before this command may be used. After the directory is open, this command may be used to begin watching files and subdirectories in the specified directory for changes. The first time the command is issued, the MaxParameterCount field in the packet header determines the size of the buffer that will be used at the server to buffer directory change information between issuances of the notify change commands.