I’ve seen in MSDN that a minifilter can intercept SET_INFORMATION events, but from scouring GitHub and other source repos I didn’t find any use cases.
From what the FILE_INFORMATION_CLASS suggests, this event can do many things, like set rename information (maybe rename a file?).
I would really appreciate it if someone could enlighten me on this (maybe you have a source code example?).
Microsoft provides a large collection of driver samples: https://github.com/microsoft/Windows-driver-samples
For example: https://github.com/microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/delete
The delete minifilter illustrates how to detect deletion of files and streams.
It monitors IRP_MJ_CREATE requests for the FILE_DELETE_ON_CLOSE flag. Also, it detects IRP_MJ_SET_INFORMATION
requests for setting FileDispositionInformation/FileDispositionInformationEx.
FYI for future folks:
this is an example of a minifilter used to detect renames using FileRenameInformation.
As you said, in this case the IRP_MJ_SET_INFORMATION callback will be invoked. You don’t need a complete source code example, you just need to check that
Data->Iopb->Parameters.SetFileInformation.FileInformationClass == ClassType in an if condition and then switch between all fields of the FileInformationClass.
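
Added example (not part of the thread and not code from the Microsoft samples): the check described in the last reply, modelled in plain C so it builds outside the WDK. SET_INFO_PARAMS, SET_INFO_OP and ClassifySetInformation are hypothetical stand-ins for what a real pre-operation callback reads from Data->Iopb->Parameters.SetFileInformation; the length check before touching InfoBuffer is the part a monitoring filter should not skip.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FILE_INFORMATION_CLASS values as defined in wdm.h (only the ones used here). */
enum { FileRenameInformation = 10, FileDispositionInformation = 13,
       FileDispositionInformationEx = 64, FileRenameInformationEx = 65 };
#define FILE_DISPOSITION_DELETE 0x00000001u

/* Stand-in (assumption) for Data->Iopb->Parameters.SetFileInformation. */
typedef struct {
    uint32_t    Length;                /* bytes available in InfoBuffer */
    int         FileInformationClass;
    const void *InfoBuffer;
} SET_INFO_PARAMS;

typedef enum { OP_OTHER, OP_RENAME, OP_DELETE, OP_UNDELETE, OP_MALFORMED } SET_INFO_OP;

/* Hypothetical helper: the decision a pre-operation callback would make. */
SET_INFO_OP ClassifySetInformation(const SET_INFO_PARAMS *p)
{
    uint32_t flags;

    switch (p->FileInformationClass) {
    case FileRenameInformation:
    case FileRenameInformationEx:
        return OP_RENAME;
    case FileDispositionInformation:
        /* FILE_DISPOSITION_INFORMATION holds one BOOLEAN, DeleteFile. */
        if (p->InfoBuffer == NULL || p->Length < sizeof(uint8_t))
            return OP_MALFORMED;
        return *(const uint8_t *)p->InfoBuffer ? OP_DELETE : OP_UNDELETE;
    case FileDispositionInformationEx:
        /* FILE_DISPOSITION_INFORMATION_EX holds one ULONG, Flags. */
        if (p->InfoBuffer == NULL || p->Length < sizeof flags)
            return OP_MALFORMED;
        memcpy(&flags, p->InfoBuffer, sizeof flags);
        return (flags & FILE_DISPOSITION_DELETE) ? OP_DELETE : OP_UNDELETE;
    default:
        return OP_OTHER;               /* timestamps, EOF, etc.: not tracked here */
    }
}

int main(void)
{
    uint32_t flags = FILE_DISPOSITION_DELETE;   /* constructed sample request */
    SET_INFO_PARAMS p = { sizeof flags, FileDispositionInformationEx, &flags };
    printf("classified as %d\n", ClassifySetInformation(&p));
    return 0;
}
```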