NT_TRANSACT_NOTIFY_CHANGE: Request Change Notification

Client Setup Words                 Description
================================== =================================
ULONG CompletionFilter;            Specifies operation to monitor
USHORT Fid;                        Fid of directory to monitor
BOOLEAN WatchTree;                 TRUE = watch all subdirectories too
UCHAR Reserved;                    MBZ

This command notifies the client when the directory specified by Fid is modified. It also returns the name(s) of the file(s) that changed. The command completes once the directory has been modified based on the supplied CompletionFilter. The command is a "single shot" and therefore needs to be reissued to watch for more directory changes.

A directory file must be opened before this command may be used. Once the directory is open, this command may be used to begin watching files and subdirectories in the specified directory for changes. The first time the command is issued, the MaxParameterCount field in the transact header determines the size of the buffer that will be used at the server to buffer directory change information between issuances of the notify change commands.

When a change that is in the CompletionFilter is made to the directory, the command completes. The names of the files that have changed since the last time the command was issued are returned to the client. The ParameterCount field of the response indicates the number of bytes that are being returned. If too many files have changed since the last time the command was issued, then zero bytes are returned and an alternate status code is returned in the Status field of the response.

The CompletionFilter is a mask created as the sum of any of the following flags:

FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001
FILE_NOTIFY_CHANGE_DIR_NAME 0x00000002
FILE_NOTIFY_CHANGE_NAME 0x00000003
FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004
FILE_NOTIFY_CHANGE_SIZE 0x00000008
FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010
FILE_NOTIFY_CHANGE_LAST_ACCESS 0x00000020
FILE_NOTIFY_CHANGE_CREATION 0x00000040
FILE_NOTIFY_CHANGE_EA 0x00000080
FILE_NOTIFY_CHANGE_SECURITY 0x00000100
FILE_NOTIFY_CHANGE_STREAM_NAME 0x00000200
FILE_NOTIFY_CHANGE_STREAM_SIZE 0x00000400
FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800

Server Response                    Description
================================== ==================================
ParameterCount                     # of bytes of change data
Parameters[ ParameterCount ]       FILE_NOTIFY_INFORMATION structures

The response contains FILE_NOTIFY_INFORMATION structures, as defined below. The NextEntryOffset field of the structure specifies the offset, in bytes, from the start of the current entry to the next entry in the list. If this is the last entry in the list, this field is zero. Each entry in the list must be longword aligned, so NextEntryOffset must be a multiple of four.

typedef struct {
    ULONG NextEntryOffset;
    ULONG Action;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NOTIFY_INFORMATION;

Where Action describes what happened to the file named FileName:

FILE_ACTION_ADDED 0x00000001
FILE_ACTION_REMOVED 0x00000002
FILE_ACTION_MODIFIED 0x00000003
FILE_ACTION_RENAMED_OLD_NAME 0x00000004
FILE_ACTION_RENAMED_NEW_NAME 0x00000005
FILE_ACTION_ADDED_STREAM 0x00000006
FILE_ACTION_REMOVED_STREAM 0x00000007
FILE_ACTION_MODIFIED_STREAM 0x00000008
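
An added example, not part of the original specification text: a bounds-checked walk of the FILE_NOTIFY_INFORMATION list in C, checking every offset and length against ParameterCount before it is used. It assumes little-endian wire fields and that FileNameLength counts bytes (neither is stated above); parse_notify, notify_cb, record_action and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: fields are little-endian on the wire; read one 32-bit field. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical callback type: receives one validated entry. */
typedef void (*notify_cb)(uint32_t action, const uint8_t *name,
                          uint32_t name_bytes, void *ctx);

/* Walk Parameters[ParameterCount]. Returns the number of entries, 0 for an
 * empty buffer (the "too many changes" case: consult Status and rescan the
 * directory), or -1 if any field points outside the buffer. */
int parse_notify(const uint8_t *buf, size_t len, notify_cb cb, void *ctx) {
    size_t off = 0;
    int n = 0;
    if (len == 0) return 0;
    for (;;) {
        if (len - off < 12) return -1;            /* fixed header must fit */
        uint32_t next = rd32(buf + off);
        uint32_t action = rd32(buf + off + 4);
        uint32_t name_bytes = rd32(buf + off + 8);
        /* Name must be whole WCHARs and lie inside what was received. */
        if (name_bytes % 2 || name_bytes > len - off - 12) return -1;
        if (cb) cb(action, buf + off + 12, name_bytes, ctx);
        n++;
        if (next == 0) return n;                  /* last entry */
        /* Next entry: 4-byte aligned, past this entry, inside the buffer. */
        if (next % 4 || next < 12 + (size_t)name_bytes || next >= len - off)
            return -1;
        off += next;
    }
}

/* Example callback: remember the Action of the most recent entry. */
void record_action(uint32_t action, const uint8_t *name, uint32_t nb, void *ctx) {
    (void)name; (void)nb; *(uint32_t *)ctx = action;
}

/* Constructed sample: "ab" ADDED (0x1), then "c" MODIFIED (0x3). */
const uint8_t sample_ok[] = {
    16,0,0,0, 1,0,0,0, 4,0,0,0, 'a',0,'b',0,
    0,0,0,0,  3,0,0,0, 2,0,0,0, 'c',0 };
/* Constructed malformed samples: oversized name; entry overlapping itself. */
const uint8_t sample_long_name[] = { 0,0,0,0, 1,0,0,0, 0x40,0,0,0, 'a',0 };
const uint8_t sample_overlap[] = { 4,0,0,0, 1,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
```

The name passed to the callback is not NUL-terminated; a caller must use name_bytes rather than scanning for a terminator.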