Tracking Minifilter Operation

I want to know which filter driver has passed or denied a specific operation. I’m looking for the filter driver that returned access_denied for the operation.

This seems rather general. Do you have a specific operation in mind?

I’m looking for access_denied on the PreCreate operation.

What comes to my mind, but hopefully someone with more experience can point you in a better direction, are two possible approaches.
I am not aware of tracking functions, especially for other filter drivers which are out of your control, but this does not mean they do not exist.

So I would try to:

1. Disable minifilters using the fltmgr command to identify the culprit. This only works if the minifilter in question can be disabled on your target system and is not mandatory for the OS.

or, a little more drastic:

2. If you are able, in your minifilter (I assume in your PostCreate operation), to detect that the PreCreate operation was terminated with an “access_denied”, you could trigger a BSOD and create a kernel dump. In the kernel dump you should have the stack of the called functions and might be able to determine the minifilter which blocked the operation.

I hope that this helps you. Maybe someone else here has a better idea.
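One detail that narrows both approaches above: the filter manager calls PreCreate callbacks from the highest altitude down, and a minifilter that completes PreCreate with STATUS_ACCESS_DENIED stops the request at its altitude. Filters below it never see the create at all, while filters above it get the status in their PostCreate callback (a STATUS_ACCESS_DENIED seen there can also come from the file system's own security check rather than from a minifilter). So only filters attached below your own are candidates for a denial you observe in PostCreate. The script below is an added example, not code from this thread: it parses the text output of `fltmc instances` for one volume, orders the attached filters by altitude, and marks each one relative to your own filter. It assumes the column layout Filter, Volume Name, Altitude, Instance Name, Frame, as in the constructed sample embedded at the bottom; `ExampleFilter` is a placeholder name.

```powershell
# Added example (not from the thread). Orders the minifilter instances on one volume in
# the order their PreCreate callbacks run (highest altitude first) and shows which of
# them sit below your own filter, i.e. which ones could be the source of a
# STATUS_ACCESS_DENIED that you observe in your PostCreate callback.
# Assumption: fltmc prints the columns Filter, Volume Name, Altitude, Instance Name, Frame.

function ConvertFrom-FltmcInstances {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Instance names may contain spaces, so the pattern anchors on the numeric
    # altitude before the name and the numeric frame after it. Header and
    # separator lines do not match and are skipped.
    $pattern = '^(?<Filter>\S+)\s+(?<Volume>\S+)\s+(?<Altitude>\d+(\.\d+)?)\s+(?<Instance>.+?)\s+(?<Frame>\d+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Filter   = $Matches.Filter
                Volume   = $Matches.Volume
                Altitude = [double]$Matches.Altitude
                Instance = $Matches.Instance
                Frame    = [int]$Matches.Frame
            }
        }
    }
}

function Get-PreCreateOrder {
    param(
        [Parameter(Mandatory)][object[]]$Instances,
        [Parameter(Mandatory)][string]$Volume,
        [string]$MyFilter   # name of your own minifilter; optional
    )
    # Pre-operation callbacks run from the highest altitude down. A filter that
    # completes PreCreate with STATUS_ACCESS_DENIED stops the request there:
    # filters below it never get PreCreate, filters above it get PostCreate
    # with that status.
    $ordered = @($Instances | Where-Object Volume -eq $Volume | Sort-Object Altitude -Descending)
    $mine = $ordered | Where-Object Filter -eq $MyFilter | Select-Object -First 1
    $n = 0
    foreach ($i in $ordered) {
        $n++
        $note = if (-not $mine) { '' }
                elseif ($i.Filter -eq $MyFilter) { 'your filter' }
                elseif ($i.Altitude -gt $mine.Altitude) { 'above you: if it denies, your callbacks never run' }
                else { 'below you: its denial arrives in your PostCreate' }
        [pscustomobject]@{
            Order    = $n
            Filter   = $i.Filter
            Altitude = $i.Altitude
            Instance = $i.Instance
            Note     = $note
        }
    }
}

# Constructed sample standing in for the output of:  fltmc instances -v C:   (run elevated)
$sample = @'
Filter                Volume Name                              Altitude        Instance Name           Frame
--------------------  -------------------------------------  ------------  -----------------------  -----
FileInfo              C:                                         40500         FileInfo                0
ExampleFilter         C:                                        321000         ExampleFilter Instance  0
WdFilter              C:                                        328010         WdFilter Instance       0
'@ -split "`r?`n"

$instances = ConvertFrom-FltmcInstances -Lines $sample
Get-PreCreateOrder -Instances $instances -Volume 'C:' -MyFilter 'ExampleFilter' | Format-Table -AutoSize

# Live use on a test machine (elevated prompt):
#   ConvertFrom-FltmcInstances -Lines (fltmc instances -v C:) |
#       ForEach-Object { $_ } | Get-PreCreateOrder -Volume 'C:' -MyFilter 'ExampleFilter'
```

With the sample, the table lists WdFilter first (above the placeholder filter), then ExampleFilter, then FileInfo as the only entry whose denial would be visible in ExampleFilter's PostCreate. On a real system, the "below you" rows are the list to work through with approach 1, and the same altitude reasoning tells you whether approach 2 can observe the denial at all.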


Is this a reproducible test case and you’re trying to debug it? Or are you asking in general?

No, it’s not a special case. I’m developing a product and I want to know how other products work.
I used the @blange method before, but I did not get a general and precise answer.