
Windows Filesystem Minifilter Drivers: can I monitor and prevent FS operations using them?

开发者 https://www.devze.com 2022-12-30 07:58 Source: Internet

I need to:

1. Monitor operations on certain drives/paths

2. Prevent read and/or write operations on certain drives/paths

For example:

C://Users
D:

Can this be done using Windows Filesystem Minifilter Drivers?

I am mostly interested in step 2. In other words, can a minifilter cancel an IRP?


Yes this is all possible with a filesystem mini filter driver.

For #1 you don't need a mini filter driver; you could use a Win32 API like ReadDirectoryChangesW.

For #2 you can not only do that but you can also modify what gets read/written, even of different size.

You can get started here.


Raymond Chen, who is a long-time Windows developer, addressed a version of this question on his blog - he would recommend using ACLs for preventing operations rather than trying to get code to run to stop it. See his post on this for some thoughts...
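
The ACL approach mentioned in the answer above, as an added example that is not part of the original answer or of the post it refers to: a PowerShell script that adds an inheritable deny-write entry to a directory and then lists the deny entries in effect. The path `D:\Protected` and the local account name `appuser` are constructed placeholder values.

```powershell
# Added example: block writes under a directory with a deny ACE instead of a driver.
# $Path and $Principal are constructed placeholders; replace them for your system.
param(
    [string]$Path      = 'D:\Protected',
    [string]$Principal = "$env:COMPUTERNAME\appuser"
)

function Add-DenyWriteRule {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Principal
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }

    # Write covers WriteData, AppendData, WriteAttributes and WriteExtendedAttributes.
    # The delete rights are added so files cannot be removed or replaced either.
    $rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
    # Apply to this folder, its subfolders and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $type      = [System.Security.AccessControl.AccessControlType]::Deny

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $rights, $inherit, $propagate, $type)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-DenyRules {
    param([Parameter(Mandatory)] [string]$Path)

    # Return only the deny entries so the change can be reviewed.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
}

Add-DenyWriteRule -Path $Path -Principal $Principal
Get-DenyRules -Path $Path | Format-Table -AutoSize
```

The deny entry binds only the named principal and any group it is applied to; the owner of the directory or an administrator can still change the ACL, so choose the principal narrowly and run the script from an elevated session.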


I would suggest using the Detours library to handle this task.
