Tags: c, windows, driver, minifilter

Minifilter missing deleted files in particular scenarios Windows 10 1903 +


I have a minifilter driver that misses certain deletions of files; the problem lies with not knowing how they are deleted. This is the case for Windows 10 1903 and above. Tested on a pre-1809 build and it works fine.

For example MS C++ 2008 x86 redistributable https://www.microsoft.com/en-gb/download/details.aspx?id=29: on install, setup.exe extracts files to C:\{random GUID} (can be seen in the logs) and then installs. The files / directories get deleted afterwards, and I miss the IRP with the code below.

I currently monitor IRP_MJ_SET_INFORMATION with FileDispositionInformation for file deletions; you can test this by going to Explorer and pressing Shift + Delete.

Added IRP_MJ_CREATE for delete on close as well as per RbMm comments.

I also monitor for FileRenameInformation for moving or renaming files; again, this is working if you move/rename a file in Explorer.

My ideal solution would be to get the file on create and copy it to another location, but I am not too sure where to start with it. I have looked at some minifilter examples and cannot find where PreOperationCallback is used in an example to copy a freshly created file.

My other option is to try and understand how I get these deleted files with the example above. Is there any other FileInformationClass case that I might check to identify this kind of delete?

My code is below for PreOperationCallback:

FLT_PREOP_CALLBACK_STATUS PreOperationCallback(_Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID* CompletionContext)
{
  /* IRP-based I/O operation? */
  if (FLT_IS_IRP_OPERATION(Data)) {

    if (Data->Iopb->MajorFunction == IRP_MJ_CREATE) {

      /* delete-on-close: the file is removed when its last handle closes */
      if (Data->Iopb->Parameters.Create.Options & FILE_DELETE_ON_CLOSE) {
        DbgPrint("FILE_DELETE_ON_CLOSE");
        return process_irp(Data, FltObjects, CompletionContext, FALSE, FALSE);
      }

    } else if (Data->Iopb->MajorFunction == IRP_MJ_SET_INFORMATION) {

      switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {

      case FileDispositionInformation:
        // deleting a file we need to action
        if (((FILE_DISPOSITION_INFORMATION*) Data->Iopb->Parameters.SetFileInformation.InfoBuffer)->DeleteFile) {
          return process_irp(Data, FltObjects, CompletionContext, FALSE, FALSE);
        }
        break;

      case FileRenameInformation:
        // Process the request according to our needs e.g. copy the file
        return process_irp(Data, FltObjects, CompletionContext, FALSE, TRUE);
      }
    }
  }

  return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

Update - I just created a very simple C# app to create a file and delete it using File.Delete("C:\test.txt"); The driver is not picking this up in current codebase on 1903 builds and above.


Solution

  • You have to 'process_irp' for FileRenameInformationEx and FileDispositionInformationEx like below.

    switch (Data->Iopb->Parameters.SetFileInformation.FileInformationClass) {

     case FileDispositionInformation:
        // classic delete: InfoBuffer is FILE_DISPOSITION_INFORMATION { BOOLEAN DeleteFile }
        if (((FILE_DISPOSITION_INFORMATION*) Data->Iopb->Parameters.SetFileInformation.InfoBuffer)->DeleteFile) {
          return process_irp(Data, FltObjects, CompletionContext, FALSE, FALSE);
        }
        break;

     case 64/*FileDispositionInformationEx*/:
        // Ex variant: InfoBuffer is FILE_DISPOSITION_INFORMATION_EX { ULONG Flags };
        // the delete request is bit 0 (FILE_DISPOSITION_DELETE), other bits are options
        if (*(ULONG*) Data->Iopb->Parameters.SetFileInformation.InfoBuffer & 0x1/*FILE_DISPOSITION_DELETE*/) {
          return process_irp(Data, FltObjects, CompletionContext, FALSE, FALSE);
        }
        break;

     case FileRenameInformation:
     case 65/*FileRenameInformationEx*/:
       // Process the request according to our needs e.g. copy the file
       return process_irp(Data, FltObjects, CompletionContext, FALSE, TRUE);
    }
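To make the answer's point checkable without a WDK build, here is an added user-mode model (not the asker's or answerer's driver code) of the pre-operation classification it describes, covering delete-on-close, the classic FileDispositionInformation BOOLEAN and the FileDispositionInformationEx Flags word, plus a helper showing why reading the Ex buffer through the legacy struct misclassifies some requests. The IRP, information-class and flag constants are redefined locally and are assumed to match the values in ntifs.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed to match ntifs.h; redefined here so the model compiles in user mode. */
#define IRP_MJ_CREATE                    0x00
#define IRP_MJ_SET_INFORMATION           0x06
#define FILE_DELETE_ON_CLOSE             0x00001000
#define FileRenameInformation            10
#define FileDispositionInformation       13
#define FileDispositionInformationEx     64
#define FileRenameInformationEx          65
#define FILE_DISPOSITION_DELETE          0x00000001
#define FILE_DISPOSITION_POSIX_SEMANTICS 0x00000002

typedef struct { uint8_t  DeleteFile; } FILE_DISPOSITION_INFORMATION;    /* classic */
typedef struct { uint32_t Flags;      } FILE_DISPOSITION_INFORMATION_EX; /* 1903+ path */

typedef enum { ACTION_NONE, ACTION_DELETE, ACTION_RENAME } FileAction;

/* Classify one pre-operation the way the fixed switch in the answer should. */
FileAction classify_op(uint8_t major, uint32_t create_options,
                       uint32_t info_class, const void *info_buffer)
{
    if (major == IRP_MJ_CREATE)
        return (create_options & FILE_DELETE_ON_CLOSE) ? ACTION_DELETE : ACTION_NONE;
    if (major != IRP_MJ_SET_INFORMATION || info_buffer == NULL)
        return ACTION_NONE;
    switch (info_class) {
    case FileDispositionInformation: {
        const FILE_DISPOSITION_INFORMATION *fdi = info_buffer;
        return fdi->DeleteFile ? ACTION_DELETE : ACTION_NONE;
    }
    case FileDispositionInformationEx: {
        const FILE_DISPOSITION_INFORMATION_EX *fdx = info_buffer;
        return (fdx->Flags & FILE_DISPOSITION_DELETE) ? ACTION_DELETE : ACTION_NONE;
    }
    case FileRenameInformation:
    case FileRenameInformationEx:
        return ACTION_RENAME;
    default:
        return ACTION_NONE;
    }
}

/* Returns true when casting an Ex buffer to the legacy struct gives the wrong verdict. */
bool legacy_cast_misreads(uint32_t flags)
{
    FILE_DISPOSITION_INFORMATION_EX ex = { flags };
    FILE_DISPOSITION_INFORMATION legacy;
    memcpy(&legacy, &ex, sizeof legacy);          /* first byte of Flags, as the cast reads it */
    bool legacy_verdict = legacy.DeleteFile != 0;
    bool real_verdict   = (flags & FILE_DISPOSITION_DELETE) != 0;
    return legacy_verdict != real_verdict;
}
```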