Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.Identifying a set of operations
Hi all,
Let's say I have a set of operations for deleting a file - that is create, setfileinformation and close. What is the best way to uniquely identify this flow in my mini-filter? is there sort of a unique id?
Thanks in advance.
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
| Upcoming OSR Seminars | ||
|---|---|---|
| Writing WDF Drivers | 21 Oct 2019 | OSR Seminar Space & ONLINE |
| Internals & Software Drivers | 18 Nov 2019 | Dulles, VA |
| Kernel Debugging | 30 Mar 2020 | OSR Seminar Space |
| Developing Minifilters | 27 Apr 2020 | OSR Seminar Space & ONLINE |
Comments
No.
You can look for all sorts of heuristics (thread Id and File Object or FsContext2 might be somewhere to start), but nothing is guaranteed.
And of course there are many other ways that a file can be deleted..
Check out the delete sample from microsoft.
https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/delete
Cheers,
Gabriel