Windows Explorer search handling from our Hook Method

Hello All,
We would like to handle the Windows Explorer search as soon as the user enters a single character. We found there is no single Win32 API into which we can hook. Please share whether we can handle the Windows Explorer search operation through a Windows driver.

The use case is as follows:

  1. Windows Explorer provides a search box for the currently opened folder.
  2. The user can type any string or pattern or a single character into the search box, and Windows OS will perform the default search operation.
  3. In our use case, if the user opens a mapped network folder (hosted on our Linux server) and initiates a search, we want to intercept and handle the search operation ourselves, returning the list of matched files.
  4. Currently, Windows handles the search operation on its own, opening and reading file contents one by one from our server.
    This impacts performance significantly, especially for large files. We are not able to attach the Wireshark packet log.
  5. We intend to intercept the Windows Explorer search operation so that the search string entered by the user can be sent to our Linux server from our application. The server will then process the query and return the matched file list, which we would display directly in the Explorer view. This approach aims to avoid the current behavior where Windows opens, reads, and closes each file individually, resulting in performance degradation, especially with large files.
  6. We would appreciate your guidance on how to achieve this.
  7. Specifically, we are looking for ways to hook into the Windows Explorer search operation, as we are currently unsure of the best mechanism to do so.
    Thank you very much.

The standard way you get Explorer to stop opening and reading files is by setting FILE_ATTRIBUTE_RECALL_ON_OPEN and/or FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS. This lets Explorer/Search/AV/etc. know that touching these files may "take a while" so should only be done if absolutely necessary.
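
A way to check which entries on the share actually present those two bits to clients, as an added example that is not part of the original thread. The function name `Get-RecallAttributeReport` and the path `Z:\share` are hypothetical; the bit values are the ones defined in `winnt.h`.

```powershell
# Added example, not from the thread: report the recall attributes that a
# directory enumeration returns for each entry in a folder.
$RECALL_ON_OPEN        = 0x00040000   # FILE_ATTRIBUTE_RECALL_ON_OPEN
$RECALL_ON_DATA_ACCESS = 0x00400000   # FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS

function Get-RecallAttributeReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # Get-ChildItem reads attributes from the directory listing, so no file
    # content is opened here. RECALL_ON_OPEN is only reported by directory
    # enumeration, which is why the listing is the right place to look.
    Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The .NET FileAttributes enum has no names for these bits, but the
            # raw numeric value keeps them, so test the integer directly.
            $raw = [int]$_.Attributes
            [pscustomobject]@{
                Name               = $_.FullName
                IsDirectory        = $_.PSIsContainer
                RawAttributes      = '0x{0:X8}' -f $raw
                RecallOnOpen       = [bool]($raw -band $RECALL_ON_OPEN)
                RecallOnDataAccess = [bool]($raw -band $RECALL_ON_DATA_ACCESS)
            }
        }
}

# 'Z:\share' is a placeholder for the mapped network folder.
$report = Get-RecallAttributeReport -Path 'Z:\share'
$report | Format-Table -AutoSize

# Files that carry neither bit are the ones a content search is free to open.
$unmarked = @($report | Where-Object {
    -not $_.IsDirectory -and -not ($_.RecallOnOpen -or $_.RecallOnDataAccess)
})
'{0} file(s) carry neither recall bit' -f $unmarked.Count
```

Running it against the mapped drive before and after changing what the server or filter reports shows whether the bits are reaching the client.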

Subject: Handling Windows Explorer Search on Mapped Drive

Hello Scott_Noone_OSR,

Thank you very much for your reply.

As mentioned earlier, our goal is to open files normally, but to handle the Windows Explorer search operation ourselves when a user performs a search on a remote folder (via a mapped drive).

We would appreciate your guidance on:

  • Whether it's possible to disable the default Windows Explorer search behavior.
  • How we can intercept or receive notifications for search operations initiated by Explorer, and handle them in our own custom or hook method.
  • Whether implementing a driver is a viable solution for this, and what type of driver would be appropriate.

Thank you again for your support.

Best regards,
Aditya

Honestly I have no idea, those are all Shell implementation questions... The only way I know to influence the Shell behavior from a file system filter is through those bits.

If you want to know exactly what's going on in Explorer you'll need to spelunk. I'd start by using Process Monitor and seeing where the client side opens/reads/etc. are coming from. Maybe there's some Shell extension/hook that allows you to plug in somewhere (but again I have no idea).

Good luck!