Message 2 of 3
03 Jan 17 09:47
Join Date: 10 Jul 2002
Posts To This List: 920
FS_FILTER_CALLBACKS via Mini-Filters
FsRtlRegisterFileSystemFilterCallbacks is only for legacy file system
filters (and file systems, if they so choose). Filter Manager provides its
own abstractions for these callbacks in the form of pseudo IRP operations
wrote in message news:101991@ntfsd...
I am fairly new to actually writing file system related code.
Though i have been doing a fair bit of studying for sometime on the subject
to get started.
Here is some piece of code to deny a process by capturing acquire for
section sync callback.
This seems to be work fine and denies when i launch calc.exe for testing
_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID *CompletionContext
if (Data->Iopb->MajorFunction ==
FS_FILTER_SECTION_SYNC_TYPE SyncType =
ULONG PageProtection =
if (SyncType == SyncTypeCreateSection && PageProtection & PAGE_EXECUTE)
if (FltObjects && FltObjects->FileObject)
&FltObjects->FileObject->FileName, TRUE) == 0)
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
return FLT_PREOP_COMPLETE; // this doesn't allow this I/O to be send
down the stack to file system and hence fails it right away
I also tried to register FS_FILTER_CALLBACKS in my driver entry.
The call for registration succeeds without any problem but i don't get any
callbacks via this mechanism.
Is it expected to not get called in the case of mini-filter (works only for
I had followed some previous forum links , where it was suggested that
process execution could be denied in the very initial phase via
fsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(fsFilterCallbacks);
status = FsRtlRegisterFileSystemFilterCallbacks(DriverObject,
Is there a difference between the two mechanism ?
Thanks for this community, it has been really helpful in learning.