Filtering file reading

Keterna Member Posts: 18

Dear all,

Following my previous post about minifilter performance, I realized I have bad results when my driver is registering a callback to the IRQ IRP_MJ_READ. The purpose of this callback is an authorization filter, which determines whether the content of the file can be read. In the case where the read of the file is granted, the logic is still executed on each IRQ of that type, which is not efficient and results in a performance drop.

I realized that I wanted to filter the initial opening of the file, such as by registering a callback for the IRQ IRP_MJ_CREATE. My question is: does the operating system require an IRQ of type IRP_MJ_CREATE to be performed before subsequent IRP_MJ_READ requests to access a file? In other words, is the IRQ IRP_MJ_CREATE a good way to implement file authorization?

Many thanks!


  • Scott_Noone_(OSR) Administrator Posts: 3,299

    Yes, applications need to open a file before they read it, and yes, IRP_MJ_CREATE is a good way.


  • Keterna Member Posts: 18
    edited January 20

    Hey Scott! Thanks for your reply.

    I faced a very interesting case when some users tested my application! I prevent the access to some kind of types by listening for the IRP IRP_MJ_CREATE and checking whether the path of the file matches a set of forbidden paths. This works fine, except that that IRP is not triggered when a parent folder of the files is renamed (or moved). Apparently, no IRPs are created for each file in the renamed folder. This means one can rename a parent folder to change the path which the minifilter is checking.

    Is there another IRP with which I can detect that a parent directory of a file is renamed, or must I watch all the parent folders to prevent their manipulation?

    Thanks!

  • Scott_Noone_(OSR) Administrator Posts: 3,299

    Right, you can rename a directory without having to rename each file under it. If this case matters you need to monitor renames and see if the rename is a prefix match for your directories/files of interest (RtlPrefixUnicodeString helps).
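
The prefix check suggested in the last reply, as an added user-mode C model that is not code from the thread or from OSR: it decides whether the source of a rename is a protected path, an ancestor directory of one, or an object inside a protected directory. It goes slightly beyond the reply by requiring the match to end on a path separator, which a raw RtlPrefixUnicodeString comparison does not do. The protected paths and function names are constructed for illustration; a minifilter would make the same decision on normalized names in its pre-operation callback for IRP_MJ_SET_INFORMATION with FileRenameInformation.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample policy: paths the filter refuses to open (hypothetical). */
static const char *const kProtected[] = {
    "\\Device\\HarddiskVolume2\\Data\\Secret\\plan.docx",
    "\\Device\\HarddiskVolume2\\Vault",
};

/* True when `dir` equals `path` or is one of its ancestor directories.
 * Case-insensitive, like RtlPrefixUnicodeString(dir, path, TRUE), plus a
 * component-boundary check so "\Data\Sec" does not match "\Data\Secret". */
static bool is_self_or_ancestor(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    while (n > 0 && dir[n - 1] == '\\')   /* ignore trailing separators */
        n--;
    if (strlen(path) < n)
        return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)dir[i]) != tolower((unsigned char)path[i]))
            return false;
    return path[n] == '\0' || path[n] == '\\';
}

/* Decision for a rename whose source is `renamed`: it matters when the renamed
 * object is a protected path, an ancestor of one (the directory-rename case
 * from the thread), or something inside a protected directory. */
static bool rename_touches_protected(const char *renamed)
{
    for (size_t i = 0; i < sizeof kProtected / sizeof kProtected[0]; i++)
        if (is_self_or_ancestor(renamed, kProtected[i]) ||
            is_self_or_ancestor(kProtected[i], renamed))
            return true;
    return false;
}

int main(void)
{
    /* Constructed rename source: a parent folder of a protected file. */
    const char *src = "\\Device\\HarddiskVolume2\\Data";
    printf("%s -> %s\n", src, rename_touches_protected(src) ? "apply policy" : "ignore");
    return 0;
}
```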

