TechQA.

Minifilter prevent new file created with warning dialog

1.1k views Asked by At

I has written a minifilter in kernel mode. I want to prevent creating a new file on USB. But when I used:

[CODE]
    FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
    Data->IoStatus.Status = STATUS_ACCESS_DENIED; 
    Data->IoStatus.Information = 0;
    return FLT_PREOP_COMPLETE;
[CODE]

=> I could prevent creating a new file. But It always show warning dialog. What should i do to NOT show this dialog?

UPDATED: 2014/12/22
I am writing a fs minifilter driver for an sittuation. When User drag & drop a file or folder to USB (example H:)

  1. The driver will get file's information;
    ==> Done

  2. The driver will delete this file or folder (No file/ folder will be created on USB)
    - I just want to catch event to start app (3)
    - The files will be deleted before created on USB.
    **==> Done

  3. Do something.

=> Please give me an advice for this sittuation? Thanks a lot!

filesystems driver pass-through minifilter
Original Q&A
2

There are 2 answers

0
GSP On BEST ANSWER

Now I could solve my issue by redirect open another file

  1. First, define new unicode string newfile = "abcdef.txt";

  2. Using FltGetFileNameInformation to get file name information

  3. Using FltParseFileNameInformation to pares it.

  4. Get file name which format : \Device\HarddiskVolume1[path_to_file]filename[.ext]

  5. Then, split it to part: \Device\HarddiskVolume1[path_to_file] and filename[.ext]

  6. Append newfile to first part: \Device\HarddiskVolume1[path_to_file]abcdef.txt

  7. Now I will open new file instead of old file as following:

    // Get old file name

    PUNICODE_STRING pFileName = &Data->Iopb->TargetFileObject->FileName;

    // Free release buffer

    ExFreePool(pFileName->Buffer);

    // Re-allocate buffer pFileName->Length = 0; pFileName->MaximumLength = redirectTargetFile.MaximumLength; pFileName->Buffer = (PWSTR) ExAllocatePool(NonPagedPool, pFileName->MaximumLength);

    // Assign new file name for it RtlCopyUnicodeString(pFileName, &unicode_string_new_file_name); // Tell the kernel to reparse this file open so it uses the new file path

    Data->IoStatus.Information = IO_REPARSE; Data->IoStatus.Status = STATUS_REPARSE; Data->Iopb->TargetFileObject->RelatedFileObject = NULL;

    FltSetCallbackDataDirty(Data); return FLT_PREOP_SUCCESS_WITH_CALLBACK;


Reference http://www.codingnotebook.com/2013/05/redirect-file-open-using-windows.html

4
Eugene Mayevski 'Callback On

No you can't -- it's the originator of the request that decides how to react to the denied access. Potentially you could allow opening but prevent any writes, but this would confuse the application and the user.

Related Questions in FILESYSTEMS

Related Questions in DRIVER

Related Questions in PASS-THROUGH

Related Questions in MINIFILTER

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions