windows kernel minifilter filter-driver

How can I get the referenced original file name in a minifilter when I do 'Save As'?


I made a solution that blocks save & save as by file name using a minifilter driver.

Save blocking is OK, but I can't block save as by file name.

I expected to get the original name from 'PFLT_CALLBACK_DATA' or 'PFLT_CALLBACK_DATA' at IRP_MJ_WRITE.

How can I get the referenced original file name in a minifilter when I do 'Save As'?


Solution

  • There is no way to get the original file name directly, but you can try the ways below.

    1. Track IRP_MJ_READ of the original file per process.

      Once a process reads your original file, the process can't write any file until it's terminated.

    2. Monitor the [Save as] dialog in user mode like below.

      • Find [Save as] dialog by

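        // "#32770" is the standard dialog window class; TEXT() keeps this compiling in Unicode builds
        HWND hWnd = ::FindWindow(TEXT("#32770"), TEXT("Save As"));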

      • Enumerate the sub windows, check their class names and get the original file path from their window names.

        The text of the window whose class name is 'ToolbarWindow32' contains the parent directory path of the original file.

        The text of the window whose class name is 'Edit' contains the name of the original file.

      • Cancel [Save As] dialog by

        ::PostMessage(hWnd, WM_COMMAND, MAKEWPARAM(IDCANCEL, BN_CLICKED), NULL);
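
The bookkeeping behind approach 1 in the answer above, as an added example that is not part of the original answer or of any real driver. It is a portable C model: the function names, the fixed-size table and the protected path are assumptions made for illustration, and in a minifilter they would be driven by the IRP_MJ_READ and IRP_MJ_WRITE callbacks and a process-exit notification.

```c
#include <ctype.h>
#include <stdbool.h>

#define MAX_TRACKED 64
/* PIDs that have read the protected file; 0 marks a free slot. */
static unsigned long g_tainted[MAX_TRACKED];
/* Constructed sample path, not taken from the page. */
static const char *g_protected = "\\Device\\HarddiskVolume2\\docs\\secret.docx";

/* NT file names compare case-insensitively. */
static bool same_name(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++))
            return false;
    }
    return *a == *b;
}

static int find_slot(unsigned long pid) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (g_tainted[i] == pid) return i;
    return -1;
}

/* Read seen: remember the process if it read the protected file.
 * Returns false when the table is full so the caller can fail closed. */
bool on_read(unsigned long pid, const char *path) {
    if (pid == 0 || !same_name(path, g_protected) || find_slot(pid) >= 0)
        return true;
    int free_slot = find_slot(0);
    if (free_slot < 0) return false;
    g_tainted[free_slot] = pid;
    return true;
}

/* Write about to happen: true means the driver should deny it. The target
 * name is never consulted, which is why a renamed Save As is also covered. */
bool should_block_write(unsigned long pid) {
    return pid != 0 && find_slot(pid) >= 0;
}

/* Process exit: forget the PID so a later process reusing it is not blocked. */
void on_process_exit(unsigned long pid) {
    int i = find_slot(pid);
    if (i >= 0 && pid != 0) g_tainted[i] = 0;
}
```

The model only covers writes issued by the process that performed the read; data handed to a different process is outside what this table tracks.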