Intercept subdirectory creation in the minifilter driver

Hi, All
Is there any way to intercept subdirectory creation in the minifilter driver
preoperation (or postoperation) callback routine? I track all calls with
MajorFunction == IRP_MJ_WRITE but when subdirectory is created, DesiredAccess
(Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess) value is set
to 0x100001 (FILE_READ_DATA/FILE_LIST_DIRECTORY | SYNCHRONIZE) and any write
access is not specified.

Thanks, Eugene.

Thanks, Don,
Sorry for mistake, of course i'm tracking calls with IRP_MJ_CREATE.

"Don Burn" wrote:

> Directories are created with IRP_MJ_CREATE so I am not sure why you are
> looking at write calls. If you are not aware file system questions are
> best answered on the NTFSD forum hosted at http://www.osronline.com/ That
> is the list where all the file system people (including a number from
> Microsoft) hang out.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>

You need to inspect the create disposition, not the desired access. Search
for disposition here:

http://msdn.microsoft.com/en-us/libr...30(VS.85).aspx

And follow the link to see the available options.

You can see the FASTFAT source for an example of extracting the disposition
from the create options.

(Also, Don's advice of going to NTFSD is good)

-scott

--
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


"Eugene" <> wrote in message
news:B73FE3C3-B3CE-4BAC-9A87-...
> Thanks, Don,
> Sorry for mistake, of course i'm tracking calls with IRP_MJ_CREATE.
>
> "Don Burn" wrote:
>
>> Directories are created with IRP_MJ_CREATE so I am not sure why you are
>> looking at write calls. If you are not aware file system questions are
>> best answered on the NTFSD forum hosted at http://www.osronline.com/
>> That
>> is the list where all the file system people (including a number from
>> Microsoft) hang out.
>>
>>
>> Don Burn (MVP, Windows DKD)
>> Windows Filesystem and Driver Consulting
>> Website: http://www.windrvr.com
>> Blog: http://msmvps.com/blogs/WinDrvr
>>
>
>

Thank you very much, Done!

All works fine.

Eugene

"Scott Noone" wrote:

> You need to inspect the create disposition, not the desired access. Search
> for disposition here:
>
> http://msdn.microsoft.com/en-us/libr...30(VS.85).aspx
>
> And follow the link to see the available options.
>
> You can see the FASTFAT source for an example of extracting the disposition
> from the create options.
>
> (Also, Don's advice of going to NTFSD is good)
>
> -scott
>
> --
> Scott Noone
> Consulting Associate
> OSR Open Systems Resources, Inc.
> http://www.osronline.com