Get response from user in driver

santosh_menon Member Posts: 7

I am creating a real-time minifilter driver for an anti-virus.
These are the events I have registered:

    { IRP_MJ_CREATE,
      0,
      ScannerPreCreate,
      ScannerPostCreate },

    { IRP_MJ_WRITE,
      0,
      NULL,
      PostOperationIrpWrite },

    { IRP_MJ_SET_INFORMATION,
      0,
      PreOperationIrpInfo,
      NULL },

    { IRP_MJ_CLEANUP,
      0,
      PreOperationIrpCleanup,
      PostOperationIrpCleanup },

    { IRP_MJ_OPERATION_END }

Is it possible to find from the driver that the user is going to delete a file?
For example, if there is a user prompt for deleting a file,
I want to ignore that file. Please help.

Comments

  • rod_widdowson Member - All Emails Posts: 1,131

    You have no visibility on what the user does or sees.

    You can find out if the file is marked for delete (FileStandardInformation) but there are many ways to delete a file which do not involve marking for delete. I believe that there is a sample which demonstrates this.

  • santosh_menon Member Posts: 7

    @rod_widdowson said:
    You have no visibility on what the user does or sees.

    You can find out if the file is marked for delete (FileStandardInformation) but there are many ways to delete a file which do not involve marking for delete. I believe that there is a sample which demonstrates this.

    Hi Rod,

    Thanks for sharing information.

    Actually, I am developing an "on-access driver" for our anti-malware application.

    What exactly we need is that when the user accesses a file, we scan it with our engine and, if malware is found, do a quarantine operation.

    Now, in the case I shared, even when I press Shift+Delete, the driver gives a file access notification and my engine quarantines that particular file.

    I want to ignore this step, because if the user is going to delete a file it is not a harmful action; this is the common behavior of all antivirus real-time protection.

    Can you please help me achieve the same? Thanks.

  • Scott_Noone_(OSR) Administrator Posts: 3,299

    It's complicated... Play with the Delete sample that Rod mentioned to start understanding the problems:

    https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/delete

    -scott
    OSR
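
As an added illustration of the delete-marking checks discussed in this thread (not code from any poster or from the Microsoft sample): a classifier for the two request shapes that carry delete intent, delete-on-close at create time and the disposition information classes. The `op_view` struct, the `delete_intent` enum and the function name are hypothetical; the constants mirror the WDK values and are defined locally so the logic compiles outside a driver build. It does not cover every way a file can disappear.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values mirror the WDK headers; redefined here only so this builds in user mode. */
#define IRP_MJ_CREATE                 0x00
#define IRP_MJ_SET_INFORMATION        0x06
#define FILE_DELETE_ON_CLOSE          0x00001000u
#define FILE_DISPOSITION_DELETE       0x00000001u
#define FileDispositionInformation    13
#define FileDispositionInformationEx  64

typedef enum { INTENT_NONE, INTENT_DELETE_ON_CLOSE,
               INTENT_SET_DELETE, INTENT_CLEAR_DELETE } delete_intent;

/* Hypothetical flattened view of what a pre-operation callback reads from Data->Iopb. */
typedef struct {
    uint8_t     major;           /* Iopb->MajorFunction */
    uint32_t    create_options;  /* Parameters.Create.Options */
    uint32_t    info_class;      /* Parameters.SetFileInformation.FileInformationClass */
    const void *info_buffer;     /* Parameters.SetFileInformation.InfoBuffer */
    uint32_t    info_length;     /* Parameters.SetFileInformation.Length */
} op_view;

delete_intent classify_delete_intent(const op_view *op)
{
    if (op->major == IRP_MJ_CREATE)   /* handle opened with delete-on-close */
        return (op->create_options & FILE_DELETE_ON_CLOSE)
                   ? INTENT_DELETE_ON_CLOSE : INTENT_NONE;
    if (op->major != IRP_MJ_SET_INFORMATION || op->info_buffer == NULL)
        return INTENT_NONE;
    if (op->info_class == FileDispositionInformation && op->info_length >= 1)
        /* FILE_DISPOSITION_INFORMATION is a single BOOLEAN DeleteFile. */
        return *(const uint8_t *)op->info_buffer ? INTENT_SET_DELETE : INTENT_CLEAR_DELETE;
    if (op->info_class == FileDispositionInformationEx &&
        op->info_length >= sizeof(uint32_t)) {
        uint32_t flags;               /* FILE_DISPOSITION_INFORMATION_EX.Flags */
        memcpy(&flags, op->info_buffer, sizeof flags);
        return (flags & FILE_DISPOSITION_DELETE) ? INTENT_SET_DELETE : INTENT_CLEAR_DELETE;
    }
    return INTENT_NONE;               /* any other class: no delete marking */
}

int main(void)
{
    uint8_t del = 1;                  /* constructed sample: DeleteFile = TRUE */
    op_view sample = { IRP_MJ_SET_INFORMATION, 0, FileDispositionInformation, &del, sizeof del };
    return classify_delete_intent(&sample) == INTENT_SET_DELETE ? 0 : 1;
}
```

`INTENT_CLEAR_DELETE` is reported separately because a later request can undo the marking, so an on-access scanner that skips files on the first delete signal needs to re-evaluate when it sees that result.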
