Geek Answers Handbook

FIleSytemCall interception to remove

Is there a way to detect file deletion before windows perform deletion? I found the FileSystemWatcher class, but the event only occurs after the delete action is completed, but I want to catch the delete action after the user / process wants to delete it. You can control the file system table, but are looking for a better approach. Thank you for your help.

0
windows visual-c ++ operating-system
source share
3 answers

I think the easiest way is to use the hook to get notified (and eventually stop) the process. This is not possible in .NET, so you need DllImport to create many structures and several functions for P / Invoke.

Start your work with the NtSetFileInformation (undocumented) function. This is a function that is called by something else when a file needs to be deleted (using the FileDispositionInformation structure).

Now the problem is how to connect this function (good luck, it's not easy). A good choice would be to use Microsoft Detours . Take a look at this article for an example. His problem is that it is not free. An alternative solution (with a reasonable price and with the .NET interface) is Deviare , but I have never tried even their free version, I know how good it is. If anyone else knows a good interception tool ...

+1
source share

You need a file system filter driver. However, I highly recommend that if you don't know the answer, you probably shouldn't.

http://msdn.microsoft.com/en-us/library/windows/hardware/gg462968.aspx

+1
source share

Or maybe try the ICopyHook interface.

http://msdn.microsoft.com/en-us/library/windows/desktop/bb776049%28v=vs.85%29.aspx

In CopyCallback, use the FO_DELETE parameter in the wFunc parameter to indicate the delete operation.

Inconvenience: Prevent uninstall only in Windows Shell

0
source share

More articles:


All Articles