Hi Guys,
How can I monitor when a USB device mounts and unmounts? I want to write a driver that monitors and logs when a USB device mounts and has the ability to deny or allow that operation.
You cannot stop a device from being dismounted. If the user yanks out the plug, what do you think you're going to do about it?
Although I have long railed against software with the primary purpose of preventing the normal operation of my computer, it is possible to write a filter above the USB host controller or hub drivers and trap the PNP messages creating a new device.
- If you want to monitor and prevent USB storage mount - a file system filter for IRP_MJ_FILE_SYSTEM_CONTROL / IRP_MN_MOUNT_VOLUME. The only complication here is to infer if a volume device object is for a USB device. There is no direct connection between these objects that can be traversed like a list. This is a tree of busses with PDOs connected through different BusRelation properties.
- If you need to control any USB device - IRP_MJ_PNP / IRP_MN_START_DEVICE at the level you want to control, most likely this would be a filter attached to PDOs created by a USBHUB or USBCCGP (for composite USB devices) bus driver.
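The complication described above (deciding whether a disk sits below a USB device in the bus tree) as an added example, not code from this thread: a portable C model, not driver code, of the ancestor walk plus an allow/deny mount policy. The `devnode` struct, the function names, the allow-list and every instance ID are constructed; it assumes the filter has already resolved the volume to its backing disk's device node, and hubs are left out of the sample tree.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a PnP device node; parent is the bus PDO above it. */
struct devnode { const char *instance_id; const struct devnode *parent; };
enum verdict { MOUNT_ALLOW, MOUNT_DENY };

/* Case-insensitive prefix test (instance IDs are not case-sensitive). */
static int has_prefix(const char *s, const char *p) {
    for (; *p; s++, p++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*p)) return 0;
    return 1;
}

/* Walk toward the root; return the first node enumerated on the USB bus
   (ID starts with "USB" plus a backslash), or NULL if there is none. */
const struct devnode *usb_ancestor(const struct devnode *disk) {
    for (const struct devnode *n = disk; n != NULL; n = n->parent)
        if (has_prefix(n->instance_id, "USB\\")) return n;
    return NULL;
}

/* Non-USB disks mount; USB disks mount only if the owning USB device's
   instance ID equals an allow-list entry (ignoring case). */
enum verdict mount_verdict(const struct devnode *disk,
                           const char *const *allow, size_t n_allow) {
    const struct devnode *usb = usb_ancestor(disk);
    if (usb == NULL) return MOUNT_ALLOW;
    for (size_t i = 0; i < n_allow; i++)
        if (has_prefix(usb->instance_id, allow[i]) &&
            has_prefix(allow[i], usb->instance_id))
            return MOUNT_ALLOW;
    return MOUNT_DENY;
}

/* Constructed sample tree. uas_disk has a SCSI-style ID of its own, so
   checking only the disk node would miss that it hangs off a USB device. */
const struct devnode pci_ctrl  = { "PCI\\VEN_0000&DEV_0000\\SAMPLE", NULL };
const struct devnode sata_disk = { "SCSI\\DISK&VEN_SAMPLE\\0001", &pci_ctrl };
const struct devnode usb_dev_a = { "USB\\VID_0000&PID_0001\\SERIAL-A", &pci_ctrl };
const struct devnode usb_dev_b = { "USB\\VID_0000&PID_0002\\SERIAL-B", &pci_ctrl };
const struct devnode bot_disk  = { "USBSTOR\\DISK&VEN_SAMPLE\\SERIAL-A&0", &usb_dev_a };
const struct devnode uas_disk  = { "SCSI\\DISK&VEN_SAMPLE\\0002", &usb_dev_b };
const char *const ALLOW_LIST[] = { "usb\\vid_0000&pid_0001\\serial-a" };

int main(void) {
    const struct devnode *d[] = { &sata_disk, &bot_disk, &uas_disk };
    for (int i = 0; i < 3; i++)
        printf("%s -> %d\n", d[i]->instance_id, mount_verdict(d[i], ALLOW_LIST, 1));
    return 0;
}
```

In a real filter the same decision would be made in the mount path, with the verdict logged before the request is completed or passed down.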
Thanks @Slava_Imameev, will look into this.