Callback Technologies Knowledge Base

CBFS Filter Articles:


Why don't the GetOriginator*() methods work in OnFileOpenN and OnFileCreateN?

To keep the size of the operation log as small as possible, CBFS Filter doesn't store supplementary information about filesystem events for notifications. You ne…

How can I create a file in a directory protected with the ReadOnly access rule?

Use the CBFSFilter::CreateNonCbFile() method. When calling the method, combine FILE_FLAG_BACKUP_SEMANTICS, FILE_ATTRIBUTE_DIRECTORY, and FILE_FLAG_POSIX_SEMANTIC…

How can I have a directory as read-only and its subdirectories as read-write?

You need to set the following rules (in C++ syntax below): CallbackFilter::AddFilterAccessRule("C:\\ReadOnly\\*.*",CallbackFilter::ReadOnly); CallbackFilter::Add…

How do I prevent file deletion using callback rules?

Files are deleted by opening the file with the DeleteOnClose flag set, then closing the file. You need to handle the file open operation using the AddFilterCallb…

Why does my process not receive events on mapped network drives?

CBFS Filter can intercept requests that either originate on the local computer (i.e. the system CBFS Filter works on) or come to this system for processing. It c…

Is there any integrity check of what process is using CBFS Filter?

CBFS Filter driver will accept any valid requests from any process. The best it can do is to check the caller process' EXE name (this can be done by issuing EXE-…

Can I check integrity of the caller process?

As described in this question, you can perform checks in OnOpenFile/OnCreateFile callbacks / event handlers. Authenticode signature of the process' main EXE fil…

Can I check which process accesses the file?

CBFS Filter offers flexible mechanisms to check the caller process. What you need to do is handle file creation and opening requests (add callback rules for OnOp…

Do we need to install CBFS Filter driver after each restart of computer?

The installation is performed once and this is usually done in the application installer, not in the application itself. However, you add rules and activate the …

Can I obtain the name of a user that accesses a shared folder?

Suppose you have shared the folder on the computer CBFS Filter works on. To get the name of the user, you need to share this folder for named access (not anonymo…

How do I track file copying?

There's no such file system operation as file copying. The copy operation involves: file_open_for_reading, file_open_for_writing, read, write, and two file_clos…

How do I know which user initiated a file system event?

Use the GetOriginatorToken method of the CBFS Filter class to get the security token of the process. You can use the security token to retrieve various security-…

In some cases I get the file name in ALL CAPS. What's wrong?

The file name is reported in the same format that was passed to the OS by the calling application. The caller can use short or long path names (or combine them) …

How do I monitor files in a folder but not its subfolders?

CBFS Filter supports pass-through rules. These rules let you specify masks for which matching files are not handled using other rules (i.e., are excluded from fi…

I get BSOD with the error code NO_MORE_IRP_STACK_LOCATIONS (35). What's that?

When network disks are monitored, BSOD with error code NO_MORE_IRP_STACK_LOCATIONS (35) is reported. This happens when multiple filters (over 3) are installed du…

How do I hide a folder?

First, note that hiding a folder with CBFS Filter doesn't remove its contents from the disk. The data remains available if the user boots in safe mode or another…

Can I create files and folders that don't really exist on the disk, using CBFS Filter?

Version 3 of CBFS Filter supports the creation of virtual files and directories. There is an additional parameter present in the Create/Open file callback. It s …

How can I attach a filter to a USB drive?

If the device is already present in the system and has some drive letter, then you just attach the filter to the drive as you do with a regular drive. However, i…

The OS caches the data read from the file and decrypted by CBFS Filter. How do I prevent this?

A file data cache is always used by the OS and its file system manager. You can't disable it or prevent the data from being placed into the cache. Before the app…

Why doesn't GetOriginatorProcessName return some process names?

If the GetOriginatorProcessName() method returns false, check the error code using the GetLastError() function from the Windows API. If the buffer is too small, …

I need to monitor file operations on the server. Is this possible with CBFS Filter?

When you need to track the file operations that are performed on a remote system (usually a file server), you need to understand the specifics and limitations of…

Is CBFS Filter a minifilter driver?

CBFS Filter can be installed and used in both legacy and minifilter modes. Please note that in the minifilter mode you need to register and obtain from Microsoft…

Can I use GetOriginator* functions in asynchronous notifications?

In asynchronous notifications, only the process name and process Id are available and can be retrieved. OriginatorToken is not available. The reason is that the …

What is the difference between the OnCreateFileC and OnOpenFileC callbacks?

The differences between the OnCreateFileC and OnOpenFileC callbacks

What callbacks must be implemented for virtual files to work?

You need to implement the OnReadFileC and OnWriteFileC callbacks in order to handle reading and writing requests for a file. Optionally, you can handle OnCloseFi…

Is it possible to create nested virtual directories?

Yes, you can create virtual hierarchies of directories and files, just remember that no "real" file can be placed (created in or moved to) the virtual directory.…

Is it possible to create a "real" file in a virtual directory or move an existing file to the virtual directory?

No, since virtual directories don't really exist on the disk, a file can't be created or moved to a place that doesn't exist.…

File Deletion in CBFS Filter

How file deletion works and how to track it

FileSystemWatcher and ReadDirectoryChangesW vs. CBFS Filter

CBFS Filter enables you to emulate FileSystemWatcher, and much more.