Callback Technologies Knowledge Base

CBFS Filter Articles:


Does CBFS Filter include any patented technologies?

CBFS Filter itself doesn't include patented technologies. However, there exist several US patents ( US5937406 , US7502782 , US8224837 , maybe more) which you can…

GetOriginator*() methods don't work in OnFileOpenN and OnFileCreateN. Why is it so?

To keep the size of the operation log as small as possible, CBFS Filter doesn't store supplementary information about filesystem events for notifications. You ne…

How can I create a file in a directory protected with ReadOnly access rule?

Use CBFSFilter::CreateNonCbFile() method. When calling the method combine FILE_FLAG_BACKUP_SEMANTICS, FILE_ATTRIBUTE_DIRECTORY and FILE_FLAG_POSIX_SEMANTICS in F…

How can I have the directory read-only and its subdirectories as read-write?

You need to set the following rules (C++ syntax below): CBFSFilter::AddFilterAccessRule( span class= span class= CBFSFilter::AddFilterAccessRule( span class= spa…

How do I prevent file deletion using callback rules?

Files are deleted by opening the file with DeleteOnClose flag set, then closing the file. You need to handle file open operation using AddFilterCallbackRule() me…

Why does my process not receive events on mapped network drives?

CBFS Filter can intercept requests that either originate on the local computer (i.e. the system CBFS Filter works on) or come to this system for processing. It c…

Is there any integrity check of what process is using CBFS Filter?

CBFS Filter driver will accept any valid requests from any process. The best it can do is to check the caller process' EXE name (this can be done by issuing EXE-…

Can I check integrity of the caller process?

As described in this question , you can perform checks in OnOpenFile/OnCreateFile callbacks / event handlers. Authenticode signature of the process' main EXE fil…

Can I check which process accesses the file?

CBFS Filter offers flexible mechanisms to check the caller process. What you need to do is handle file creation and opening requests (add callback rules for OnOp…

Do we need to install CBFS Filter driver after each restart of computer?

The installation is performed once and this is usually done in the application installer, not in the application itself. However, you add rules and activate the …

Can I obtain the name of the user, that accesses a shared folder?

Suppose you have shared the folder on the computer where CBFS Filter works. To get the name of the user, you need to share this folder for named access (not anon…

How do I track file copying?

There's no such file system operation as file copying. The copy operation involves: file_open_for_reading, file_open_for_writing, read, write and two file_close …

How do I know which user initiated the filesystem event?

Use GetOriginatorToken() method of CBFS Filter class to get the security token of the process. You can use the security token to retrieve various security-relate…

In some cases I get the file name in ALL CAPS. What

The file name is reported in the same format it was passed to the OS by the calling application. The caller can use short or long path names (or combine them) an…

How do I monitor files in the folder but not its subfolders?

Starting with version 2.2 CBFS Filter supports pass-through rules. These rules let you specify masks, for which matching files are not handled using other rules …

I get BSOD with error code BSOD with error code NO_MORE_IRP_STACK_LOCATIONS (35). What's that?

I get BSOD with error code BSOD with error code NO_MORE_IRP_STACK_LOCATIONS (35). What

How do I hide a folder?

First you need to realize that hiding a folder with CBFS Filter doesn't remove its contents from the disk. The data remains available if the user boots in safe m…

Can I create files and folders, that don't really exist on the disk, using CBFS Filter?

Version 3 of CBFS Filter supports creation of virtual files and directories. There is an additional parameter present in Create/Open file callback. It s a Boolea…

How can I attach a filter to USB drive?

If the device is already present in the system and has some drive letter, then you just attach the filter to the drive as you do with a regular drive. However, i…

The OS caches the data read from the file and decrypted by CBFS Filter. How do I prevent this?

File data cache is always used by the OS and its file system manager. You can't disable it or prevent the data from being placed into the cache. However, this is…

Why doesn't GetOriginatorProcessName return some process names?

If GetOriginatorProcessName() method returns false, check the error code using GetLastError() function from Windows API. If the buffer is too small, increase the…

I need to monitor file operations on the server. Is this possible with CBFS Filter?

When you need to track the file operations that are performed on the remote system (usually a file server), you need to understand the specifics and limitations …

Is CBFS Filter a mini-filter driver?

Starting with the version 3.1, CBFS Filter can be installed and used in both Legacy and Mini-filter modes. Please note that in the mini-filter mode you need to r…

Can I use GetOriginator* functions in notifications (which are asynchronous)?

In asynchronous notifications, only Process name and Process ID are available and can be retrieved. OriginatorToken is not available. The reason is that the Proc…

What is the difference between OnCreateFileC and OnOpenFileC callback?

The differences between OnCreateFileC and OnOpenFileC callback

What callbacks must be implemented for virtual files to work?

You need to implement OnReadFileC and OnWriteFileC callbacks in order to handle reading and writing requests for a file. Optionally, you can handle OnCloseFileC …

Is it possible to create nested virtual directories?

Yes, you can create virtual hierarchies of directories and files, just remember that no "real" file can be placed (created or moved to) in the virtual directory.…

Is it possible to create a "real" file in a virtual directory or move an existing file to the virtual directory?

No, since virtual directories don't really exist on the disk, the file can't be created or moved to the place that doesn't exist.…

File Deletion in CBFS Filter

How file deletion works and how to track it

FileSystemWatcher and ReadDirectoryChangesW vs. CBFS Filter

CBFS Filter is a developer component that monitors and controls disk activity, tracks file and directory operations, alters file data, encrypts files, and much m…