Filtering file reading

Dear all,

Following my previous post about minifilter performance, I realized I get bad results when my driver registers a callback for the IRQ IRP_MJ_READ. The purpose of this callback is an authorization filter, which determines whether the content of the file can be read. In the case where the read of the file is granted, the logic is still executed on each IRQ of that type, which is not efficient and results in a performance drop.

I realized that I wanted to filter the initial opening of the file, such as by registering a callback for the IRQ IRP_MJ_CREATE. My question is: does the operating system require an IRQ of type IRP_MJ_CREATE to be performed before subsequent IRP_MJ_READ requests to access a file? In other words, is the IRQ IRP_MJ_CREATE a good way to implement file authorization?

Many thanks!
Keterna

Yes, applications need to open a file before they read it, and yes, IRP_MJ_CREATE is a good way.

Hey Scott! Thanks for your reply.

I faced a very interesting case when some users tested my application! I prevent access to some kind of types by listening for the IRP IRP_MJ_CREATE and checking whether the path of the file matches a set of forbidden paths. This works fine, except that that IRP is not triggered when a parent folder of the files is renamed (or moved). Apparently, no IRPs are created for each file in the renamed folder. This means one can rename a parent folder to change the path which the minifilter is checking.

Is there another IRP with which I can detect that a parent directory of a file is renamed, or must I watch all the parent folders to prevent their manipulation?

Thanks!

Right, you can rename a directory without having to rename each file under it. If this case matters you need to monitor renames and see if the rename is a prefix match for your directories/files of interest (RtlPrefixUnicodeString helps).
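
The prefix check suggested in the last reply, as an added example that is not part of the original thread: a portable user-mode C model of the decision a rename callback would make, with a path-component boundary test added because a plain prefix comparison also matches sibling names such as `\Vault` against `\VaultBackup`. The protected paths, the function names and the sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample list of protected paths (hypothetical values). */
static const char *const kProtected[] = {
    "\\Device\\HarddiskVolume2\\Vault\\Keys",
    "\\Device\\HarddiskVolume2\\Vault\\audit.log",
};

/* Case-insensitive prefix test, modelling RtlPrefixUnicodeString with
 * CaseInSensitive = TRUE, plus a check that the match ends on a path
 * component boundary. */
static int is_ancestor_or_same(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    while (n > 0 && prefix[n - 1] == '\\')   /* ignore trailing separators */
        n--;
    if (strlen(path) < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)prefix[i]) != tolower((unsigned char)path[i]))
            return 0;
    return path[n] == '\0' || path[n] == '\\';
}

/* Returns 1 when renaming `source` changes the path of a protected item:
 * `source` is a protected item, an ancestor directory of one, or inside one. */
int rename_touches_protected(const char *source)
{
    for (size_t i = 0; i < sizeof kProtected / sizeof kProtected[0]; i++) {
        if (is_ancestor_or_same(source, kProtected[i]) ||
            is_ancestor_or_same(kProtected[i], source))
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *parent = "\\Device\\HarddiskVolume2\\Vault";        /* constructed */
    const char *sibling = "\\Device\\HarddiskVolume2\\VaultBackup"; /* constructed */
    printf("%s -> %d\n", parent, rename_touches_protected(parent));
    printf("%s -> %d\n", sibling, rename_touches_protected(sibling));
    return 0;
}
```

In a minifilter the same comparison would run on normalized `UNICODE_STRING` names when a rename request is seen, rather than on C strings.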