Message 1 of 4
30 Jan 18 06:20
Join Date: 26 Jan 2018
Posts To This List: 4
Identify file operations with missing files
I am trying to identify file read operations with missing files in a particular
folder. For that I am using IRP_MJ_CREATE and I am performing the following
logic in the FLT_PREOP_CALLBACK:
I call the functions FltGetFileNameInformation(), FltParseFileNameInformation()
and verify if the path of the object belongs to my desired folder, if so I call
Now, I assume three possible statuses for the FltCreateFile() method: SUCCESS,
everything is fine; STATUS_OBJECT_NAME_NOT_FOUND, the file does not exist in
the file system, so I print a message informing that the file is missing; and
finally, any other error, I simply print a message informing that an error
My question is: is this the correct approach?
The reason why I ask this is because I am having some problems.
For instance, if I create a folder "New folder" inside my watched directory, I
get several events for the objects "New folder\desktop.ini", "folder.jpg" and
"folder.gif" that, when opened, return STATUS_OBJECT_NAME_NOT_FOUND, so I flag
them as missing files. In order to solve this, when I verify the path of the
object I simply check whether the final component corresponds to "desktop.ini",
"folder.jpg" or "folder.gif", and if so I ignore it.
Another problem I have is that when opening a file that exists, I get an event for an
object with the name "test.txt:Zone.Identifier"; again, to solve this I am
ignoring files with the string ":Zone.Identifier" in the final component.
When I create a file in the folder (by copy/pasting or right click > new >
file) I also get some events that later, when opening the file, get
Is this the correct way to do this, or is there a better approach?
Thanks for any input.
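The classification step the post describes, written out as an added example (this is not the poster's code and not from any minifilter sample). It is user-mode C so it compiles anywhere, and it models the decision taken after the FltCreateFile() probe: split the final component into the file name, stream name and stream type that FltParseFileNameInformation() reports as FinalComponent and Stream, then decide what a STATUS_OBJECT_NAME_NOT_FOUND result means. It goes beyond the post in two ways: the ":Zone.Identifier" special case becomes the general rule "a failed open of a named stream says nothing about the file itself", and the caller's CreateDisposition is consulted, because a FILE_OPEN probe is expected to fail for a request that is about to create the file (the copy/paste and "new > file" events). The names `classify_create`, `split_final_component`, `stream_parts` and the `verdict` enum are my own; the STATUS_* and FILE_* constants are copied from the Windows headers, and the probe-file list is the one given in the post.

```c
/* Added example, not the poster's code. User-mode C modelling the decision
 * taken after the pre-create FltCreateFile() probe. STATUS_* and FILE_*
 * values are copied from the Windows headers; everything else is hypothetical. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define NT_SUCCESS(s) ((s) >= 0)
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
#define STATUS_SHARING_VIOLATION     ((NTSTATUS)0xC0000043L)

/* CreateDisposition; in a pre-create callback the caller's value is
 * Data->Iopb->Parameters.Create.Options >> 24. */
#define FILE_SUPERSEDE    0
#define FILE_OPEN         1
#define FILE_CREATE       2
#define FILE_OPEN_IF      3
#define FILE_OVERWRITE    4
#define FILE_OVERWRITE_IF 5

enum verdict {
    VERDICT_OK,             /* probe opened the object */
    VERDICT_MISSING,        /* file really absent: report it */
    VERDICT_STREAM_MISSING, /* only a named stream (e.g. Zone.Identifier) is absent */
    VERDICT_IGNORED,        /* Explorer probing desktop.ini / folder.jpg / folder.gif */
    VERDICT_WILL_CREATE,    /* caller's disposition creates the file if absent */
    VERDICT_OTHER_ERROR
};

/* name[:stream[:$type]] as in "test.txt:Zone.Identifier:$DATA". */
typedef struct { char name[256]; char stream[256]; char type[32]; } stream_parts;

static void copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

void split_final_component(const char *fc, stream_parts *out)
{
    memset(out, 0, sizeof *out);
    const char *c1 = strchr(fc, ':');
    if (c1 == NULL) { copy_bounded(out->name, sizeof out->name, fc, strlen(fc)); return; }
    copy_bounded(out->name, sizeof out->name, fc, (size_t)(c1 - fc));
    const char *c2 = strchr(c1 + 1, ':');
    if (c2 == NULL) { copy_bounded(out->stream, sizeof out->stream, c1 + 1, strlen(c1 + 1)); return; }
    copy_bounded(out->stream, sizeof out->stream, c1 + 1, (size_t)(c2 - c1 - 1));
    copy_bounded(out->type, sizeof out->type, c2 + 1, strlen(c2 + 1));
}

/* NTFS names are case-insensitive, so compare that way. */
static int ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int is_shell_probe(const char *name)
{
    static const char *const probes[] = { "desktop.ini", "folder.jpg", "folder.gif" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (ieq(name, probes[i])) return 1;
    return 0;
}

enum verdict classify_create(const char *final_component, uint32_t disposition, NTSTATUS probe_status)
{
    stream_parts p;
    split_final_component(final_component, &p);

    if (NT_SUCCESS(probe_status)) return VERDICT_OK;
    if (probe_status != STATUS_OBJECT_NAME_NOT_FOUND) return VERDICT_OTHER_ERROR;
    /* Only FILE_OPEN and FILE_OVERWRITE need the file to exist already; every
     * other disposition creates it, so a failed FILE_OPEN probe is expected. */
    if (disposition != FILE_OPEN && disposition != FILE_OVERWRITE) return VERDICT_WILL_CREATE;
    if (p.stream[0] != '\0') return VERDICT_STREAM_MISSING;
    if (is_shell_probe(p.name)) return VERDICT_IGNORED;
    return VERDICT_MISSING;
}

int main(void)
{
    /* Constructed sample events mirroring the ones the post describes. */
    static const char *const label[] = { "OK", "MISSING", "STREAM_MISSING", "IGNORED", "WILL_CREATE", "OTHER_ERROR" };
    struct { const char *fc; uint32_t disp; NTSTATUS st; } ev[] = {
        { "report.docx",              FILE_OPEN,   STATUS_OBJECT_NAME_NOT_FOUND },
        { "Desktop.ini",              FILE_OPEN,   STATUS_OBJECT_NAME_NOT_FOUND },
        { "test.txt:Zone.Identifier", FILE_OPEN,   STATUS_OBJECT_NAME_NOT_FOUND },
        { "New Text Document.txt",    FILE_CREATE, STATUS_OBJECT_NAME_NOT_FOUND },
        { "report.docx",              FILE_OPEN,   STATUS_SHARING_VIOLATION },
    };
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++)
        printf("%-26s disp=%u -> %s\n", ev[i].fc, ev[i].disp, label[classify_create(ev[i].fc, ev[i].disp, ev[i].st)]);
    return 0;
}
```

In a real pre-create callback the inputs would be the ANSI conversion of `NameInfo->FinalComponent` and the disposition taken from `Data->Iopb->Parameters.Create.Options >> 24`; the watched-folder check on ParentDir stays where the post already does it, before any probe is issued.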