How can I block file deletion using a minifilter driver?
I worked with the code below; it works in Windows 7 but not in Windows version 8 or later.
if (pIrp->MajorFunction == IRP_MJ_WRITE || pIrp->MajorFunction == IRP_MJ_SET_INFORMATION ||
    pIrp->MajorFunction == IRP_MJ_SET_VOLUME_INFORMATION || pIrp->MajorFunction == IRP_MJ_SET_SECURITY ||
    pIrp->MajorFunction == IRP_MJ_SET_QUOTA)
{
    DbgPrint("fdrv :Read only operation block");
    Irp->IoStatus.Status = STATUS_ACCESS_DENIED; // Deny access
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_ACCESS_DENIED;
}
I want to block the deletion operation in Windows 7 and all later versions.
> how can i block the file deletion using a mini filter driver ?
The three most usual ways that files are deleted are:
- IRP_MJ_SET_INFORMATION with Information Classes
  FileDispositionInformation OR FileDispositionInformationEx and the
  structure set up appropriately
  SO LONG as the file is not undeleted (same call, different settings
  of the structures) before that HANDLE is closed
- A create with DELETE_ON_CLOSE set
  SO LONG as the handle is not unset DELETE_ON_CLOSE
  (FileDispositionInformationEx / FILE_DISPOSITION_ON_CLOSE +
  FILE_DISPOSITION_DO_NOT_DELETE)
- Another file is destructively renamed over the file.
I’d guess that you are missing (2), but you should bear in mind that
stopping deletion is quite hard and by denying a request which can be undone
((1) and (2) above) you may affect other operations.
Thank you, Rod Widdowson.
As you mentioned above, I modified the code with the block of code below:
// MajorFunction is a field of the IO_STACK_LOCATION, not of the IRP
if (irpSp->MajorFunction == IRP_MJ_CREATE)
{
    if (irpSp->Parameters.Create.Options & FILE_DELETE_ON_CLOSE)
    {
        DbgPrint("APFD FILE_DELETE_ON_CLOSE create while delete \n");
        Irp->IoStatus.Status = STATUS_ACCESS_DENIED; // Deny access
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_ACCESS_DENIED;
    }
}
Is this code perfect? Otherwise please help me. I am a beginner in filter driver development.
If you’re calling IoCompleteRequest then you’re working with a Legacy
Filter. This is a big mistake, you need to write a Filter Manager
Minifilter.
Only other comment: do you consider destructive opens (e.g.
TRUNCATE_EXISTING) to be deletes?
-scott
OSR
@OSRDrivers
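
The three deletion paths listed in the reply above, plus the destructive-open question raised in the last reply, modelled as a decision function. This is an added example, not code from any poster in the thread: it is a user-mode model rather than a minifilter, the `request` struct, `classify` and `should_deny` are hypothetical names, and the constants are re-declared with their WDK header values so it compiles without the WDK. In a Filter Manager minifilter the same fields would be read from `Data->Iopb->Parameters` in the pre-operation callbacks for IRP_MJ_CREATE and IRP_MJ_SET_INFORMATION.

```c
#include <stdbool.h>
#include <stdint.h>
/* Values as defined in the WDK headers (wdm.h, ntifs.h). */
#define IRP_MJ_CREATE          0x00
#define IRP_MJ_SET_INFORMATION 0x06
#define FILE_DELETE_ON_CLOSE   0x00001000u /* create option */
#define FILE_SUPERSEDE         0u          /* create dispositions */
#define FILE_OVERWRITE         4u
#define FILE_OVERWRITE_IF      5u
#define FILE_DISPOSITION_DELETE       0x1u
#define FILE_RENAME_REPLACE_IF_EXISTS 0x1u
enum { FileRenameInformation = 10, FileDispositionInformation = 13,
       FileDispositionInformationEx = 64, FileRenameInformationEx = 65 };
typedef enum { REQ_OTHER, REQ_DELETE, REQ_UNDELETE,
               REQ_DESTRUCTIVE_OPEN, REQ_REPLACING_RENAME } req_kind;

/* Hypothetical flattened view of what a pre-operation callback reads. */
typedef struct {
    uint8_t  major;          /* IRP_MJ_* */
    uint32_t create_options; /* Parameters.Create.Options, disposition in top 8 bits */
    int      info_class;     /* FileInformationClass of a set-information request */
    uint32_t info_flags;     /* DeleteFile / ReplaceIfExists BOOLEAN, or the Ex Flags */
} request;

req_kind classify(const request *r) {
    if (r->major == IRP_MJ_CREATE) {
        uint32_t disp = r->create_options >> 24;
        if (r->create_options & FILE_DELETE_ON_CLOSE) return REQ_DELETE;
        if (disp == FILE_SUPERSEDE || disp == FILE_OVERWRITE || disp == FILE_OVERWRITE_IF)
            return REQ_DESTRUCTIVE_OPEN; /* Win32 TRUNCATE_EXISTING arrives as FILE_OVERWRITE */
        return REQ_OTHER;
    }
    if (r->major != IRP_MJ_SET_INFORMATION) return REQ_OTHER;
    switch (r->info_class) {
    case FileDispositionInformation:   /* BOOLEAN DeleteFile */
        return r->info_flags ? REQ_DELETE : REQ_UNDELETE;
    case FileDispositionInformationEx: /* ULONG Flags */
        return (r->info_flags & FILE_DISPOSITION_DELETE) ? REQ_DELETE : REQ_UNDELETE;
    case FileRenameInformation:        /* BOOLEAN ReplaceIfExists */
    case FileRenameInformationEx:      /* ULONG Flags */
        return (r->info_flags & FILE_RENAME_REPLACE_IF_EXISTS) ? REQ_REPLACING_RENAME : REQ_OTHER;
    default: return REQ_OTHER;
    }
}

/* Undeletes pass; whether a destructive open counts as a delete is the caller's policy. */
bool should_deny(const request *r, bool overwrite_is_delete) {
    req_kind k = classify(r);
    return k == REQ_DELETE || k == REQ_REPLACING_RENAME ||
           (k == REQ_DESTRUCTIVE_OPEN && overwrite_is_delete);
}
```

A replacing rename is only flagged here; a real filter still has to determine whether the rename target exists and is a file it protects.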