Information from IoStatusBlock at Post Create is able to show when files are being opened, giving the FILE_OPENED value. When a file is being clicked on in Windows File Explorer, opened up on Notepad, closed on Notepad, etc., they all return the FILE_OPENED value. If it is the case of a directory, typing "dir" on the command line will also cause a FILE_OPENED.
What I am trying to do is to differentiate each of the above events in more detail. E.g. when a user simply clicks on the file in Windows File Explorer, I'd like to know that this is the case, and that it is not because he/she opened the file on Notepad. A more critical scenario is to audit when the user had opened a file, and had not just happened to click on the file in Explorer.
I had tried placing debug messages in the Pre and Post Operations of IRP_MJ_CREATE, IRP_MJ_WRITE, IRP_MJ_CLOSE, IRP_MJ_CLEANUP, IRP_MJ_READ, IRP_MJ_SET_INFORMATION and IRP_MJ_QUERY_INFORMATION to detect any patterns of callbacks that can tell the difference between the events I stated earlier. However, I was not able to spot anything telling.
I am perceiving that this is because the kernel level is only able to detect when files are being opened, and not how. Should Notepad open or close a text file, it does not make any difference to the kernel. If this is correct, can I still achieve what I am trying to? Would appreciate any direction that anyone can point me towards.
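As an added example (not code from the question or from any answer), the helper below shows, in C and in the shape of a minifilter post-create routine, what IRP_MJ_CREATE exposes besides IoStatus.Information: the caller's DesiredAccess and CreateOptions. An attribute-only open (FILE_READ_ATTRIBUTES | SYNCHRONIZE, typical of a listing or icon lookup) and a content open (GENERIC_READ, FILE_WRITE_DATA, DELETE) look identical in the FILE_OPENED result but differ in the access mask, and the per-handle counter at the end handles the remaining gap, an open for read that never actually issues an IRP_MJ_READ before IRP_MJ_CLEANUP. The FILE_*/GENERIC_* values are the real NT constants; the mapping to callback fields in the comments, the function names and the sample requests are assumptions made for this example.

```c
/* Classify IRP_MJ_CREATE completions for auditing (assumed helper, not WDK code).
 * The constants below are the real NT values from ntifs.h/winnt.h; they are
 * guarded so the file also builds user-mode for a self-test. In a driver,
 * delete the shim block and #include <fltKernel.h>. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef FILE_READ_DATA
#define FILE_READ_DATA         0x00000001u
#define FILE_LIST_DIRECTORY    0x00000001u   /* same bit as FILE_READ_DATA, on directories */
#define FILE_WRITE_DATA        0x00000002u
#define FILE_APPEND_DATA       0x00000004u
#define FILE_EXECUTE           0x00000020u
#define FILE_READ_ATTRIBUTES   0x00000080u
#define DELETE                 0x00010000u
#define SYNCHRONIZE            0x00100000u
#define MAXIMUM_ALLOWED        0x02000000u
#define GENERIC_ALL            0x10000000u
#define GENERIC_EXECUTE        0x20000000u
#define GENERIC_WRITE          0x40000000u
#define GENERIC_READ           0x80000000u
#define FILE_DIRECTORY_FILE    0x00000001u   /* CreateOptions */
#define FILE_DELETE_ON_CLOSE   0x00001000u   /* CreateOptions */
#define FILE_SUPERSEDED        0x00000000u   /* IoStatus.Information values */
#define FILE_OPENED            0x00000001u
#define FILE_CREATED           0x00000002u
#define FILE_OVERWRITTEN       0x00000003u
#endif

typedef enum {
    AUDIT_METADATA_ONLY,   /* attributes/icon/tooltip style open (Explorer listing) */
    AUDIT_DIRECTORY_LIST,  /* directory opened for enumeration ("dir", Explorer) */
    AUDIT_READ_DATA,       /* caller asked to read contents (Notepad File > Open) */
    AUDIT_EXECUTE,
    AUDIT_WRITE_DATA,      /* create/overwrite/write/append, or broad access */
    AUDIT_DELETE
} audit_class;

/* Assumed mapping to the post-create callback parameters:
 *   desired       = Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess
 *   createOptions = Data->Iopb->Parameters.Create.Options & 0x00FFFFFF (low 24 bits)
 *   information   = Data->IoStatus.Information (FILE_OPENED, FILE_CREATED, ...)
 *   isDirectory   = FileStandardInformation.Directory via FltQueryInformationFile
 * The requesting process comes from FltGetRequestorProcessId(Data). */
audit_class ClassifyCreate(uint32_t desired, uint32_t createOptions,
                           uint32_t information, int isDirectory)
{
    /* Broad requests can do anything; audit them as the most privileged class. */
    if (desired & (GENERIC_ALL | MAXIMUM_ALLOWED))
        return AUDIT_WRITE_DATA;
    if ((desired & DELETE) || (createOptions & FILE_DELETE_ON_CLOSE))
        return AUDIT_DELETE;
    /* The disposition outcome is only known at post-create; new or overwritten = write. */
    if (information == FILE_CREATED || information == FILE_OVERWRITTEN ||
        information == FILE_SUPERSEDED)
        return AUDIT_WRITE_DATA;
    if (desired & (GENERIC_WRITE | FILE_WRITE_DATA | FILE_APPEND_DATA))
        return AUDIT_WRITE_DATA;
    if (isDirectory || (createOptions & FILE_DIRECTORY_FILE))
        return (desired & (GENERIC_READ | FILE_LIST_DIRECTORY))
                   ? AUDIT_DIRECTORY_LIST : AUDIT_METADATA_ONLY;
    if (desired & (GENERIC_EXECUTE | FILE_EXECUTE))
        return AUDIT_EXECUTE;
    if (desired & (GENERIC_READ | FILE_READ_DATA))
        return AUDIT_READ_DATA;
    return AUDIT_METADATA_ONLY;   /* e.g. FILE_READ_ATTRIBUTES | SYNCHRONIZE */
}

/* Per-handle state, meant to live in a stream-handle context allocated at
 * post-create and reported at IRP_MJ_CLEANUP. Counting actual IRP_MJ_READ /
 * IRP_MJ_WRITE traffic separates "opened for read" from "really read it". */
typedef struct {
    audit_class opened_as;
    uint64_t    bytes_read;
    uint64_t    bytes_written;
} handle_audit;

void AuditOnRead(handle_audit *h, uint32_t len)  { h->bytes_read    += len; }
void AuditOnWrite(handle_audit *h, uint32_t len) { h->bytes_written += len; }

/* Final verdict for the handle: a read-access open that never issued a read
 * is downgraded to metadata-only, which is what a plain Explorer click looks like. */
audit_class AuditFinalize(const handle_audit *h)
{
    if (h->bytes_written)
        return AUDIT_WRITE_DATA;
    if (h->opened_as == AUDIT_READ_DATA && h->bytes_read == 0)
        return AUDIT_METADATA_ONLY;
    return h->opened_as;
}

const char *AuditClassName(audit_class c)
{
    static const char *names[] = { "metadata-only", "directory-list", "read-data",
                                   "execute", "write-data", "delete" };
    return names[c];
}

int main(void)
{
    /* Constructed sample requests, not captured from a real system. */
    handle_audit notepad = { ClassifyCreate(GENERIC_READ | SYNCHRONIZE, 0, FILE_OPENED, 0), 0, 0 };
    AuditOnRead(&notepad, 4096);
    printf("notepad open:   %s\n", AuditClassName(AuditFinalize(&notepad)));

    handle_audit click = { ClassifyCreate(FILE_READ_ATTRIBUTES | SYNCHRONIZE, 0, FILE_OPENED, 0), 0, 0 };
    printf("explorer click: %s\n", AuditClassName(AuditFinalize(&click)));

    printf("dir:            %s\n", AuditClassName(ClassifyCreate(
        FILE_LIST_DIRECTORY | SYNCHRONIZE, FILE_DIRECTORY_FILE, FILE_OPENED, 1)));
    return 0;
}
```

The classification runs at post-create because only there are both the requested access and the disposition outcome in IoStatus.Information available; the stream-handle bookkeeping is what turns "Notepad asked for GENERIC_READ" into "Notepad read 4096 bytes before cleanup", which is the audit fact the question is after. Note that it still records what a process requested and did with the handle, not why the user did it, so the requestor PID and image name should be logged alongside the class.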