What is the IRP message generated on file delete in a filter driver?

  • Question

  • I am trying to create a filter driver to block file deletion operations, but I can't identify the IRP message on deleting files.

    I worked with the code below; it works in Windows 7 but not in Windows 8 or later.

    if (pIrp->MajorFunction == IRP_MJ_WRITE || pIrp->MajorFunction == IRP_MJ_SET_INFORMATION ||
        pIrp->MajorFunction == IRP_MJ_SET_VOLUME_INFORMATION || pIrp->MajorFunction == IRP_MJ_SET_SECURITY)
    {
        DbgPrint("fdrv :Read only operation block");
        pIrp->IoStatus.Status = STATUS_ACCESS_DENIED; // Deny access
        pIrp->IoStatus.Information = 0;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);     // complete the IRP here instead of passing it down
        return STATUS_ACCESS_DENIED;
    }

    • Edited by Nikhil V S Friday, June 15, 2018 8:42 AM
    Friday, June 15, 2018 8:41 AM


All replies

  • Of Filesystems And Other Demons: File Deletion lists many ways to delete files. The code you posted doesn't check for FILE_DELETE_ON_CLOSE in IrpSp->Parameters.Create.Options of IRP_MJ_CREATE. OSR's ntfsd List: Cannot capture DELETE operation in Windows 8 Release Preview says Windows 8 uses FILE_DELETE_ON_CLOSE more than earlier versions did.

    You may want to block destructive renames of other files, too.

    Friday, June 15, 2018 2:29 PM
  • Thank you.

     I made some changes in my code:


    if (irpSp->Parameters.Create.Options & FILE_DELETE_ON_CLOSE)
    {
        DbgPrint("APFD FILE_DELETE_ON_CLOSE create while delete  \n");
        Irp->IoStatus.Status = STATUS_ACCESS_DENIED; // Deny access
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);     // complete the create IRP here instead of passing it down
        return STATUS_ACCESS_DENIED;
    }
    Is this code perfect? Otherwise, please help me. I am a beginner in filter driver development.

    Monday, June 18, 2018 6:29 AM
  • I'm not a file system expert but that code seems OK to me, except…

    1. Your driver is a legacy file system filter. You should rewrite it as a file system minifilter. Current versions of Windows can be configured to block legacy file system filters, and future versions of Windows might not allow them at all.
    2. I assume your driver runs this code before it passes the IRP down (i.e. in pre-create), so that the file system has not yet seen the FILE_DELETE_ON_CLOSE flag. How does your driver check whether the file being opened is the one that needs to be protected? If the driver only looks at the path string, it may be possible to circumvent this check by using the stream type syntax, a relative open, or open by file ID.
    Monday, June 18, 2018 7:39 AM
  • Thanks for your great reply.

    But I am a little bit confused about this. If you don't mind, can you provide any sample code to do this? It would be a great help for me.

    Thanks for your support.

    • Edited by Nikhil V S Monday, June 18, 2018 10:57 AM
    Monday, June 18, 2018 9:27 AM
  • Take a look at the delete mini-filter sample; it shows how to detect deletion of a file or a stream. Your logic is going to have to be more complex than what you are currently thinking: you can't just stop all deletes, you need to stop deletion of the files you care about. That is going to mean, in a Create post-operation, getting the name and deciding if this is a file you care about, then failing any operation that would delete a file that you care about.

    Don Burn Windows Driver Consulting Website:

    Monday, June 18, 2018 12:37 PM
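  • The two replies above together describe the decision a delete-blocking filter has to make: recognise every delete path (FILE_DELETE_ON_CLOSE at create time, and the disposition classes in IRP_MJ_SET_INFORMATION), then deny only for the protected file, matched on the normalized name rather than the caller's path string. The following is an added example, not code from this thread or from Microsoft's delete minifilter sample: a user-mode C model of that decision so it can be unit-tested off-box. The constant values are the real ones from the Windows headers; the IoParams struct and the function names IsDeleteRequest and ShouldDenyDelete are stand-ins for the fields a driver reads from FLT_CALLBACK_DATA->Iopb.

```c
/* Added example, not code from this thread or Microsoft's delete sample: a
 * user-mode model of a minifilter's delete decision. Constants carry the real
 * header values; IoParams and both functions stand in for FLT_CALLBACK_DATA->Iopb. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#define IRP_MJ_CREATE                0x00
#define IRP_MJ_SET_INFORMATION       0x06
#define FILE_DELETE_ON_CLOSE         0x00001000u
#define FileDispositionInformation   13
#define FileDispositionInformationEx 64
#define FILE_DISPOSITION_DELETE      0x00000001u
typedef struct {
    uint8_t  MajorFunction;
    uint32_t CreateOptions;        /* Parameters.Create.Options, low 24 bits */
    uint32_t FileInformationClass; /* Parameters.SetFileInformation.FileInformationClass */
    uint32_t DispositionFlags;     /* FILE_DISPOSITION_INFORMATION.DeleteFile or _EX.Flags */
} IoParams;

/* True when the operation, if allowed, deletes the file at completion or on close. */
bool IsDeleteRequest(const IoParams *p)
{
    switch (p->MajorFunction) {
    case IRP_MJ_CREATE:
        /* Delete requested at open time; Windows 8+ takes this path far more often. */
        return (p->CreateOptions & FILE_DELETE_ON_CLOSE) != 0;
    case IRP_MJ_SET_INFORMATION:
        if (p->FileInformationClass == FileDispositionInformation)
            return p->DispositionFlags != 0;            /* DeleteFile == TRUE */
        if (p->FileInformationClass == FileDispositionInformationEx)
            return (p->DispositionFlags & FILE_DISPOSITION_DELETE) != 0;
        return false;
    default:
        return false;                                   /* writes etc. are not deletes */
    }
}

static bool EqualsIgnoreCase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Deny only deletes of the protected file, matched case-insensitively on the normalized
 * name captured in post-create, not the raw path (stream syntax, relative opens, open-by-ID). */
bool ShouldDenyDelete(const IoParams *p, const char *normalizedName, const char *protectedName)
{
    return IsDeleteRequest(p) && EqualsIgnoreCase(normalizedName, protectedName);
}
```

    In a real minifilter the pre-create and pre-set-information callbacks would return FLT_PREOP_COMPLETE with Data->IoStatus.Status set to STATUS_ACCESS_DENIED when ShouldDenyDelete is true; the model only makes the decision.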
  • Thank you @ranta

    Now it's working.

    Wednesday, June 20, 2018 7:46 AM