I am working on a an FS minifilter registered for IRP_MJ_WRITE with SKIP_CACHED_IO. I am returning status_access_denied in preoperation callback. This works fine but for very small files, like < 100 bytes, the block operation doesnt prevent the update to the disk. After rebooting the server the contents of the file are seen. I saw some earlier threads and it appears that for very small files the content is stored in the MFT itself. When I use ProcessMonitor, I see a write success for the application and access denied for all subsequent paging IOs. Is there any other way to block the small write ?
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|Developing Minifilters||29 July 2019||OSR Seminar Space|
|Writing WDF Drivers||23 Sept 2019||OSR Seminar Space|
|Kernel Debugging||21 Oct 2019||OSR Seminar Space|
|Internals & Software Drivers||18 Nov 2019||Dulles, VA|