What is the IRP message generated on file delete in a filter driver?

how can i block the file deletion using a mini filter driver ?
I worked with the code below; it works in windows 7 but not in windows version 8 or later

if (pIrp->MajorFunction==IRP_MJ_WRITE || pIrp>MajorFunction==IRP_MJ_SET_INFORMATION ||
pIrp>MajorFunction==IRP_MJ_SET_VOLUME_INFORMATION || pIrp->MajorFunction==IRP_MJ_SET_SECURITY ||
pIrp->MajorFunction==IRP_MJ_SET_QUOTA)
{
DbgPrint(“fdrv :Read only operation block”);
Irp->IoStatus.Status = STATUS_ACCESS_DENIED;//Deny Access
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_ACCESS_DENIED;

}

i want to block the deltion operation in windows 7 and all later versions

> how can i block the file deletion using a mini filter driver ?

The three most usual ways that files are deleted are

  1. IRP_MJ_SET_INFORMATION with Information Classes
    FileDispositionInformation OR FIleDispositionInformationEx and the
    structure set up appropriately
    SO LONG as the file is not undeleted (same call, different settings
    of the structures) before that HANDLE is closed
  2. A create with DELETE_ON_CLOSE set
    SO LONG as the handle is not unset DELETE_ON_CLOSE
    (FIleDispositionInformationEx / FILE_DISPOSITION_ON_CLOSE +
    FILE_DISPOSITION_DO_NOT_DELETE)
  3. Another file is destructively renamed over the file.

I’d guess that you are missing (2), but you should bear in mind that
stopping deletion is quite hard and by denying a request which can be undone
((1) and (2) above) you may affect other operations.

thank you rod widdowson

as you mentioned above i modified the code with the below block of code

if(Irp->MajorFunction==IRP_MJ_CREATE)
{
if (irpSp->Parameters.Create.Options & FILE_DELETE_ON_CLOSE)
{

DbgPrint(“APFD FILE_DELETE_ON_CLOSE create while delete \n”);
Irp->IoStatus.Status = STATUS_ACCESS_DENIED;//Deny Access
Irp->IoStatus.Information = 0;

IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_ACCESS_DENIED;
}
}
}

Is this code is perfect ?otherwise please help me.i am beginner to filter driver development

If you’re calling IoCompleteRequest then you’re working with a Legacy
Filter. This is a big mistake, you need to write a Filter Manager
Minifilter.

Only other comment: do you consider destructive opens (e.g.
TRUNCATE_EXISTING) to be deletes?

-scott
OSR
@OSRDrivers

thank you all

now its working