How to filter the NFS Request using WFP

I need to filter access to the Network File System from a client machine.
Mainly I need to block the file creation and deletion operations.
Is there a way to do this?

That’s a pretty broad request, but you can create a File System Minifilter Driver (https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/file-system-minifilter-drivers), and on the Instance Setup callback (for attaching to a new volume), only attach if it is a network volume. Then any create or delete can be denied.

Deletes can happen on IRP_MJ_CREATE, with the create option of FILE_DELETE_ON_CLOSE, or an IRP_MJ_SET_INFORMATION with FileInformationClass of either FileDispositionInformation or FileDispositionInformationEx, with the delete flag on. Neither of those guarantees that a delete will occur, but they are requests.

Creates are more difficult. It will always be IRP_MJ_CREATE, with create disposition of FILE_OPEN_IF or FILE_OVERWRITE_IF, I think. But those are requests to create a file if it doesn’t exist, but does not yet know whether it does exist. Someone with more experience will need to tell you how to test that. I imagine you need to open the file yourself to see if it exists, or just change the caller’s create disposition to FILE_OPEN/FILE_OVERWRITE and let it fail naturally if the file doesn’t already exist.
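
The request fields named in the answer above, classified in an added example (a portable user-mode model, not code from this thread and not driver code). Constant values are copied from the WDK headers; `verdict_t`, `classify_create` and `setinfo_requests_delete` are hypothetical names, and denying FILE_CREATE and FILE_SUPERSEDE goes beyond the two dispositions the answer lists.

```c
/* Added example: user-mode model of the request classification, not driver code.
   Constant values are copied from the WDK headers (wdm.h / ntifs.h). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { FILE_SUPERSEDE, FILE_OPEN, FILE_CREATE,            /* create dispositions 0..5 */
       FILE_OPEN_IF, FILE_OVERWRITE, FILE_OVERWRITE_IF };
#define FILE_DELETE_ON_CLOSE         0x00001000u           /* create option bit */
#define FileDispositionInformation   13                    /* FILE_INFORMATION_CLASS */
#define FileDispositionInformationEx 64
#define FILE_DISPOSITION_DELETE      0x00000001u           /* flag bit of the Ex class */

typedef enum { PASS, DENY, DOWNGRADE } verdict_t;          /* hypothetical policy result */

/* Parameters.Create.Options: high 8 bits = disposition, low 24 bits = options. */
static uint32_t disposition_of(uint32_t options) { return options >> 24; }

/* Pre-create policy. For DOWNGRADE, *options is rewritten so the open fails
   naturally when the file does not already exist. */
verdict_t classify_create(uint32_t *options)
{
    uint32_t opts = *options & 0x00FFFFFFu;
    if (opts & FILE_DELETE_ON_CLOSE)
        return DENY;                                       /* delete requested through create */
    switch (disposition_of(*options)) {
    case FILE_OPEN_IF:      *options = ((uint32_t)FILE_OPEN << 24) | opts;      return DOWNGRADE;
    case FILE_OVERWRITE_IF: *options = ((uint32_t)FILE_OVERWRITE << 24) | opts; return DOWNGRADE;
    case FILE_CREATE:
    case FILE_SUPERSEDE:    return DENY;                   /* these can also create a new file */
    default:                return PASS;                   /* FILE_OPEN, FILE_OVERWRITE */
    }
}

/* IRP_MJ_SET_INFORMATION: 'value' is the DeleteFile BOOLEAN for class 13,
   or the Flags field for the Ex class. */
bool setinfo_requests_delete(int info_class, uint32_t value)
{
    if (info_class == FileDispositionInformation)   return value != 0;
    if (info_class == FileDispositionInformationEx) return (value & FILE_DISPOSITION_DELETE) != 0;
    return false;
}

int main(void)
{
    uint32_t o = ((uint32_t)FILE_OPEN_IF << 24) | 0x40u;   /* constructed sample: FILE_NON_DIRECTORY_FILE */
    verdict_t v = classify_create(&o);
    printf("verdict=%d new disposition=%u\n", (int)v, (unsigned)disposition_of(o));
    return 0;
}
```

In a minifilter the rewritten value is stored back in Data->Iopb->Parameters.Create.Options, followed by a call to FltSetCallbackDataDirty(Data) so the Filter Manager propagates the change.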

@rstruempf thank you.
Actually I tried with a minifilter,
but I don’t know how to find whether the IRP request is from NFS or not.
The following block of code is used for blocking creation of the “text.txt” file on all storage device volumes, but I need to block it only on NFS.
How is that possible?

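FLT_PREOP_CALLBACK_STATUS MiniPreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION FileNameInfos = NULL;
    WCHAR Name[260] = { 0 };
    NTSTATUS status;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfos);
    if (!NT_SUCCESS(status))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;   // no name available, let the request through

    // Name.Length is in bytes and excludes any terminator; leave room for the NUL.
    if (FileNameInfos->Name.Length < sizeof(Name) - sizeof(WCHAR))
    {
        RtlCopyMemory(Name, FileNameInfos->Name.Buffer, FileNameInfos->Name.Length);
        _wcsupr(Name);   // upper-case the copy so the match below ignores case
        if (wcsstr(Name, L"TEXT.TXT") != NULL)
        {
            DbgPrint(" operation %ws blocked \n", Name);
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
            FltReleaseFileNameInformation(FileNameInfos);
            return FLT_PREOP_COMPLETE;
        }
    }

    // Release the name information on the pass-through path as well.
    FltReleaseFileNameInformation(FileNameInfos);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}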

You can’t tell in PreCreate if the file is destined for NFS or not. In post create you can query which network provider ended up handling the open (FsRtlMupGetProviderInfoFromFileObject).