Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Help on IRP_MJ_WRITE Minifilter.
I am Working on a minifilter to detect files write by some process in the PreWrite callback of IRP_MJ_WRITE. It works great when some files content is modified. But not getting PreWrite callback when the file content is modified and made to zero sizes. i.e select all then clear out the content and finally save the file. it is also kind of writing so why not getting a PreWrite callback?
How to prevent File writing(clear all content & save the file)?
or what callback do we get when file content is cleared(i.e becomes empty) and the file is saved?
As a beginner in minifilter, am I missing something or unaware of some concept?
Please guide/help me.
I will be very thankful to the OSR community.
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Internals & Software Drivers | 7 February 2022 | Live, Online |
| Kernel Debugging | 21 March 2022 | Live, Online |
| Developing Minifilters | 23 May 2022 | Live, Online |
| Writing WDF Drivers | 12 September 2022 | Live, Online |
Comments
You probably want to be filtering on many (if not all)
MJ_SET_INFORMATION_FILEoperations. I'd also be looking at section creation (open a file for write, map a section write to it, exit).But the "correct" place to do access checking is when the file is opened. Doing this at any other time is much much more complicated.
... Which in turn begs the question as to why ACL's won't cut it. But I completely understand that I am not privvy to your requirements.
Finally, I got it with some help. Thanks, everyone.
Here is the answer to it.
https://stackoverflow.com/questions/69052691/what-callback-do-we-get-when-file-is-cleared-i-e-made-empty-and-saved-in-mini/69053870?noredirect=1#comment122046508_69053870