Hi!
I have a situation where I need to keep track of any reads / copy-paste
operations on a file, say c:\xyz.txt. Regarding read operations, I am using
a minifilter in conjunction with *FltGetFileNameInformation*. If needed I
can also get a pointer to the thread that initiated the I/O operation using
my minifilter.
Regarding copy-paste operations, I was planning to use the clipboard
functions (http://bit.ly/h7dJ2D). My plan is to keep track of any process
that copies data from xyz.txt; when data is pasted, I know that the data
originates from the previously saved process.
My questions:
- when data is copied, is there a way to link it to the read operation
  previously issued during fopen executed by notepad? This way I would know
  that a particular object on the clipboard originates from the file named by
  FltGetFileNameInformation.
- similarly to above, I would like to know where the data is being pasted /
  written.
So in a nutshell, I need to have the filenames of any files which contain
data originating from xyz.txt.
Case scenario:
- xyz.txt is opened in notepad.
- FltGetFileNameInformation returns the name of the opened file which is
  matched to xyz.txt
- pointer to the thread (belongs to notepad, right?) that initiated the read
  is linked to file xyz.txt and saved.
- data is copied from notepad
- notepad window handle is obtained using GetClipboardOwner
  (http://bit.ly/gJsjMe)
- window handle is somehow linked to notepad’s thread, so I get a link from a
  clipboard item to xyz.txt
- data is pasted to a new notepad, so when data is saved from notepad, I can
  link the new file to xyz.txt
Do you think this is possible? If not, is there any other way to get around
my problem?