What is the sequence of firing of IRP_MJ callback events

iam new in driver development
i want to know what is the sequence of firing of these events/callbacks which i have declared, i want analaysis files in the directory as soon as user open directory

const FLT_OPERATION_REGISTRATION Callbacks = {

{ IRP_MJ_CREATE,
  FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
  ScannerPreCreate,
  ScannerPostCreate},

  { IRP_MJ_WRITE,
  0,
  NULL,
  PostOperationIrpWrite },

  { IRP_MJ_SET_INFORMATION,
  0,
  PreOperationIrpInfo,
  NULL },

  { IRP_MJ_CLEANUP,
  0,
  PreOperationIrpCleanup,
  PostOperationIrpCleanup },

{ IRP_MJ_OPERATION_END}

};

your question sort of makes so sense. You could say “Here are five cars, which one will come first?”. Callbacks are called in response to application activity.

In general an application will open a file (MJ_CREATE), perhaps do some stuff (MJ_WRITE, MJ_SET_INFO) then close the handle (MJ_CLEANUP) then maybe if it has a section or if the file was cached there may be some more activity (MJ_WRITE, MJ_SET_INFO) and finally when the OS gets bored you’ll see a MJ_CLOSE.

But of course there are multiple applications so “any order”.

you should start procmon and look at file activity since it is precisely reporting these activities.

1 Like