The IFS manager provides support for the Win32 apis: FindFirstChangeNotify(), FindNextChangeNotify() and FindCloseChangeNotify(). The support is done entirely in the IFS manager so that the individual FSDs do not each need to have code for change notifications. FSDs are not aware of the presence of change notification. The FindNextChangeNotify and FindCloseChangeNotify functions are sent down the hook before eventually being processed in the IFS manager. The FindFirstChangeNotify is not sent down the filesystem api hook. It is strongly recommended that filesystem api hookers do not attempt to hook these apis in any fashion. Since the notification event itself cannot be suppressed, it serves no purpose to hook these functions.
While the Win32 api is supported in toto for the most part, there are differences in the semantics of some filters. These are enumerated below.
1 The FILE_NOTIFY_CHANGE_SIZE and FILE_NOTIFY_CHANGE_LAST_WRITE filters are triggered only when the file is closed. In addition, the notification is done only for files that are opened in the specified path or subtree after the FindFirstChangeNotify is registered. Changes to files that were open prior to the FindFirstChangeNotify call will not trigger the above-mentioned notification events.
2 The FILE_NOTIFY_CHANGE_SECURITY filter is not supported.