NtNotifyChangeDirectoryFile - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTIOAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
NtNotifyChangeDirectoryFile(
    _In_ HANDLE FileHandle,
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _Out_writes_bytes_(Length) PVOID Buffer, // FILE_NOTIFY_INFORMATION
    _In_ ULONG Length,
    _In_ ULONG CompletionFilter,
    _In_ BOOLEAN WatchTree
    );

#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwNotifyChangeDirectoryFile(
    _In_ HANDLE FileHandle,
    _In_opt_ HANDLE Event,
    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
    _In_opt_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _Out_writes_bytes_(Length) PVOID Buffer, // FILE_NOTIFY_INFORMATION
    _In_ ULONG Length,
    _In_ ULONG CompletionFilter,
    _In_ BOOLEAN WatchTree
    );

#endif


NtNotifyChangeDirectoryFile is used to process changes to a directory File Object. Because the function returns immediately with STATUS_PENDING, you must choose either an Event Object or an APC routine as the form of notification.

FileHandle

HANDLE to File Object opened with SYNCHRONIZE access and FILE_DIRECTORY_FILE option set.

Event

HANDLE to an Event Object. The event can be created as a NotificationEvent or a SynchronizationEvent, but the second one is better in this situation.

ApcRoutine

Address of the user's APC routine, queued when the change completes.

ApcContext

Optional parameter for ApcRoutine.

IoStatusBlock

I/O result of the call. The Status member of IoStatusBlock can be STATUS_NOTIFY_ENUM_DIR when Buffer was too small.

Buffer

User-allocated buffer for change information. It contains one or more FILE_NOTIFY_INFORMATION structures.

BufferSize

Size of Buffer, in bytes.

CompletionFilter

Mask specifying which kinds of changes should be monitored. Can be a combination of:

WatchTree

If set, all subdirectories of the specified directory will also be monitored.
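
The Buffer and IoStatusBlock descriptions above, as an added example (not part of the phnt headers or the original documentation): a bounds-checked walk over the FILE_NOTIFY_INFORMATION records that a completed call returns. It is portable C over a raw byte buffer; the names fni_record, fni_walk and fni_sample are hypothetical, and it assumes IoStatusBlock.Information holds the number of bytes written to Buffer.

```c
#include <stddef.h>
#include <stdint.h>

#define FNI_HEADER 12u  /* NextEntryOffset, Action, FileNameLength: 3 x 32-bit */

typedef struct {
    uint32_t action;        /* FILE_ACTION_* value */
    const uint8_t *name;    /* UTF-16LE, not NUL-terminated */
    uint32_t name_bytes;    /* FileNameLength is in bytes, not characters */
} fni_record;

static uint32_t rd32(const uint8_t *p) {   /* little-endian read, alignment-safe */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks buf[0..valid), where valid is the byte count the I/O reported in
   IoStatusBlock.Information (assumption of this example), not the allocated
   Length. Stores up to max records in out. Returns the number of records
   found, 0 when nothing was returned (rescan the directory), or -1 if any
   record is malformed. */
int fni_walk(const uint8_t *buf, size_t valid, fni_record *out, int max) {
    size_t off = 0;
    int count = 0;
    if (valid == 0)
        return 0;
    for (;;) {
        if (valid - off < FNI_HEADER)
            return -1;                      /* header runs past the valid bytes */
        uint32_t next = rd32(buf + off);
        uint32_t name_bytes = rd32(buf + off + 8);
        if (name_bytes % 2 != 0 || name_bytes > valid - off - FNI_HEADER)
            return -1;                      /* odd UTF-16 length or name past the end */
        if (count < max)
            out[count] = (fni_record){ rd32(buf + off + 4), buf + off + FNI_HEADER, name_bytes };
        count++;
        if (next == 0)
            return count;                   /* NextEntryOffset == 0: last record */
        if (next % 4 != 0 || next < (size_t)FNI_HEADER + name_bytes || next > valid - off)
            return -1;                      /* misaligned, overlapping or out-of-range link */
        off += next;
    }
}

/* Constructed sample: "a" added (action 1), then "bc" modified (action 3). */
const uint8_t fni_sample[32] = {
    16,0,0,0, 1,0,0,0, 2,0,0,0, 'a',0, 0,0,
     0,0,0,0, 3,0,0,0, 4,0,0,0, 'b',0, 'c',0 };
```

A return of 0 corresponds to the STATUS_NOTIFY_ENUM_DIR case: no records are available and the directory has to be enumerated again to learn what changed.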
