Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Identifying a set of operations
Hi all,
Let's say I have a set of operations for deleting a file - that is create, setfileinformation and close. What is the best way to uniquely identify this flow in my mini-filter? is there sort of a unique id?
Thanks in advance.
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | Kernel Debugging | 30 Mar 2020 | OSR Seminar Space |
| Developing Minifilters | 15 Jun 2020 | LIVE ONLINE |
| Writing WDF Drivers | 22 June 2020 | LIVE ONLINE |
| Internals & Software Drivers | 28 Sept 2020 | Dulles, VA |
Comments
No.
You can look for all sorts of heuristics (thread Id and File Object or FsContext2 might be somewhere to start), but nothing is guaranteed.
And of course there are many other ways that a file can be deleted..
Check out the delete sample from microsoft.
https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/delete
Cheers,
Gabriel