How can I scan every file accessed from kernel to user mode?

jay96612 Member Posts: 57

I am working on a minifilter. I am making a program that checks, on access, whether a file is malicious or not. I know I can do it using a minifilter, but I am not sure how to do it effectively, because files are accessed very frequently on a system. Whenever a file is accessed, send the file path to user mode, and then the user-mode application responds after checking the file. I want to know from your experience and understanding, as I am not very familiar with it.

Very curious to know from your experience.
Thanks & regards,
Jay

Comments

  • jay96612 Member Posts: 57
    edited July 2022

    @Scott_Noone_(OSR) How can I ignore a file open in the kernel minifilter when the user-mode scanning part takes too much time? Once the scanning part is complete, then if someone accesses the file again, allow or block it based on the result.
    While scanning, if someone accesses the file, then just block or ignore it silently.

    I will keep a hash of which paths are currently being scanned / done scanning from when someone first accesses the file.

  • Scott_Noone_(OSR) Administrator Posts: 3,631
    edited July 2022

    Your design is wrong.

    Have you gone through the avscan sample? If you're trying to learn you should install that, set breakpoints, and learn what it's doing. You'll learn a lot more that way than feeling around in the dark.

    -scott
    OSR
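For readers following along, here is an added toy model (my own illustration in Python; it is not code from this thread and not the avscan sample's code, which is a C minifilter plus a user-mode scanning service) of the bookkeeping an on-access scanner keeps so that a slow user-mode scan never turns into "ignore the open silently": a verdict cached per file identity rather than per path, concurrent opens of a file that is being scanned waiting on the one in-flight scan instead of starting another or being dropped, a deliberate fail-closed (or fail-open) decision when the scanner never answers, and invalidation of the verdict when the file is written. Names such as ScanCache, demo and demo_timeout are invented for the example, and scan_fn stands in for the kernel-to-user round trip.

```python
# Added toy model for this thread, not code from the thread or from the Microsoft
# avscan sample. Names (ScanCache, demo, demo_timeout) are invented; scan_fn stands
# in for the round trip to a user-mode scanning service.
import threading

NEEDLE = b"message to be found"   # the marker string the thread mentions
UNKNOWN, SCANNING, CLEAN, INFECTED = "unknown", "scanning", "clean", "infected"

class _Entry:
    def __init__(self):
        self.verdict = UNKNOWN
        self.dirty = False                  # written while a scan was in flight
        self.done = threading.Event()       # set when the current scan finishes

class ScanCache:
    """Scan state keyed by a stable file identifier, not by path (a path can be
    renamed or hard-linked between scan and open; a filter keeps this per stream)."""
    def __init__(self, scan_fn, timeout_s=5.0, fail_closed=True):
        self._scan_fn, self._timeout_s = scan_fn, timeout_s
        self._fail_closed = fail_closed     # verdict when the scanner never answers
        self._lock, self._entries, self.scan_calls = threading.Lock(), {}, 0

    def on_open(self, file_id, data):
        """Return True to allow the open, False to deny it."""
        while True:                         # loop: re-check after waiting on a scan
            with self._lock:
                entry = self._entries.setdefault(file_id, _Entry())
                if entry.verdict in (CLEAN, INFECTED):
                    return entry.verdict == CLEAN
                if entry.verdict == SCANNING:
                    done = entry.done       # another open owns the scan: wait for it
                else:
                    entry.verdict, entry.dirty = SCANNING, False
                    entry.done, done = threading.Event(), None
            if done is None:
                return self._run_scan(entry, data)
            if not done.wait(self._timeout_s):
                return not self._fail_closed   # scanner hung: policy decides, never silent

    def _run_scan(self, entry, data):
        try:
            clean = bool(self._scan_fn(data))   # outside the lock: other files proceed
        except Exception:
            clean = not self._fail_closed
        with self._lock:
            self.scan_calls += 1
            if entry.dirty:                 # changed mid-scan: result describes old bytes
                entry.verdict, allowed = UNKNOWN, False
            else:
                entry.verdict, allowed = (CLEAN if clean else INFECTED), clean
            entry.done.set()
            return allowed

    def on_write(self, file_id):
        """Content changed: a cached verdict no longer describes the file."""
        with self._lock:
            entry = self._entries.setdefault(file_id, _Entry())
            if entry.verdict == SCANNING:
                entry.dirty = True
            else:
                entry.verdict = UNKNOWN

def _blocking_scanner(started, release, verdict_fn):
    def scan(data):                         # blocks until released, like a slow service
        started.set()
        release.wait()
        return verdict_fn(data)
    return scan

def demo():
    """Two concurrent opens trigger one scan; a later write forces a rescan."""
    started, release = threading.Event(), threading.Event()
    cache = ScanCache(_blocking_scanner(started, release, lambda d: NEEDLE not in d))
    results = []
    t1 = threading.Thread(target=lambda: results.append(cache.on_open("f1", b"hi")))
    t1.start()
    started.wait()                          # first open is now inside the scanner
    t2 = threading.Thread(target=lambda: results.append(cache.on_open("f1", b"hi")))
    t2.start()
    release.set()
    for t in (t1, t2):
        t.join()
    out = {"concurrent_allowed": results, "scans_so_far": cache.scan_calls}
    out["cached_allowed"] = cache.on_open("f1", b"hi")          # served from cache
    cache.on_write("f1")
    out["after_write_allowed"] = cache.on_open("f1", b"x " + NEEDLE)   # rescans
    out["total_scans"] = cache.scan_calls
    return out

def demo_timeout(fail_closed):              # a waiter whose scan never completes
    started, release = threading.Event(), threading.Event()
    cache = ScanCache(_blocking_scanner(started, release, lambda d: True),
                      timeout_s=0.05, fail_closed=fail_closed)
    owner = threading.Thread(target=cache.on_open, args=("f2", b"x"))
    owner.start()
    started.wait()
    waiter = cache.on_open("f2", b"x")      # times out waiting on the owner's scan
    release.set()
    owner.join()
    return waiter
```

The two decisions worth noticing are the ones the toy makes explicit: an open that arrives while a scan is in flight waits for that scan's verdict rather than being ignored (ignoring it is an allow by default), and a scanner that never answers is resolved by a stated policy, fail-closed here, rather than by whatever the code happens to do. In a real minifilter the same state lives in a stream context and the scan request goes to the service over a communication port; none of that is modelled here.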

  • jay96612 Member Posts: 57

    @Scott_Noone_(OSR) Thank you so much. I will go through it and ask if there is anything I don't understand. Thank you very much for the help & support. :)

  • jay96612 Member Posts: 57

    @Scott_Noone_(OSR) I came across avscan. It basically examines the data in a file. I followed the code and executed both the user-mode and the filter parts. It basically checks for the string "message to be found" in a file; if it is found, then it blocks the opening of the file.

    It works fine for text files, but when I open a PDF file with the same string, it doesn't block it. I don't understand why.

    Could you please help me out?
    Will be very thankful :)

  • Scott_Noone_(OSR) Administrator Posts: 3,631

    Sorry, are you asking how to interpret the content of a PDF? Or are you blocking the open but Acrobat can read the file anyway?

    -scott
    OSR

  • jay96612 Member Posts: 57

    @Scott_Noone_(OSR) The way we are checking for the message in the text file, can't we check the same way in every file?

  • Scott_Noone_(OSR) Administrator Posts: 3,631
    https://en.m.wikipedia.org/wiki/PDF

    A PDF file is often a combination of vector graphics, text, and bitmap graphics. The basic types of content in a PDF are

    Typeset text stored as content streams (i.e., not encoded in plain text);

    -scott
    OSR
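To make Scott's point concrete, here is an added example (my own illustration; it is not the avscan sample's code and was not posted in this thread). It builds a constructed one-page PDF, once with the page text stored as plain bytes and once inside a FlateDecode (zlib) content stream, which is how real PDF writers store it, and shows that a byte search for the sample's marker string finds the first and misses the second. A second scanner inflates each stream before matching. build_pdf, naive_scan, iter_stream_payloads and format_aware_scan are names invented here, and the stream parser deliberately handles only the minimal case.

```python
# Added example for this thread (not the avscan sample's code): why a plain byte
# search for the sample's marker string misses it inside a PDF, and the minimum a
# scanner must do about it. build_pdf, naive_scan, iter_stream_payloads and
# format_aware_scan are invented names; the PDF bytes are constructed in memory.
import re
import zlib

NEEDLE = b"message to be found"       # the avscan sample's marker, per the thread


def build_pdf(text, compress):
    """Constructed one-page PDF whose page content stream shows `text`.
    With compress=True the stream is FlateDecode (zlib) encoded, as a real PDF
    writer would do, so the text is no longer a contiguous run of plain bytes."""
    content = b"BT /F1 12 Tf 72 720 Td (" + text + b") Tj ET"
    body = zlib.compress(content) if compress else content
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
        + body + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)


def naive_scan(blob):
    """What a content-agnostic scanner does: look for the bytes anywhere."""
    return NEEDLE in blob


# A stream dictionary (no nested << >>) immediately followed by the stream keyword.
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream(?:\r\n|\n)", re.DOTALL)
# Direct /Length only; an indirect "/Length 6 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def iter_stream_payloads(blob):
    """Yield each stream's decoded bytes. Simplified on purpose: a single
    FlateDecode filter only, no predictors, no object streams, no encryption,
    direct /Length only. A production scanner needs a real PDF parser here."""
    for m in STREAM_RE.finditer(blob):
        length = LENGTH_RE.search(m.group(1))
        if not length:
            continue
        raw = blob[m.end():m.end() + int(length.group(1))]
        if b"/FlateDecode" in m.group(1):
            try:
                yield zlib.decompress(raw)
            except zlib.error:
                yield raw              # corrupt or unsupported: scan raw, never skip silently
        else:
            yield raw


def format_aware_scan(blob):
    """Match on the raw bytes or on any decoded stream."""
    return naive_scan(blob) or any(NEEDLE in p for p in iter_stream_payloads(blob))
```

The practical consequence for an on-access scanner is that a signature that only sees raw bytes is bypassed by any container format that encodes or compresses its payload (PDF streams, ZIP and OOXML, compressed sections), so the user-mode scanning service has to decode every format it claims to cover, and decide deliberately what to do with a stream it cannot decode (the example scans it raw rather than skipping it).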
