Hi,
What is the best way to detect the type of file access
in a filter driver (read file, read directory, create
new file, failed access).
Is there any way to get this information the very
first time that a file is accessed?
Thanks
Krishna Monian
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
You are mixing two terms.
To determine if open, create new or supersede
file, you must look to
IO_STACK_LOCATION in the IRP.
IrpSp->Parameters.Create.Options >> 24
(upper 8 bits) may be
FILE_OPEN, FILE_OPEN_IF, FILE_OVERWRITE,
FILE_OVERWRITE_IF, FILE_SUPERSEDE.
To determine if it is read access, write access,
look at the IrpSp->Parameters.Create.SecurityContext->DesiredAccess,
which can be combination of one or more flags
like FILE_READ_DATA, FILE_WRITE_DATA
etc.
Look at the IFS Kit, fo the information about IRP_MJ_CREATE,
you will find more information about this.
L.