First off, here are the constraints:

  • Must run on XP
  • Must notify of both drive letter assignments and mounting a volume to a folder
  • Must not 'wake' a drive if it is sleeping.
  • I'd really rather not poll the drive.

What I've tried:

  1. Google
  2. I've looked at WMI and the Win32_LogicalDisk class. I can determine which drives are mounted to a drive letter, but not those mounted to a folder. The Win32_Volume* and Win32_MountPoint classes would be perfect, but are not available on XP.
  3. I've tried polling the drives using FindFirstVolume & GetVolumePathNamesForVolumeName (even though I'd rather not do that), but it appears that the drives must be spun up before it can give me the information. And again, ew, polling.

I was considering the possibility of using API hooking to hook calls to SetVolumeMountPoint and DeleteVolumeMountPoint but I don't think that would catch everything and it seems like that might be an ugly hack anyway.

So, yea, I'm looking for suggestions :)

+2  A: 

API hooking on SetVolumeMountPoint should let you intercept volume mounts. I'm not sure about network shares though.

But it wouldn't be an 'ugly hack'. What you're trying to do is what hooking was built into Windows for. Codeproject.com has great tutorials on API hooking: http://www.codeproject.com/KB/system/hooksys.aspx

So you actually stated your own best solution. Remember, there's also a separate API for drive letters: http://nukz.net/reference/fileio/hh/winbase/fsys_6j8z.htm

Your project sounds interesting. Usually, trojans and anti-virus try to do this (and they also catch network shares.) I'm only casually familiar with the topic, so I hope this helps.

Chris
A: 

Thanks, I think that you are correct. I'm going to run with it :)

Nick
Cool! That Windows system level stuff usually isn't too bad. There's a boatload of stuff on the web about what you're doing. The downside is you want to be extra careful about where you get your code from; binary examples from VX sites in particular are scary.
Chris