Shadow Copy IRPs

Dear all,

I’m working on intercepting IRP_MJ_CREATE IRPs to filter some file access. I realized that Shadow Copy on Windows does not trigger any IRP when backing up my files. I’m a bit curious: how can Shadow Copy access my files without triggering this IRP? Is there a way to catch the file interactions of Shadow Copy from a minifilter driver?

Thanks for your help!

Shadow sets (as per VSS) are a device-level (I’m guessing a block-level copy-on-write but I’ve never bothered to look) thing so you’ll never see the “backup”.

When the shadow set is surfaced (e.g. to list or restore files) you do see a volume mounted upon a device with an obvious name.

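As an added example (not code from anyone in this thread): one way a minifilter could recognise a surfaced shadow set is to test the volume's device name, for instance the name `FltGetVolumeName` returns in the instance setup callback. It assumes the standard Windows naming `\Device\HarddiskVolumeShadowCopy<N>`, which the thread does not spell out; `shadow_copy_index` is a hypothetical helper and the sample names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed device-name prefix of snapshot volumes (not stated in the thread). */
static const wchar_t kShadowPrefix[] = L"\\Device\\HarddiskVolumeShadowCopy";

/* ASCII-only upcase; NT device names are compared case-insensitively. */
static wchar_t up(wchar_t c)
{
    return (c >= L'a' && c <= L'z') ? (wchar_t)(c - 32) : c;
}

/*
 * name/len is a counted string that need not be NUL-terminated, like
 * UNICODE_STRING.Buffer with Length / sizeof(WCHAR).
 * Returns the snapshot number if name is a shadow copy device (or a path
 * on one), otherwise -1.
 */
long shadow_copy_index(const wchar_t *name, size_t len)
{
    size_t plen = sizeof(kShadowPrefix) / sizeof(kShadowPrefix[0]) - 1;
    size_t i;
    long n = 0;

    if (name == NULL || len <= plen)
        return -1;
    for (i = 0; i < plen; i++)
        if (up(name[i]) != up(kShadowPrefix[i]))
            return -1;
    if (name[i] < L'0' || name[i] > L'9')      /* need at least one digit */
        return -1;
    for (; i < len && name[i] >= L'0' && name[i] <= L'9'; i++) {
        if (n > 100000000L)                    /* keep n * 10 within 32 bits */
            return -1;
        n = n * 10 + (long)(name[i] - L'0');
    }
    if (i < len && name[i] != L'\\')           /* e.g. "...ShadowCopy4x" */
        return -1;
    return n;
}

int main(void)
{
    const wchar_t *snap = L"\\Device\\HarddiskVolumeShadowCopy12"; /* constructed */
    const wchar_t *live = L"\\Device\\HarddiskVolume3";            /* constructed */
    printf("%ld %ld\n", shadow_copy_index(snap, wcslen(snap)),
           shadow_copy_index(live, wcslen(live)));
    return 0;
}
```

The copy-on-write traffic for the live volume still happens below the file system, so this only identifies instances attached to a mounted snapshot.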