Windows Filesystem Minifilter Drivers: can I monitor and prevent FS operations using them?

∥☆過路亽.° submitted on 2019-12-11 13:59:12

Question


I need to:
1. Monitor operations on certain drives/paths
2. Prevent read and/or write operations on certain drives/paths
For example:

C://Users
D:

Can this be done using Windows Filesystem Minifilter Drivers?

I am mostly interested in step 2. In other words, can a minifilter cancel an IRP?


Answer 1:


Yes, this is all possible with a filesystem mini filter driver.

For #1 you don't need a mini filter driver; you could use a Win32 API like ReadDirectoryChangesW.

For #2 you can not only do that but you can also modify what gets read/written, even of different size.

You can get started here.




Answer 2:


Raymond Chen, who is a long-time Windows developer, addressed a version of this question on his blog - he would recommend using ACLs for preventing operations rather than trying to get code to run to stop it. See his post on this for some thoughts...
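
Added example, not part of the original answers: a sketch of the ACL approach recommended above, pairing a deny ACE (prevention) with an audit ACE (monitoring) on one directory. The path `D:\Protected` and the group `EXAMPLE\RestrictedUsers` are hypothetical placeholders; run from an elevated session.

```powershell
# Added example (not from the original post). $Path and $Identity are
# hypothetical placeholders; substitute a real directory and principal.
param(
    [string]$Path     = 'D:\Protected',
    [string]$Identity = 'EXAMPLE\RestrictedUsers'
)

# Apply to the directory itself and inherit to all child files and folders.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'

# Prevention: an explicit deny ACE is evaluated before allow ACEs, so it wins
# even if the principal is granted write access through another group.
# Caveat: denying a broad group such as BUILTIN\Users also affects
# administrators, because their tokens contain that group too.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, $rights, $inherit, $propagate,
    [System.Security.AccessControl.AccessControlType]::Deny)

# Monitoring: an audit ACE in the SACL records both successful and failed
# attempts to use the same rights. Events are only written when the
# "File System" audit subcategory is enabled, for example with:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity, $rights, $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit loads the SACL as well as the DACL (needs SeSecurityPrivilege).
$acl = Get-Acl -LiteralPath $Path -Audit
$acl.AddAccessRule($deny)
$acl.AddAuditRule($audit)
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify that both entries are present after the write.
$check = Get-Acl -LiteralPath $Path -Audit
$check.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
$check.Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags
```

With auditing enabled, the resulting records appear in the Security event log (object-access events such as 4656 and 4663).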




Answer 3:


I would suggest using the Detours library to handle this task.



Source: https://stackoverflow.com/questions/2849790/windows-filesystem-minifilter-drivers-can-i-monitor-and-prevent-fs-operations-u
