Msdn file system driver

File system filter drivers are comparable to legacy drivers, although they require several special development steps. Security, backup, snapshot, and anti-viruse software uses such drivers. It is an access point for any driver, including for file system filter driver. The first thing we should do is store DriverObject as a global variable we'll use it later :.

The next step in developing a file system filter driver is populating the IRP dispatch table with function pointers to IRP handlers. We'll have a generic pass-through IRP handler in our filer driver that sends requests further. We'll consider the implementation of IRP handlers later. Not setting up this table would lead to the system crashing.

In this case, IRP will be created. While developing a file system filter driver, we should register a notification about file system changes. Below you can see how to track file system changes. The final part of the file system driver initialization is setting an unload routine.

This routine will help you to load and unload your file system filter driver without needing to reboot. Nonetheless, this driver only truly becomes unloadable for debugging purposes, as it's impossible to unload file system filters safely.

It's not recommended to perform unloading in production code. The driver unload routine cleans up resources and deallocates them. The next step in file system driver development is unregistering the notification for file system changes.

After unregistering the notification, you should loop through created devices and detach and remove them. Then wait for five seconds until all outstanding IRPs have completed. Note that this is a debug-only solution. It works in the greater number of cases, but there's no guarantee that it will work in all of them.

The only responsibility of this IRP handler is to pass requests on to the next driver. The next driver object is stored in our device extension. Every file create operation invokes this IRP handler. After that, we call the pass-through handler that we've described above. There also exist relative opens as well as opens by id. In third-party resources, you can find more details about retrieving file names in those cases.

Below you can find an example of a common pass-through function:. We should delete our filter device after detaching it from the file system device stack. Below you can find example code demonstrating how to easily manage this request:. Volume devices are attached to the storage device stack.

In this article. A file system driver based on the Windows inbox FastFAT file system used as a model for new file systems. This filter is a transaction-aware file scanner that examines data in files.

Anti-virus might operate in this fashion. Change File System Minifilter Driver. Ctx File System Minifilter Drive. Demonstrates how to attach contexts to instances, files, streams, and stream handles in your minifilter. Delete File System Minifilter Driver. Serves as an example of how to use files for storing metadata that corresponds to your minifilters. This request is most often used for floppy drives. After performing the requested operation, the file system driver or recognizer should complete the IRP.

The IRP is shown as Irp. The driver can use the information that is set in the following members of the IRP and the IRP stack location in processing a file system control request:. SystemBuffer Pointer to a system-supplied input buffer to be passed to the file system or file system filter driver for the target volume. Whether this parameter is required depends on the specific file system control code. DeviceObject Pointer to the device object for the actual device on which the volume is to be mounted.

File system filter drivers should not use this parameter. Vpb Pointer to the volume parameter block VPB for the volume to be mounted. File systems that support removable media might substitute a previously used VPB for the one passed in this parameter.