FltSetInformationFile returns STATUS_INVALID_PARAMETER

Hi, I'm a beginner with minifilters. I want to change a file's size. I have searched many topics, but still get nothing.

First, in IRP_MJ_SET_INFORMATION pre function,
ntst = FltCreateFileEx(FltObjects->Filter,

and then,

These two functions work fine; I can get the standard information, such as the EndOfFile.QuadPart. But the strange thing is that Directory is TRUE. The file is a txt, not a directory. Then I allocate a pointer:
size_t totalSize = sizeof(FILE_STANDARD_INFORMATION);
myStan = (FILE_STANDARD_INFORMATION *)ExAllocatePool(PagedPool, totalSize);

I put everything into myStan from stFileInfo, then:

The function returns 0xC000000DL STATUS_INVALID_PARAMETER.
My OS is VMware win7_32, NTFS, and the file is a txt. I really don't know why.
Could somebody help me? Thanks!

FileStandardInformation can not be set - this is only for Query info class.

Thanks, rbmm!
If I want to change the file size that can be seen, which information can I modify?

You need to use FileEndOfFileInformation - see https://msdn.microsoft.com/en-us/library/windows/hardware/ff544516(v=vs.85).aspx


  • FileStandardInformation
  • FileAllInformation


    – FileDirectoryInformation
    – FileFullDirectoryInformation
    – FileIdFullDirectoryInformation
    – FileBothDirectoryInformation
    – FileIdBothDirectoryInformation
    – FileIdGlobalTxDirectoryInformation

My answer was for a case when a filter changes a file size visible to applications without modifying an actual file size on a file system. It was not clear what you were actually asking for.

Thank you, rbmm, I have changed the file size.
Thank you, Slava, I always get your help, thank you very much!

Here are some other questions irrelevant to the title:

I have seen a driver which can encrypt and decrypt files, like txt. When a txt is created on my computer, I can see the normal txt. But if I copy the file to another computer, I just see the encrypted content.

Here is my thought:

  1. On my computer, when the current process is “notepad.exe”, if the action is IRP_MJ_WRITE, a txt will be written with ciphertext. If the action is IRP_MJ_READ, a txt will be read, then decrypted, and the plaintext written into this txt, so I can read the plaintext on my computer.
  2. When a txt is copied to another computer, the driver intercepts the copy action (actually, I don't know how to do this) and encrypts the txt's content. I just read ciphertext on this computer because there is no driver, so the ciphertext can't be decrypted into plaintext.

Am I right?
If I'm wrong, please point it out. Thanks!

What did you mean by “copy the file to another computer”? There are two options:

  • copy by network
  • copy to a removable drive, unplug it and plug in another PC

In the former case the driver attached a filter to network redirectors (aka network file system drivers) and encrypted outbound data. In the latter case the driver attached a filter to a file system mounted to a removable drive volume.

There is no “copy” API in FSD. The copying is performed by read/write APIs.

Thanks for your patience, Slava!

It is the second situation. I have searched the ntfsd list, and I know I need to read a file, then write the data to another file.

These are my steps:
1. In the IRP_MJ_WRITE, I read the txt, encrypt the data, and write the data to the target file.
2. Read the target file, and I can get the ciphertext.

Here is my question:

  1. In order to get plaintext on my computer, I read the target file, decrypt the data and write the data back to the target file. In this situation, I can use notepad.exe to read the target as plaintext.

But the file becomes plaintext on the USB, and I can see plaintext on other computers.

I don’t completely understand what you are trying to achieve. If you are developing encryption software, there is a lot of information on this.

If you do develop encryption software and you are a beginner in kernel development, then you had better start with a user mode file system like winfsp ( https://github.com/billziss-gh/winfsp ) or Dokan ( https://dokan-dev.github.io ). You will map a “network drive” (it is not a network, it is just a common name) which will provide encryption functionality for applications. With a user mode FS you will implement all encryption/decryption in user mode, which is way easier than trying to do this in kernel mode, which requires an intricate knowledge of file systems, the Memory Manager and the Cache Manager.

There are better choices that provide transparent enterprise-like functionality with an isolation filter, like OSR’s DMK ( https://www.osr.com/dmk ). The only disadvantage is a prohibitive price. This is an enterprise class solution which you might not need.