How could I prevent a folder from being created using a windows service?

views:

207

answers:

+2 Q:

How could I prevent a folder from being created using a windows service?

I have users and processes on a web server. I'm looking to write a windows service that is capable of intercepting calls to create folders within a specific sub-directory. I've found several sources out there for reactively catching that a folder was created, but I want to create a windows service that will proactively intercept and pre-empt any unacceptable calls to create the folder.

Let me pre-empty the "why"-ers. Don't bother asking why. Suffice it to say I've been asked to do this, and I'm trying to find the simplest method of accomplishing the task in an automated way. I've already determined how to accomplish it if I let the folder get created then just follow along with my windows service and delete it (and its contents) after the fact. I really would like an event I could have the service listen to and pre-empt.

Not sure if you're gonna find a "precreate file" intercept point. If I were you I'd push back and just lock down the security settings on your folder. If it's really just one folder and you're running on windows, you can set up security to prevent everyone from creating folders in that directory. Just be sure that's what you want to do.

Then the OS will do it without you writing any code at all.

Maybe there's a call in the security path you can inject this code into if you really have to write it yourself for some reason.

No Refunds No Returns 2010-02-19 15:59:51

@NO Refunds: I thought about this, but I don't want to disable all creations, only creations that don't match business rules criteria as determined by a rules engine (that I don't control).

Joel Etherton 2010-02-19 16:07:42

I thought that perhaps failed creations would appear in the Event Log. (They don't seem to, at least by default.) If they did, you could lock them out with access control, monitor the log for failed attempts, and then your service could create the only the directories you wanted to allow. Oh well.

JeffH 2010-02-19 16:31:00

Use a FileSystemWatcher.

Rune 2010-02-19 16:07:01

@Rune: I like that link. Very informative, but it's still reactive. I'd have no real way of throwing out an UnauthorizedAccessException to the attempting party. It would still be an after-the-fact "clean up". Though, that looks better than my original idea so if I end up going that route I'll definitely use this.

Joel Etherton 2010-02-19 16:12:51

FileSystemWatcher would have to have a "Creating" event for the OP to use it the way they ask for. Once the "Created" event fires, it's too late for them.

JeffH 2010-02-19 16:14:28

How are your users creating new folders? Is there a set way (IE: right click, New > Folder) or are they doing it however the Explorer UI allows? I ask because an idea would be to build an add-in for the right click feature (similar to WinRar) that is designed to create a new folder with the parameters you specify.

This would only work if they all use the exact same method to create a new folder. No need for a windows service to do it.

rockinthesixstring 2010-02-19 16:07:50

@rockinthesixstring: I have been asked to make sure that even automated services (such as IIS, other windows services of lower priority) should not be allowed to create folders. This could be through explorer, through managed code, unmanaged code, FTP. Possibly even more.

Joel Etherton 2010-02-19 16:10:51

Sounds like a challenge. I can't think of a way to intercept, only follow along. If an invalid folder is created, deleted and generate a popup notification. though I've been known to be wrong before.

rockinthesixstring 2010-02-19 16:15:17

+3 A:

Unfortunately I don't know anywhere near enough about the how to help you, but I'm fairly sure that you'll need to either write or obtain a File System Filter Driver that can communicate with your windows service to tell it that someone has attempted to create a directory/file so that your service can make a decision for it. This way when someone/something attempts to create a file or folder that's not allowed they could be returned "Access Denied" or another Win32 error of your choice.

If you did go down the route of using a driver, I'd guess it'd still be best to do the heavy lifting of deciding if the creation/modification in the service, i.e. outside of Kernel mode.

Rob 2010-02-19 16:17:26

@Rob: I don't like this. It looks unfun. The less I like it, the more likely it is that this is the best method.

Joel Etherton 2010-02-19 16:51:41

Yeah, unfun. Should also be interesting trying to estimate it.

JeffH 2010-02-19 16:58:47

@Joel, that comment is QOTD worthy! ;)

Rob 2010-02-19 19:19:52

Joel - what the heck are you doing on this forum? It's your old soccer buddy Cesar. Sorry I have no answer for your question - I just ran across your post while searching for something else.

Cesar 2010-03-09 21:33:35

@Cesar: Eh, I'm a programmer :) Got pointed to this site a couple of months ago and have just been lurking around answering questions mostly. Some interesting problems to solve on here. What have you been up to?

Joel Etherton 2010-03-10 03:34:56

@JoelInvariably, I fall into this site when I'm searching for stuff for my work too. Just hapened again (searching for encryption stuff re: AES-CBC). I'm no longer in Ohio except for the odd trip back but I'll call you one of these days.

Cesar 2010-03-17 18:51:57

ansaurus

tags:

views:

answers:

How could I prevent a folder from being created using a windows service?

related questions