Which callbacks should I define in Driver.c for USB kernel mode driver for interception of file events for: reading from file, writing to file and deletion of file? RRS feed

  • Question

  • Hi! I need to develop USB kernel mode driver which intercepts file events for reading from file, writing to file and deletion of file that is located on USB. After interception my driver must check the file name. If the file name contains at least one digit then my driver must lock the file from reading from it  and writing to it. I have the following DriverEntry callback in Driver.c

    NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT  DriverObject, _In_ PUNICODE_STRING RegistryPath)
    	WDF_DRIVER_CONFIG config;
    	NTSTATUS status;
    	WDF_OBJECT_ATTRIBUTES attributes;
    	// Initialize WPP Tracing.
    	WPP_INIT_TRACING(DriverObject, RegistryPath);
    	// Register a cleanup callback so that we can call WPP_CLEANUP when
    	// the framework driver object is deleted during driver unload.
    	attributes.EvtCleanupCallback = MyFirstUSBKernelModeDriverEvtDriverContextCleanup;
    	WDF_DRIVER_CONFIG_INIT(&config, MyFirstUSBKernelModeDriverEvtDeviceAdd);
    	status = WdfDriverCreate(DriverObject, RegistryPath, &attributes, &config, WDF_NO_HANDLE);
    	if (!NT_SUCCESS(status)) {
    		TraceEvents(TRACE_LEVEL_ERROR, TRACE_DRIVER, "WdfDriverCreate failed %!STATUS!", status);
    		return status;
    	return status;
    Which events calbacks I should define in Driver.c and register inside body of DriverEntry? And how? I'm newbie in driver development and appreciate any help very high.

    Wednesday, April 15, 2015 3:26 PM


  • You cannot capture file events at the USB driver level.  File events are handled at the file system level and you need a file system mini-filter to capture them.  You can create a mini-filter that will check if the device below it is connected to a USB bus.

    Don Burn Windows Driver Consulting Website:

    Wednesday, April 15, 2015 3:30 PM

All replies