Home/ Questions/Q 8086081
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T18:20:34+00:00

I have a software that is tracking an NTFS volume changes on a Windows

  • 0

I have a software that is tracking an NTFS volume changes on a Windows OS using volume filter driver. I need to handle a condition when the volume gets mounted and modified outside of the OS where my driver is installed.

Is it possible to figure out the “last mount time” of the volume? or any other parameter allowing me to tell if the volume has been mounted outside of my driver control?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I don’t know of a “last mount time”, but there is a “log file open count”. If you look at http://www.opensource.apple.com/source/ntfs/ntfs-64/kext/ntfs_logfile.h, you will see a RESTART_AREA structure like this:

    /* 40*/ le32 restart_log_open_count;/* A counter that gets incremented every
                                     time the logfile is restarted which happens
                                     at mount time when the logfile is opened.
                                     When creating set to a random value.  Win2k
                                     sets it to the low 32 bits of the current
                                     system time in NTFS format (see time.h). */
/* 44*/ le32 reserved;      /* Reserved/alignment to 8-byte boundary. */
/* sizeof() = 48 (0x30) bytes */
} __attribute__((__packed__)) RESTART_AREA;

    You can see that near the end of it is a restart_log_open_count that you can use to keep track of mounts. You would look at the value and compare it to a saved value. It should be equal to the saved value plus one. If so, it hasn’t been mounted since you last had control.

    • 0