Hi all,
I am trying to identify file read operations with missing files in a particular folder. For that I am using IRP_MJ_CREATE and I am performing the following logic in the FLT_PREOP_CALLBACK:
I call the functions FltGetFileNameInformation(), FltParseFileNameInformation() and verify if the path of the object belongs to my desired folder, if so I call FltCreateFile().
Now, I assume three possible status for the FltCreateFile() method: SUCCESS, everything is fine; STATUS_OBJECT_NAME_NOT_FOUND, the file does not exists in the file system so I print a message informing that the file is missing; And finally, any other error, I simply print a message informing that an error ocurred.
My question is: is this the correct approach?
The reason why I ask this is because I am having some problems.
For instance, if I create a folder “New folder” inside my watched directory, I get several events for the objects “New folder\desktop.ini”, “folder.jpg” and “folder.gif” that when opened return STATUS_OBJECT_NAME_NOT_FOUND, so I flag them as missing files. In order to solve this when I verify the path of the object, I simply verify if the final component corresponds to “desktop.ini”, “folder.jpg” and “folder.gif”, and if so I ignore it.
Other problem I have is when opening a file that exists, I get an event for an object with the name “test.txt:Zone.Identifier”, again, to solve this I am ignoring files with the string “:Zone.Identifier” in the final component.
When I also create a file in the folder (by copy/pasting or right click > new > file) I also get some events that later, when opening the file get STATUS_OBJECT_NAME_NOT_FOUND…
Is this the correct way to do this? or there is a better approach?
Thanks for any input.