Hello everyone:
I want to distinguish the two conditions of deletion in Windows NT
The first condition is to delete a file to the recycle bin. I know it will send 3 IRPs:
IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile FALSE
IRP_MJ_SET_INFORMATION/FileRenameInformation
The second condition is to delete a file using "Shift + Del"; in this case, it will only send:
IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
So we can see the difference in the two conditions. I want to know how to distinguish the two conditions by using the source code of filemon or sfilter.
Thank you!
You can just monitor IRPs to test for these conditions but maybe you should
explain what is your goal and what you wish to use this information for. Are
you looking for file protection or undelete functionality? Note that there
are other ways to delete a file such as a create with FILE_DELETE_ON_CLOSE
in the create options.
//Daniel
wrote in message news:xxxxx@ntfsd…
> Hello everyone:
>
> I want to distinguish the two conditions of deletion in Windows NT
>
> The first condition is to delete a file in the recycle bin.I know it will
> send 3 IRPs:
>
> IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
> IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile FALSE
> IRP_MJ_SET_INFORMATION/FileRenameInformation
>
> The second condition is to delete a file use "Shift + del ",in this
> case,it will only send:
>
> IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
>
> so we can see in the two conditions,I want to know how to distinguish the
> two conditions by using the source code of filemon or sfilter.
>
> thank you!
>
My goal is to detect the two conditions and log them differently.
For example, if c:\1.txt was deleted to the recycle bin, I want to log it as: “c:\1.txt ->del”
or, if c:\1.txt was deleted by using “shift + del”, I want to log it as: “c:\1.txt ->shift + del”
I want to use a file system filter driver (sfilter or filemon) to log them.
Can I check the file object in IRP_MJ_CLOSE?
Or is there another solution?
I know FILE_DELETE_ON_CLOSE in IRP_MJ_CREATE would cause a deletion.
What are you intending to do about non-Explorer applications which issue
these functions?
Anyway, as Daniel said, there is no reason why you shouldn’t put a little
state into a stream context (or perhaps a stream handle context might be
better) and then do the logging later (possibly in the cleanup). So long as
you realize that the logging is most indicative of what might have
happened…
Rod
wrote in message news:xxxxx@ntfsd…
>
> My goal is to detect the two conditions and log them differently,
> for example,c:\1.txt was deleted to the recycle bin, I want to log it
> as:“c:\1.txt ->del”
> or c:\1.txt was deleted by using “shift + del”, I want to log it
> as:“c:\1.txt ->shift + del”
> I want use file system filter driver:sfilter or filemon to log them.
> Can I check the fileobject in IRP_MJ_CLOSE?
> Or there is other solution?
>
> I know FILE_DELETE_ON_CLOSE in IRP_MJ_CREATE would cause a deletion.
>
>
>
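A user-mode model of the "little state" Rod suggests keeping in a stream context, added here as an example and not code from the thread, from sfilter or from filemon. The events are a constructed list standing in for what a filter would see in its IRP_MJ_CREATE, IRP_MJ_SET_INFORMATION and IRP_MJ_CLEANUP dispatch routines; the verdict is taken at cleanup and written in the log format the original poster asked for. The type and function names (`irp_event`, `stream_state`, `classify`, `format_log_line`) and the sample sequences are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One per-stream event, reduced from the IRPs named in the thread. A real
 * filter derives these in its dispatch routines; here they are a constructed list. */
typedef enum {
    EV_CREATE_DELETE_ON_CLOSE, /* IRP_MJ_CREATE with FILE_DELETE_ON_CLOSE in CreateOptions */
    EV_SET_DISPOSITION_TRUE,   /* FileDispositionInformation, DeleteFile = TRUE */
    EV_SET_DISPOSITION_FALSE,  /* FileDispositionInformation, DeleteFile = FALSE */
    EV_RENAME,                 /* FileRenameInformation */
    EV_CLEANUP                 /* IRP_MJ_CLEANUP: last handle closing, time to log */
} irp_event;

typedef enum {
    VERDICT_NONE,            /* no delete-like activity on this stream */
    VERDICT_RECYCLE_BIN,     /* "del": disposition TRUE, cleared, then renamed */
    VERDICT_HARD_DELETE,     /* "shift + del": disposition still TRUE at cleanup */
    VERDICT_DELETE_ON_CLOSE  /* opened with FILE_DELETE_ON_CLOSE */
} delete_verdict;

/* Stands in for the stream (or stream handle) context a filter would allocate. */
typedef struct {
    bool delete_pending;      /* most recent disposition set DeleteFile = TRUE */
    bool disposition_cleared; /* DeleteFile TRUE was later reset to FALSE */
    bool renamed;             /* a FileRenameInformation was seen */
    bool delete_on_close;     /* create carried FILE_DELETE_ON_CLOSE */
} stream_state;

/* Apply one event. Returns true on cleanup, the point at which to take the verdict. */
static bool stream_state_apply(stream_state *s, irp_event ev)
{
    switch (ev) {
    case EV_CREATE_DELETE_ON_CLOSE: s->delete_on_close = true; break;
    case EV_SET_DISPOSITION_TRUE:   s->delete_pending = true;  break;
    case EV_SET_DISPOSITION_FALSE:
        if (s->delete_pending) s->disposition_cleared = true;
        s->delete_pending = false;
        break;
    case EV_RENAME:                 s->renamed = true;         break;
    case EV_CLEANUP:                return true;
    }
    return false;
}

/* Decide at cleanup. A pending disposition or delete-on-close means the file
 * really goes away; the TRUE/FALSE/rename triple is Explorer's move into the
 * Recycler folder. Any application can issue the same IRPs, so, as Rod says,
 * this is only indicative of what happened, not proof of which key was pressed. */
static delete_verdict stream_state_verdict(const stream_state *s)
{
    if (s->delete_pending)                    return VERDICT_HARD_DELETE;
    if (s->delete_on_close)                   return VERDICT_DELETE_ON_CLOSE;
    if (s->disposition_cleared && s->renamed) return VERDICT_RECYCLE_BIN;
    return VERDICT_NONE;
}

/* Run a whole event sequence; the verdict is taken at the first cleanup.
 * Without a cleanup there is nothing to log yet, so the result is VERDICT_NONE. */
delete_verdict classify(const irp_event *events, size_t count)
{
    stream_state s;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < count; i++)
        if (stream_state_apply(&s, events[i]))
            return stream_state_verdict(&s);
    return VERDICT_NONE;
}

const char *verdict_label(delete_verdict v)
{
    switch (v) {
    case VERDICT_RECYCLE_BIN:     return "del";
    case VERDICT_HARD_DELETE:     return "shift + del";
    case VERDICT_DELETE_ON_CLOSE: return "delete-on-close";
    default:                      return "none";
    }
}

/* Log line in the poster's format, e.g. "c:\1.txt ->del". Returns snprintf's length. */
int format_log_line(const char *path, delete_verdict v, char *out, size_t cap)
{
    return snprintf(out, cap, "%s ->%s", path, verdict_label(v));
}

/* Constructed sample sequences matching the IRP lists given in the thread. */
const irp_event SAMPLE_RECYCLE_BIN[] = {
    EV_SET_DISPOSITION_TRUE, EV_SET_DISPOSITION_FALSE, EV_RENAME, EV_CLEANUP };
const irp_event SAMPLE_SHIFT_DEL[] = { EV_SET_DISPOSITION_TRUE, EV_CLEANUP };
const irp_event SAMPLE_DELETE_ON_CLOSE[] = { EV_CREATE_DELETE_ON_CLOSE, EV_CLEANUP };
const irp_event SAMPLE_RENAME_ONLY[] = { EV_RENAME, EV_CLEANUP };

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    char line[128];
    format_log_line("c:\\1.txt", classify(SAMPLE_RECYCLE_BIN, LEN(SAMPLE_RECYCLE_BIN)), line, sizeof line);
    puts(line); /* c:\1.txt ->del */
    format_log_line("c:\\1.txt", classify(SAMPLE_SHIFT_DEL, LEN(SAMPLE_SHIFT_DEL)), line, sizeof line);
    puts(line); /* c:\1.txt ->shift + del */
    return 0;
}
```

The decision is deliberately deferred to cleanup rather than taken in the FileDispositionInformation handler, because the DeleteFile TRUE that Explorer sends first looks identical to a Shift+Del until the FALSE and the rename arrive; the rename-only sequence is included to show that a plain move is not mistaken for a recycle-bin delete.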
“Delete to Recycle Bin” is actually move to the Recycler folder.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
wrote in message news:xxxxx@ntfsd…
> Hello everyone:
>
> I want to distinguish the two conditions of deletion in Windows NT
>
> The first condition is to delete a file in the recycle bin.I know it will send 3 IRPs:
>
> IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
> IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile FALSE
> IRP_MJ_SET_INFORMATION/FileRenameInformation
>
> The second condition is to delete a file use "Shift + del ",in this case,it will only send:
>
> IRP_MJ_SET_INFORMATION/FileDispositionInformation DeleteFile TRUE
>
> so we can see in the two conditions,I want to know how to distinguish the two conditions by using the source code of filemon or sfilter.
>
> thank you!
>