I don’t know why I cannot seem to find a straightforward answer to the question “How to determine file open event via mini filter?”
In Microsoft’s docs (https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/irp-mj-create), it is explained that:
“The I/O Manager sends the IRP_MJ_CREATE request when a new file or directory is being created, or when an existing file, device, directory, or volume is being opened.”
In the same Microsoft doc on IRP_MJ_CREATE, it says:
"Irp->IoStatus Pointer to an IO_STATUS_BLOCK structure that receives the final completion status and information about the requested operation. The file system sets the Information member of this structure to one of the following values:
FILE_CREATED
FILE_DOES_NOT_EXIST
FILE_EXISTS
FILE_OPENED
FILE_OVERWRITTEN
FILE_SUPERSEDED"
How do I identify if the status of the event is FILE_OPENED? The question is, when IRP_MJ_CREATE is sent, can I determine if this is a result of an existing file being open? And if I can, can I therefore identify the name of the file that is being opened, and which AD account has opened it?
Thanks.
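As an added illustration (not part of the original post), the decision the question is asking about, modelled as stand-alone C. In a real minifilter the inputs come from the callback data (Data->IoStatus and Data->Iopb->Parameters.Create.Options); the constants are the documented Windows values, redefined here so the code compiles without the WDK.

```c
/* Added example: how a minifilter decides "was an existing file opened?"
 * Real source of each input in a post-create callback (PFLT_POST_OPERATION_CALLBACK):
 *   status      = Data->IoStatus.Status
 *   information = Data->IoStatus.Information
 *   options     = Data->Iopb->Parameters.Create.Options
 * File name:  FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED |
 *             FLT_FILE_NAME_QUERY_DEFAULT, &info) + FltParseFileNameInformation.
 * Requestor:  Data->Iopb->Parameters.Create.SecurityContext->AccessState->
 *             SubjectSecurityContext -> SeQuerySubjectContextToken() ->
 *             SeQueryInformationToken(token, TokenUser, ...) gives the SID
 *             (the AD account). Capturing it in pre-create and handing it to
 *             post-create via CompletionContext is the usual pattern. */
#include <stdint.h>
#include <stdbool.h>

typedef int32_t   NTSTATUS;
typedef uint32_t  ULONG;
typedef uintptr_t ULONG_PTR;
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)

/* IoStatus.Information values the file system sets after IRP_MJ_CREATE */
#define FILE_SUPERSEDED     0
#define FILE_OPENED         1
#define FILE_CREATED        2
#define FILE_OVERWRITTEN    3
#define FILE_EXISTS         4
#define FILE_DOES_NOT_EXIST 5

/* Create disposition (caller's intent) is the top byte of Create.Options */
#define FILE_SUPERSEDE    0
#define FILE_OPEN         1
#define FILE_CREATE       2
#define FILE_OPEN_IF      3
#define FILE_OVERWRITE    4
#define FILE_OVERWRITE_IF 5

typedef enum {
    CREATE_FAILED,          /* request failed; Information only explains why */
    CREATE_OPENED_EXISTING, /* existing file, directory, device or volume opened */
    CREATE_NEW_OR_REPLACED  /* created, overwritten or superseded */
} CreateOutcome;

ULONG CreateDisposition(ULONG options) { return (options >> 24) & 0xFF; }

/* Post-create: the outcome is known only here, and Information is meaningful
 * only when the request succeeded. FILE_OPENED is the "existing file opened" case. */
CreateOutcome ClassifyPostCreate(NTSTATUS status, ULONG_PTR information)
{
    if (!NT_SUCCESS(status)) return CREATE_FAILED;
    return information == FILE_OPENED ? CREATE_OPENED_EXISTING : CREATE_NEW_OR_REPLACED;
}

/* Pre-create: the disposition states intent, not result. FILE_OPEN can only open an
 * existing file; FILE_OPEN_IF may open or create, so wait for post-create to be sure. */
bool PreCreateMayOpenExisting(ULONG options)
{
    ULONG d = CreateDisposition(options);
    return d == FILE_OPEN || d == FILE_OPEN_IF;
}
```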