Filesystem minifilter and Zone.Identifier

In my filesystem minifilter I intercept the opening of a file downloaded from the Internet (on disk the file has a Zone.Identifier stream name) that has write flags (FILE_WRITE_DATA & FILE_WRITE_ATTRIBUTES…), though nothing is written (no IRP_MJ_WRITE callback); the file also does not have the identification file stream (Zone.Identifier). I want to handle this situation and not process this file.
How can I determine in my minifilter that a file has a Zone.Identifier stream (downloaded from the Internet)?

You could enumerate the streams (via IRP_MJ_QUERY_INFORMATION) and look at it to see if the stream is there or you could try to open it and see if it is there.
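The stream-enumeration approach suggested above, as an added example that is not part of the original thread: a bounds-checked walk over the entry list that a FileStreamInformation query returns, looking for `:Zone.Identifier:$DATA`. It is portable user-mode C written against the documented FILE_STREAM_INFORMATION layout so it can run outside a driver; `has_zone_identifier`, `put_entry` and the sample buffer are constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Fixed part of FILE_STREAM_INFORMATION: NextEntryOffset (4), StreamNameLength in
   bytes (4), StreamSize (8), StreamAllocationSize (8); UTF-16LE StreamName follows. */
#define FSI_HEADER 24u

static uint32_t rd32(const uint8_t *p) {   /* little-endian, alignment-safe read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Case-insensitive match of a UTF-16LE stream name against an ASCII literal. */
static int name_is(const uint8_t *name, uint32_t bytes, const char *ascii) {
    size_t n = strlen(ascii);
    if (bytes != 2 * n) return 0;
    for (size_t i = 0; i < n; i++)
        if (name[2 * i + 1] != 0 || tolower(name[2 * i]) != tolower((unsigned char)ascii[i]))
            return 0;
    return 1;
}

/* Returns 1 if the Zone.Identifier stream is listed, 0 if not, -1 if malformed. */
int has_zone_identifier(const uint8_t *buf, size_t len) {
    for (size_t off = 0;;) {
        if (len - off < FSI_HEADER) return -1;              /* header must fit */
        uint32_t next = rd32(buf + off), name_len = rd32(buf + off + 4);
        if (name_len > len - off - FSI_HEADER) return -1;   /* name must fit */
        if (name_is(buf + off + FSI_HEADER, name_len, ":Zone.Identifier:$DATA")) return 1;
        if (next == 0) return 0;                            /* last entry reached */
        if (next < (size_t)FSI_HEADER + name_len || next > len - off) return -1;
        off += next;
    }
}

/* Constructed sample data: append one 8-byte-aligned entry (under 256 bytes). */
size_t put_entry(uint8_t *buf, size_t off, const char *name, int last) {
    size_t n = strlen(name), size = (FSI_HEADER + 2 * n + 7) & ~(size_t)7;
    memset(buf + off, 0, size);
    buf[off] = last ? 0 : (uint8_t)size;    /* NextEntryOffset, low byte only */
    buf[off + 4] = (uint8_t)(2 * n);        /* StreamNameLength in bytes */
    for (size_t i = 0; i < n; i++) buf[off + FSI_HEADER + 2 * i] = (uint8_t)name[i];
    return off + size;
}

int main(void) {
    uint8_t b[128];
    size_t end = put_entry(b, put_entry(b, 0, "::$DATA", 0), ":Zone.Identifier:$DATA", 1);
    return has_zone_identifier(b, end) == 1 ? 0 : 1;
}
```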


If you use FltParseFileNameInformation then you could look at FLT_FILE_NAME_INFORMATION->UNICODE_STRING Stream, or more precisely at “nameInfo->Stream.Length”.

If that is >0 then you have an ADS. You can investigate from here since you have the parsed ADS name in that Unicode string.

Gabriel Bercea, in the pre-create callback FLT_FILE_NAME_INFORMATION->UNICODE_STRING Stream = NULL.

Why don’t you do the processing in POST create?
There, if you want to deny anything, you just use FltCancelFileOpen and use the appropriate status codes to deny the access to the file.
But already I am assuming you want to deny.
I did not really understand very well from your initial post what you really want to do.