Hi,
I would like to cancel a delete operation in my minifilter. I’ve written the code that detects when a file is being deleted, but I’m unclear on how to actually cancel the operation. Can anyone help me out with this?
Here is my callback routine that detects for file deletion. Right now, all it does is send the file path to a user mode app.
FLT_POSTOP_CALLBACK_STATUS
PostProcessIrp (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__in_opt PVOID CompletionContext,
__in FLT_POST_OPERATION_FLAGS Flags
)
{
PFLT_FILE_NAME_INFORMATION nameInfo;
PFILE_DISPOSITION_INFORMATION fdi;
//BOOLEAN isDirectory;
FLT_FILE_NAME_OPTIONS nameOptions;
BOOLEAN scanFile;
NTSTATUS status;
PMDL *mdlAddress;
LOCK_OPERATION lockOp= IoReadAccess;
PVOID *buffer;
PULONG length;
UNICODE_STRING uniString;
FLT_PREOP_CALLBACK_STATUS cbStatus = FLT_POSTOP_FINISHED_PROCESSING;
UNREFERENCED_PARAMETER( CompletionContext );
UNREFERENCED_PARAMETER( Flags );
DbgPrint( “Scanner!PostProcessIrp Entered\n” );
if (!NT_SUCCESS( Data->IoStatus.Status ) || (STATUS_REPARSE == Data->IoStatus.Status))
{
return FLT_POSTOP_FINISHED_PROCESSING;
}
/* FltIsDirectory(Data->Iopb->TargetFileObject,FltObjects->Instance,&isDirectory);
if(isDirectory)
{
return FLT_POSTOP_FINISHED_PROCESSING;
}*/
switch(Data->Iopb->MajorFunction)
{
case IRP_MJ_SET_INFORMATION:
if (Data->Iopb->Parameters.SetFileInformation.FileInformationClass == FileDispositionInformation)
{
DbgPrint( “Scanner!PostProcessIrp FileDispositionInformation \n” );
status = FltDecodeParameters(Data, &mdlAddress, &buffer, &length, &lockOp);
DbgPrint( “Scanner!PostProcessIrp FileDispositionInformation buffer length: %d \n”, *length );
fdi = (PFILE_DISPOSITION_INFORMATION)(*buffer);
if (fdi->DeleteFile == TRUE)
{
status = FltGetFileNameInformation( Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo );
if (!NT_SUCCESS( status )) {
return FLT_POSTOP_FINISHED_PROCESSING;
}
FltParseFileNameInformation( nameInfo );
//
// Check if the extension matches the list of extensions we are interested in
//
if (RtlPrefixUnicodeString ( &TargetFolder, &nameInfo->ParentDir, TRUE ) == TRUE) {
scanFile = ScannerpCheckExtension( &nameInfo->Extension );
if (scanFile)
{
ScannerpSendMessageToUserApp ( &nameInfo->Name, 0, 1 );
}
}
FltReleaseFileNameInformation( nameInfo );
}
}
//TODO: Handle FileSetNameInformation for file renames.
break;
default:
;
}
return cbStatus;
}