Hide some Directory Change Notification

Hi!

When my minifilter applies changes to a file, obviously, the File System pushes some directory change notifications.

1. Is there a way to tell the File System that my action needs to be hidden? (I guess I already know the answer from the FastFAT sample …)

   I think I could intercept IRP_MN_NOTIFY_CHANGE_DIRECTORY and try to remove my notifications, with countless difficulties, but I don’t like this idea as it is error-prone.

2. If the user buffer is too small to catch these notifications, in the post operation, will the returned buffer length be 0 like ReadDirectoryChangesW, or could I remove some notifications before that?

Thank you!

There’s one very narrow option in that GUID_ECP_ATOMIC_CREATE allows you to suppress directory change notifications (DCN) of the newly created file. AFAIK this is TH2 + NTFS only.

We once had a filter that triggered what I lovingly referred to as “DCN Hell”: the simple act of someone opening a file caused our filter to trigger a DCN. Some apps (e.g. Visual Studio) use the DCN to determine if the file has been modified, so this caused an infinite loop as the app kept opening the file, triggering the DCN, and then opening the file again.

Trying to parse the DCN buffer to remove the offending entry turned out to be a complete and total nightmare. The request comes in as METHOD_NEITHER and by the time it completes it can still be METHOD_NEITHER or converted to either METHOD_BUFFERED or METHOD_DIRECT by the FsRtl package (which was a big surprise). In the METHOD_NEITHER and METHOD_DIRECT cases you need to worry about TOCTOU as you walk the structure on completion. I definitely lost hairs over this…

Just looked and that was in 2011-2012. I would never resurrect or write this code again…

So, my question would be: is the fact that this triggers the app’s DCN really that bad? Does the file look different from the app perspective after your modifications? If yes I’d say the DCN is a good thing.
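Added example, not part of the original thread or the poster's filter code: a portable user-mode C sketch of the bounds checks needed when walking a chain of FILE_NOTIFY_INFORMATION entries in a buffer that another thread can still modify. It copies the buffer once and validates every offset and length against that copy; `notify_hdr` and `dcn_count_entries` are hypothetical names, and a real filter would make the copy under its usual probe and exception handling.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirror of the FILE_NOTIFY_INFORMATION header (assumption: fixed-width
   types stand in for ULONG/WCHAR so this builds outside the WDK). */
typedef struct {
    uint32_t NextEntryOffset;   /* 0 marks the last entry */
    uint32_t Action;
    uint32_t FileNameLength;    /* in bytes; UTF-16 name follows the header */
} notify_hdr;

/* Returns the number of well-formed entries, or -1 if the chain is malformed.
   All checks run on a private snapshot, so a concurrent writer cannot change
   a length between validation and use (the TOCTOU double-fetch problem). */
int dcn_count_entries(const void *shared, size_t len)
{
    if (len < sizeof(notify_hdr)) return -1;
    uint8_t *snap = malloc(len);
    if (!snap) return -1;
    memcpy(snap, shared, len);              /* single fetch of shared memory */
    int count = 0;
    size_t off = 0;
    for (;;) {
        notify_hdr h;
        if (len - off < sizeof h) { count = -1; break; }
        memcpy(&h, snap + off, sizeof h);   /* header fields read exactly once */
        size_t avail = len - off - sizeof h;
        if (h.FileNameLength > avail || (h.FileNameLength & 1)) { count = -1; break; }
        count++;
        if (h.NextEntryOffset == 0) break;
        /* Next entry: 4-byte aligned, past this name, inside the buffer. */
        if ((h.NextEntryOffset & 3) ||
            h.NextEntryOffset < sizeof h + h.FileNameLength ||
            h.NextEntryOffset > len - off) { count = -1; break; }
        off += h.NextEntryOffset;
    }
    free(snap);
    return count;
}

int main(void)
{   /* Constructed sample: two entries with 4- and 2-byte names (bytes zeroed). */
    uint8_t buf[32] = {0};
    notify_hdr a = {16, 3, 4}, b = {0, 1, 2};
    memcpy(buf, &a, sizeof a);
    memcpy(buf + 16, &b, sizeof b);
    printf("%d\n", dcn_count_entries(buf, 30));
    return 0;
}
```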

Thank you Scott,

I was afraid of this reply. I will play with GUID_ECP_ATOMIC_CREATE to see if my freeze comes from the DCN, and if it comes from the DCN, it will be my turn to lose my hair…

And another question: GUID_ECP_ATOMIC_CREATE is used in case of create; in case of modifications (write/flush/attributes/…), is there a way to not trigger the DCN?

My understanding is that it just doesn’t trigger the DCN on the create, so I don’t **think** it hides further modifications to the file. I haven’t explored that particular case though so not sure.

Aside: we have a simple utility to watch DCNs on GitHub. Doesn’t do anything special but saves you from having to write it yourself.

Yep, I will play with it and see what I get.

Thank you Scott!