Identifying a set of operations

Hi all,

Let’s say I have a set of operations for deleting a file - that is create, setfileinformation and close. What is the best way to uniquely identify this flow in my mini-filter? is there sort of a unique id?

Thanks in advance.

No.

You can look for all sorts of heuristics (thread Id and File Object or FsContext2 might be somewhere to start), but nothing is guaranteed.

And of course there are many other ways that a file can be deleted…

Check out the delete sample from microsoft.
https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/delete