Monitor file delete

Hello All,

I need to write a tool that will monitor a particular file (the file path is a parameter from the user).

I am a beginner with little experience in this.

My question is:

  1. Which driver mode should I choose?
  2. I need the driver code in kernel mode to start as the Windows OS boots and end when the OS shuts down.
  3. How do I monitor whether the customer or other software is trying to delete the assigned file?
  4. In case the driver code catches an event that a user or some software is trying to delete that file, how does the driver alert the user?

Thanks in advance!

On Oct 9, 2016, at 3:21 AM, xxxxx@gmail.com wrote:

I need to write a tool that will monitor a particular file (the file path is a parameter from the user).

I am a beginner with little experience in this.

My question is:

  1. Which driver mode should I choose?

You don’t need a driver at all. The FindFirstChangeNotification API can do that.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
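As an added example (not code from the thread or from its participants), the following PowerShell script shows the user-mode approach Tim recommends: watching one file for deletion without a driver. It uses System.IO.FileSystemWatcher, the .NET wrapper over the same directory change notifications that FindFirstChangeNotification exposes in Win32, rather than the raw Win32 call itself. The parameter names, the source identifiers and the log file location under ProgramData are assumptions of this example.

```powershell
# Added example: watch a single file for deletion from user mode.
# Assumed parameters: -Path (file to monitor) and -LogFile (where to record events).
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,
    [string]$LogFile = "$env:ProgramData\FileDeleteMonitor.log"
)

$Path = [System.IO.Path]::GetFullPath($Path)
$dir  = [System.IO.Path]::GetDirectoryName($Path)
$name = [System.IO.Path]::GetFileName($Path)

if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
    throw "Directory does not exist: $dir"
}

function Write-MonitorLog {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss.fff} {1}" -f (Get-Date), $Message
    Add-Content -LiteralPath $LogFile -Value $line
    Write-Host $line
}

# Notifications are delivered per directory, so watch the parent directory
# and filter on the one file name we care about.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $dir
$watcher.Filter = $name
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
$watcher.IncludeSubdirectories = $false

# A file can vanish two ways: an explicit delete, or a rename to another name.
# Register both so neither is missed; events queue up until Wait-Event drains them.
Register-ObjectEvent -InputObject $watcher -EventName Deleted -SourceIdentifier 'FileMonitor.Deleted' | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Renamed -SourceIdentifier 'FileMonitor.Renamed' | Out-Null
$watcher.EnableRaisingEvents = $true

Write-MonitorLog "START monitoring $Path"

try {
    while ($true) {
        # Wake up every few seconds so Ctrl+C (and service stop) is honoured promptly.
        $ev = Wait-Event -Timeout 5
        if ($null -eq $ev) { continue }

        $e = $ev.SourceEventArgs
        switch ($ev.SourceIdentifier) {
            'FileMonitor.Deleted' { Write-MonitorLog "DELETED $($e.FullPath)" }
            'FileMonitor.Renamed' { Write-MonitorLog "RENAMED $($e.OldFullPath) -> $($e.FullPath)" }
        }
        Remove-Event -EventIdentifier $ev.EventIdentifier
    }
}
finally {
    # Always detach, otherwise the watcher keeps the directory handle open.
    $watcher.EnableRaisingEvents = $false
    Unregister-Event -SourceIdentifier 'FileMonitor.Deleted'
    Unregister-Event -SourceIdentifier 'FileMonitor.Renamed'
    $watcher.Dispose()
    Write-MonitorLog "STOP monitoring $Path"
}
```

Run it as `.\Watch-FileDelete.ps1 -Path C:\data\important.txt` (the script name is an assumption). One caveat worth knowing before building on this: directory change notifications, whether from FindFirstChangeNotification, ReadDirectoryChangesW or FileSystemWatcher, tell you that the file was deleted or renamed, not which process did it. Recording the deleting process, as the original poster later asks for, needs a different source such as Windows object access auditing on the file, which this example does not set up.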

Thank you very much for your tips. FindFirstChangeNotification can do that job. But that requires my user mode application to run every time the OS boots, which means I need to set my program path in the auto run registry or make it a service? I am in China, where there is a lot of malware that often modifies the registry (like removing my application path from the auto run registry, or changing my service from auto run to demand), which means my app might lose many opportunities to catch the remove event.

By the way, I don’t block the file delete operation. I just need to record, which process deleted the monitored files.

Thank you.

You need to run it in a service, not a user app.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: 10 October 2016 11:58
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Monitor file delete
NTDEV is sponsored by OSR

xxxxx@gmail.com wrote:

Thank you very much for your tips. FindFirstChangeNotification can do that job. But that requires my user mode application to run every time the OS boots, which means I need to set my program path in the auto run registry or make it a service?

Make it a service. That is certainly a far less onerous course than
writing a file system filter driver, as you originally proposed.

I am in China, where there is a lot of malware that often modifies the registry (like removing my application path from the auto run registry, or changing my service from auto run to demand), which means my app might lose many opportunities to catch the remove event.

True. You can certainly protect your registry key by changing its
permissions or setting a protected owner, but once malware has
administrative privileges, it’s game over. You’re screwed. There is no
foolproof solution. When you’re considering antimalware software, you
always have to be aware of what protection is possible, and what is
pointless.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thank you very much, Tim and Ged.