different IRP_MJ_CREATE

I am developing a basic file system minifilter. I have two questions:

  1. How to detect if a newly created file was manually created (by right-clicking the mouse and creating) or programmatically created (using CreateFile()).
  2. Once a file is created, there are lots of IRP_MJ_CREATE requests raised (about 4-5). What is the concept behind this, and what do they signify?

What you call a manual create still becomes a CreateFile, so you cannot tell. The reason there are so many IRP_MJ_CREATEs is that in many circumstances the program doing the create wants to set attributes, and in many cases this is done in a standalone model that assumes it takes a pathname, rather than a handle.

When you right-click in Explorer, it is the program calling CreateFile(), so your first question makes no sense…

As for your second, you can look in the debugger and see who is calling you. I’d bet that one is Explorer and another is antivirus, but you’ll only find out by looking…
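An added example, not part of the thread and not code from any poster: of the 4-5 IRP_MJ_CREATE requests, the one that actually created the file can be told apart from the follow-up path-based opens by the disposition in the high 8 bits of `Parameters.Create.Options` (pre-create) and by `IoStatus.Information == FILE_CREATED` (post-create). It is written as user-mode C over a constructed trace so it runs outside a driver; the `create_rec` record, the PIDs and the trace contents are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the WDK headers. */
enum { FILE_SUPERSEDE, FILE_OPEN, FILE_CREATE, FILE_OPEN_IF,
       FILE_OVERWRITE, FILE_OVERWRITE_IF };          /* CreateDisposition 0..5 */
enum { FILE_SUPERSEDED, FILE_OPENED, FILE_CREATED }; /* IoStatus.Information 0..2 */
#define FILE_NON_DIRECTORY_FILE 0x00000040u

/* One observed IRP_MJ_CREATE (hypothetical record a filter might log). */
struct create_rec {
    uint32_t pid;         /* requesting process id (constructed) */
    uint32_t options;     /* Iopb->Parameters.Create.Options */
    uint32_t information; /* IoStatus.Information seen in post-create */
};

/* High 8 bits of Create.Options carry the disposition, low 24 the options. */
static uint32_t disposition(uint32_t options) { return options >> 24; }
static uint32_t create_options(uint32_t options) { return options & 0x00FFFFFFu; }

/* Pre-create: may this request bring a new file into existence? */
static int may_create(uint32_t options) {
    uint32_t d = disposition(options);
    return d == FILE_SUPERSEDE || d == FILE_CREATE || d == FILE_OPEN_IF || d == FILE_OVERWRITE_IF;
}
/* Post-create: did a successful request actually create the file? */
static int did_create(const struct create_rec *r) { return r->information == FILE_CREATED; }

#define OPTS(disp, opt) (((uint32_t)(disp) << 24) | (opt))
/* Constructed sample: five successful creates on one path, two processes. */
static const struct create_rec trace[] = {
    { 4120, OPTS(FILE_CREATE,  FILE_NON_DIRECTORY_FILE), FILE_CREATED },
    { 4120, OPTS(FILE_OPEN,    FILE_NON_DIRECTORY_FILE), FILE_OPENED  },
    { 4120, OPTS(FILE_OPEN_IF, FILE_NON_DIRECTORY_FILE), FILE_OPENED  },
    { 2764, OPTS(FILE_OPEN,    FILE_NON_DIRECTORY_FILE), FILE_OPENED  },
    { 4120, OPTS(FILE_OPEN,    0),                       FILE_OPENED  },
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

static unsigned count_created(void) {
    unsigned n = 0;
    for (size_t i = 0; i < TRACE_LEN; i++) n += (unsigned)did_create(&trace[i]);
    return n;
}

int main(void) {
    for (size_t i = 0; i < TRACE_LEN; i++)
        printf("pid=%u disp=%u opts=0x%06x may_create=%d created=%d\n", (unsigned)trace[i].pid,
               (unsigned)disposition(trace[i].options), (unsigned)create_options(trace[i].options),
               may_create(trace[i].options), did_create(&trace[i]));
    return 0;
}
```

The third record shows why the pre-create disposition alone is not enough: FILE_OPEN_IF may create, but here the file already existed and the request only opened it.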