I am trying to write an auditing minifilter that tracks file & directory open/close/read/write/delete/rename operations on a volume. Minispy on GitHub seems to have most of what I need, but then I noticed that MSFT has also released a delete minifilter specifically to track file deletes.
Can I deduce file deletes from user-space based on information captured by the minispy minifilter driver?
I will check if the file is deleted from user-space for each of the above 3 cases to deduce deletes.
I am primarily a Linux developer, though I have done some Windows user-space coding, so I prefer to do as little Windows kernel coding as possible, and I don't want to maintain two drivers if I don't have to. Will it work, or are there cases that the delete minifilter catches that minispy doesn't?