I need to:
1. Monitor operations on certain drives/paths
2. Prevent read and/or write operations on certain drives/paths
For example:

C://Users
D:

Can this be done using Windows Filesystem Minifilter Drivers?

I am mostly interested in step 2. In other words, can a minifilter cancel an IRP?

+1  A: 

Yes, this is all possible with a filesystem mini filter driver.

For #1 you don't need a mini filter driver; you could use a Win32 API like ReadDirectoryChangesW.

For #2 you can not only do that but you can also modify what gets read/written, even of different size.

You can get started here.

Brian R. Bondy
ty. My reason for using minifilters for 1. is that ReadDirectoryChangesW reports access operations delayed by 1d (XP) or 1h (Vista+)
clyfe
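As an added illustration (not code from the answer above or from any real driver), here is a user-mode C model of the allow/deny decision a minifilter pre-operation callback would make for the two requirements in the question. The volume names, rule table and the `op`/`verdict` types are hypothetical stand-ins; in an actual minifilter the path would come from `FltGetFileNameInformation`, and a deny would be expressed by setting `Data->IoStatus.Status = STATUS_ACCESS_DENIED` and returning `FLT_PREOP_COMPLETE`.

```c
/* User-mode model of a minifilter pre-operation decision (constructed example).
 * In a real driver the path comes from FltGetFileNameInformation and a deny
 * means: Data->IoStatus.Status = STATUS_ACCESS_DENIED; return FLT_PREOP_COMPLETE. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

enum op { OP_READ = 1, OP_WRITE = 2 };        /* stand-ins for IRP_MJ_READ / IRP_MJ_WRITE */
enum verdict { PASS_THROUGH = 0, DENY = 1 };  /* stand-ins for the two pre-op outcomes */

struct rule { const char *prefix; int blocked_ops; };

/* Constructed policy: the volume device names are hypothetical. */
static const struct rule RULES[] = {
    { "\\Device\\HarddiskVolume2\\Users", OP_WRITE },            /* C:\Users is read-only */
    { "\\Device\\HarddiskVolume3",        OP_READ | OP_WRITE },  /* all of D: is blocked */
};

/* Case-insensitive prefix match that only succeeds on a path-component
 * boundary, so a rule for "\Users" does not also cover "\UsersBackup". */
static int under_prefix(const char *path, const char *prefix)
{
    size_t i = 0;
    for (; prefix[i] != '\0'; i++) {
        if (path[i] == '\0') return 0;
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i])) return 0;
    }
    return path[i] == '\0' || path[i] == '\\';
}

enum verdict pre_op_decision(const char *nt_path, enum op requested)
{
    for (size_t r = 0; r < sizeof RULES / sizeof RULES[0]; r++) {
        if (under_prefix(nt_path, RULES[r].prefix) && (RULES[r].blocked_ops & requested)) {
            /* Requirement 1 (monitoring): a driver would record the attempt here. */
            return DENY;
        }
    }
    return PASS_THROUGH;
}

int main(void)
{
    const char *p = "\\Device\\HarddiskVolume2\\users\\bob\\notes.txt"; /* constructed path */
    printf("write %s -> %s\n", p, pre_op_decision(p, OP_WRITE) == DENY ? "DENY" : "PASS");
    printf("read  %s -> %s\n", p, pre_op_decision(p, OP_READ) == DENY ? "DENY" : "PASS");
    return 0;
}
```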
A: 

Raymond Chen, who is a long-time Windows developer, addressed a version of this question on his blog - he would recommend using ACLs for preventing operations rather than trying to get code to run to stop it. See his post on this for some thoughts...

Mike Kelly
[professional solutions](http://www.pgp.com/products/endpoint/index.html) seem to use drivers. Also, setting ACLs on endpoints programmatically is [hard-ish](http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks), and setting ACLs on, say, USB disks conditionally by serial number and other factors seems only doable by drivers.
clyfe