Constants
All constants are accessible through the callback.CBFSFilter.Constants class.
Access Restriction Flags |
||
ACCESS_NONE | 0x00 |
No access restrictions.
|
ACCESS_READ_ONLY | 0x01 |
Read-only access; writing and deleting is prohibited.
|
ACCESS_WRITE_ONLY | 0x02 |
Write-only access; reading and deleting is prohibited.
|
ACCESS_DELETE_PROTECT | 0x04 |
Deletion and renaming is prohibited.
|
ACCESS_EXECUTE_PROTECT | 0x08 |
Execution is prohibited.
|
ACCESS_NO_CHANGE_DAC | 0x10 |
Change of security attributes is prohibited.
|
ACCESS_NO_CHANGE_OWNER | 0x20 |
Change of owner is prohibited.
|
ACCESS_RENAME_PROTECT | 0x40 |
Renaming is prohibited.
|
ACCESS_DELETE_ONLY_PROTECT | 0x80 |
Deletion is prohibited (renaming is not affected).
|
ACCESS_REMOTE_ACCESS_PROTECT | 0x100 |
Access from other systems is prohibited.
|
ACCESS_DENY_ALL | 0x200 |
All access is denied.
|
ACCESS_ALL_FLAGS | -1 |
Used to denote all currently set access restriction flags.
|
Filesystem Control Event Flags |
||
FS_CE_NONE | 0 |
Don't fire for any filesystem operations.
Control Events will not fire for any filesystem operations. |
FS_CE_BEFORE_CREATE | 0x000000000001L |
Fire before file creation operations.
The BeforeCreateFile event will fire anytime the OS attempts to create a file or directory. In some cases, can cause the BeforeOpenFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_CE_AFTER_CREATE | 0x000000000002L |
Fire after file creation operations.
The AfterCreateFile event will fire after a file or directory creation request has been processed, before the response is returned. In some cases, can cause the AfterOpenFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_CE_BEFORE_OPEN | 0x000000000004L |
Fire before file open operations.
The BeforeOpenFile event will fire anytime the OS attempts to open a file or directory. In some cases, can cause the BeforeCreateFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_CE_AFTER_OPEN | 0x000000000008L |
Fire after file open operations.
The AfterOpenFile event will fire after a file or directory open request has been processed, before the response is returned. In some cases, can cause the AfterCreateFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_CE_BEFORE_READ | 0x000000000010L |
Fire before read operations.
The BeforeReadFile event will fire anytime the OS attempts to read data from a file. |
FS_CE_AFTER_READ | 0x000000000020L |
Fire after read operations.
The AfterReadFile event will fire after a read request has been processed, before the response is returned. |
FS_CE_BEFORE_WRITE | 0x000000000040L |
Fire before write operations.
The BeforeWriteFile event will fire anytime the OS attempts to write data to a file. |
FS_CE_AFTER_WRITE | 0x000000000080L |
Fire after write operations.
The AfterReadFile event will fire after a write request has been processed, before the response is returned. |
FS_CE_BEFORE_LOCK_CONTROL | 0x000000000100L |
Fire before lock and unlock operations.
The BeforeLock, BeforeUnlockAll, BeforeUnlockAllByKey, and BeforeUnlockSingle events will fire, as applicable, before the OS attempts to lock or unlock a range of bytes in a file. |
FS_CE_AFTER_LOCK_CONTROL | 0x000000000200L |
Fire before and after lock and unlock operations.
The AfterLock, AfterUnlockAll, AfterUnlockAllByKey, and AfterUnlockSingle, events will fire, as applicable, after a lock or unlock request has been processed, before the response is returned. |
FS_CE_BEFORE_CLEANUP | 0x000000000400L |
Fire before file handle cleanup operations.
The BeforeCleanupFile event will fire anytime a process closes a file or directory handle. |
FS_CE_AFTER_CLEANUP | 0x000000000800L |
Fire after file handle cleanup operations.
The AfterCleanupFile event will fire after a file handle cleanup request has been processed, before the response is returned. |
FS_CE_BEFORE_CLOSE | 0x000000001000L |
Fire before file close operations.
The BeforeCloseFile event will fire anytime the OS closes a file or directory. Also, the AfterCloseEnumeration event will fire anytime the OS closes a directory enumeration (which typically occurs immediately before the directory is closed). |
FS_CE_AFTER_CLOSE | 0x000000002000L |
Fire after file close operations.
The AfterCloseFile event will fire after a file/directory close request has been processed, before the response is returned. |
FS_CE_BEFORE_CAN_DELETE | 0x000000004000L |
Fire before 'can be deleted' operations.
The BeforeCanFileBeDeleted event will fire anytime the OS checks whether a file or directory can be deleted. |
FS_CE_AFTER_CAN_DELETE | 0x000000008000L |
Fire after 'can be deleted' operations.
The AfterCanFileBeDeleted event will fire after a 'can be deleted' request has been processed, before the response is returned. |
FS_CE_BEFORE_DELETE | 0x000000010000L |
Fire before delete operations
The BeforeDeleteFile event will fire anytime the OS attempts to delete a file or directory. |
FS_CE_AFTER_DELETE | 0x000000020000L |
Fire after delete operations.
The AfterDeleteFile event will fire after a delete request has been processed, before the response is returned. |
FS_CE_BEFORE_RENAME | 0x000000040000L |
Fire before rename/move operations.
The BeforeRenameOrMoveFile event will fire anytime the OS attempts to rename or move a file or directory. |
FS_CE_AFTER_RENAME | 0x000000080000L |
Fire after rename/move operations.
The AfterRenameOrMoveFile event will fire after a rename or move request has been processed, before the response is returned. |
FS_CE_BEFORE_GET_SECURITY | 0x000000100000L |
Fire before get security operations.
The BeforeGetFileSecurity event will fire before the OS queries the security attributes of a file or directory. |
FS_CE_AFTER_GET_SECURITY | 0x000000200000L |
Fire after get security operations.
The AfterGetFileSecurity events will fire after a get security operation has been processed, before the response is returned. |
FS_CE_AFTER_ENUMERATE_DIRECTORY | 0x000000800000L |
Fire for directory enumeration operations.
The AfterEnumerateDirectory event will fire after information about a directory entry has been retrieved during directory enumeration, before the response is returned. |
FS_CE_BEFORE_QUERY_FILE_INFO | 0x000001000000L |
Fire before 'query file information' operations.
The BeforeQueryFileInfo event will fire anytime the OS needs to retrieve information about a file or directory. |
FS_CE_AFTER_QUERY_FILE_INFO | 0x000002000000L |
Fire after 'query file information' operations.
The AfterQueryFileInfo event will fire after a file or directory information query request has been processed, before the response is returned. |
FS_CE_AFTER_GET_SIZES | 0x000008000000L |
Fire after get size operations.
The AfterGetFileSizes event will fire after a file's size information is retrieved, before the response is returned. |
FS_CE_BEFORE_SET_SECURITY | 0x000010000000L |
Fire before set security operations.
The BeforeSetFileSecurity event will fire anytime the OS needs to change the security attributes of a file or directory. |
FS_CE_AFTER_SET_SECURITY | 0x000020000000L |
Fire after set security operations.
The AfterSetFileSecurity event will fire after a security attributes change request has been processed, before the response is returned. |
FS_CE_BEFORE_SET_ATTRIBUTES | 0x000040000000L |
Fire before file attribute update operations.
The BeforeSetFileAttributes event will fire anytime the OS attempts to change the attributes of a file or directory. |
FS_CE_AFTER_SET_ATTRIBUTES | 0x000080000000L |
Fire after file attribute update operations.
The AfterSetFileAttributes event will fire after a file attributes change request has been processed, before the response is returned. |
FS_CE_BEFORE_SET_SIZES | 0x000100000000L |
Fire before file resize operations.
The BeforeSetFileSize event will fire anytime the OS attempts to resize a file, and the BeforeSetAllocationSize event will fire anytime the OS attempts to change a file's allocation size. |
FS_CE_AFTER_SET_SIZES | 0x000200000000L |
Fire after file resize operations.
The AfterSetFileSize event will fire after a file resize request has been processed, and the AfterSetAllocationSize event will fire after a file allocation size change request has been processed, before the response is returned. |
FS_CE_BEFORE_CREATE_HARD_LINK | 0x000400000000L |
Fire before hard link creation operations.
The BeforeCreateHardLink event will fire anytime the OS attempts to create a hard link. |
FS_CE_AFTER_CREATE_HARD_LINK | 0x000800000000L |
Fire after hard link creation operations.
The AfterCreateHardLink events will fire after a hard link creation request has been processed, before the response is returned. |
FS_CE_BEFORE_FSCTL | 0x001000000000L |
Fire before FSCTL operations.
The BeforeFsctl event will fire anytime an IRP_MJ_FILE_SYSTEM_CONTROL request occurs. |
FS_CE_AFTER_FSCTL | 0x002000000000L |
Fire after FSCTL operations.
The AfterFsctl event will fire after an IRP_MJ_FILE_SYSTEM_CONTROL request has been processed, before the response is returned. |
FS_CE_BEFORE_IOCTL | 0x004000000000L |
Fire before IOCTL operations.
The BeforeIoctl event will fire anytime an IRP_MJ_DEVICE_CONTROL request occurs. |
FS_CE_AFTER_IOCTL | 0x008000000000L |
Fire after IOCTL operations.
The AfterIoctl event will fire after an IRP_MJ_DEVICE_CONTROL request has been processed, before the response is returned. |
FS_CE_BEFORE_SET_FILE_INFO | 0x010000000000L |
Fire before 'set file information' operations.
The BeforeSetFileInfo event will fire anytime the OS needs to change information about a file or directory. |
FS_CE_AFTER_SET_FILE_INFO | 0x020000000000L |
Fire after 'set file information' operations.
The AfterSetFileInfo event will fire after a file or directory information change request has been processed, before the response is returned. |
FS_CE_REPARSE_FILENAME | 0x100000000000L |
Fire before various operations for the purpose of file redirection.
The ReparseFileName event will fire before any operation that includes a file or directory name, giving the application a chance to redirect it. This is event is typically used when an application requires more advanced redirection logic than Reparse Rules can provide; please refer to that topic for more information. |
FS_CE_REPARSE_TAG | 0x200000000000L |
Fire for reparse operations.
The ReparseWithTag event will fire anytime a file/directory open operation returns a STATUS_REPARSE result, allowing the application to handle the reparse point. Please refer to Microsoft's Reparse Points article for more information. |
FS_CE_ALL | -1 |
Fire for all filesystem operations.
Control Events will fire for all filesystem operations. |
Filesystem Notification Event Flags |
||
FS_NE_NONE | 0 |
Don't fire for any filesystem operations.
Notification Events will not fire for any filesystem operations. |
FS_NE_CREATE | 0x00000001L |
Fire for file creation operations.
The NotifyCreateFile event will fire anytime the OS creates a file or directory. In some cases, can cause the NotifyOpenFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_NE_OPEN | 0x00000002L |
Fire for file open operations.
The NotifyOpenFile event will fire anytime the OS opens a file or directory. In some cases, can cause the NotifyCreateFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_NE_READ | 0x00000004L |
Fire for read operations.
The NotifyReadFile event will fire anytime the OS reads data from a file. |
FS_NE_WRITE | 0x00000008L |
Fire for write operations.
The NotifyWriteFile event will fire anytime the OS write data to a file. |
FS_NE_LOCK_CONTROL | 0x00000010L |
Fire for lock and unlock operations.
The NotifyLock, NotifyUnlockAll, NotifyUnlockAllByKey, and NotifyUnlockSingle events will fire, as applicable, anytime the OS locks or unlocks a range of bytes in a file. |
FS_NE_CLEANUP | 0x00000020L |
Fire for file handle cleanup operations.
The NotifyCleanupFile event will fire anytime a process closes a file or directory handle. |
FS_NE_CLOSE | 0x00000040L |
Fire for file close operations.
The NotifyCloseFile event will fire anytime the OS closes a file or directory. |
FS_NE_CAN_DELETE | 0x00000080L |
Fire for 'can be deleted' operations.
The NotifyCanFileBeDeleted event will fire anytime the OS checks whether a file or directory can be deleted. |
FS_NE_DELETE | 0x00000100L |
Fire for delete operations.
The NotifyDeleteFile event will fire anytime the OS deletes a file or directory. |
FS_NE_RENAME | 0x00000200L |
Fire for rename/move operations.
The NotifyRenameOrMoveFile event will fire anytime the OS renames or moves a file or directory. |
FS_NE_GET_SECURITY | 0x00000400L |
Fire for get security operations.
The NotifyGetFileSecurity event will fire anytime the OS queries the security attributes of a file or directory. |
FS_NE_ENUMERATE_DIRECTORY | 0x00000800L |
Fire for directory enumeration operations.
The NotifyEnumerateDirectory event will fire anytime the OS retrieves a directory entry during directory enumeration. |
FS_NE_QUERY_FILE_INFO | 0x00001000L |
Fire for QueryFileInformation operations.
The NotifyQueryFileInfo event will fire anytime the OS retrieves information about a file or directory. |
FS_NE_GET_SIZES | 0x00002000L |
Fire for get size operations.
The NotifyGetFileSizes event will fire anytime the OS retrieves a file's size information. |
FS_NE_SET_SECURITY | 0x00004000L |
Fire for set security operations.
The NotifySetFileSecurity event will fire anytime the OS changes the security attributes of a file or directory. |
FS_NE_SET_ATTRIBUTES | 0x00008000L |
Fire for file attribute update operations.
The NotifySetFileAttributes event will fire anytime the OS changes the attributes of a file or directory. |
FS_NE_SET_SIZES | 0x00010000L |
Fire for file resize operations.
The NotifySetFileSize event will fire anytime the OS resizes a file, and the NotifySetAllocationSize event will fire anytime the OS changes a file's allocation size. |
FS_NE_CREATE_HARD_LINK | 0x00020000L |
Fire for hard link creation operations.
The NotifyCreateHardLink event will fire anytime the OS creates a hard link. |
FS_NE_FSCTL | 0x00040000L |
Fire for FSCTL operations.
The NotifyFsctl event will fire anytime an IRP_MJ_FILE_SYSTEM_CONTROL operation occurs. |
FS_NE_IOCTL | 0x00080000L |
Fire for IOCTL operations.
The NotifyIoctl event will fire anytime an IRP_MJ_DEVICE_CONTROL operation occurs. |
FS_NE_SET_FILE_INFO | 0x00100000L |
Fire for SetFileInformation operations.
The NotifySetFileInfo event will fire anytime the OS changed information about a file or directory. |
FS_NE_ALL | -1 |
Fire for all filesystem operations.
Notification Events will fire for all filesystem operations. |
Filesystem Filter Modes |
||
FS_FILTER_MODE_LEGACY | 0 |
Use legacy filesystem filter mode.
Note: Legacy mode is obsolete; support for it is deprecated, and will be removed in a future product update. Please refer to the Minifilter and Legacy Modes topic for more information. |
FS_FILTER_MODE_MINIFILTER | 1 |
Use filesystem minifilter mode.
|
Filesystem Reparse Flags |
||
FS_REPARSE_CHANGE_PATH | 0 |
Perform redirection by modifying the path directly using the CBFilter system driver.
|
FS_REPARSE_USE_REPARSE_POINT | 1 |
Perform redirection by having the CBFilter system driver emulate real reparse point behavior.
This option will cause the driver to report that a file or directory's parent directory is a reparse point of the SYMLINK variety. Redirection performed in this manner is more consistent with Windows' own behavior; however, some software may fail to correctly handle paths that cross such symbolic links. |
Filesystem Request Directions |
||
FS_REQUEST_DIR_USER_NONCACHED | 0 | Operations performed in the 'user mode application <--> filesystem' direction. |
FS_REQUEST_DIR_USER_CACHED | 1 | Operations performed in the 'user mode application <--> system cache' direction. |
FS_REQUEST_DIR_SYSTEM_NONCACHED | 2 | Operations performed in the 'system cache <--> filesystem' direction. |
FS_REQUEST_DIR_SYSTEM_CACHED | 3 | Operations performed in the 'system component <--> system cache' direction. |
Filesystem Volume Mount Events |
||
FS_MOUNT_IGNORE | 0 |
Don't fire any events when volumes are mounted or unmounted.
|
FS_MOUNT_NOTIFY | 64 |
Fire Notification Events when volumes are mount or unmounted.
The NotifyFilterAttachToVolume and NotifyFilterDetachFromVolume events will fire, asynchronously, as necessary. |
FS_MOUNT_CONTROL | 128 |
Fire Control Events when volumes are mounted or unmounted.
The BeforeFilterAttachToVolume, AfterFilterAttachToVolume, and AfterFilterDetachFromVolume events will fire, synchronously, as necessary. |
FS_MOUNT_BOTH | 192 |
Fire all events when volumes are mounted or unmounted.
|
File Flushing Behavior Flags |
||
FS_FLUSH_FILES_ON_OPEN | 1 |
Whether memory-mapped file data should be flushed to disk before files are opened.
This flag indicates that the component's system driver should flush any cached and memory-mapped file data, leftover from the last time a file was opened, prior to opening it again. Doing so ensures that file data is read directly from the disk rather than from the old memory mapping. Applications that modify file data as it is being read may need to set this flag in order to function correctly. For example, applications that provide on-the-fly encryption should set this flag to ensure that file data is always read from the disk (and thus has a chance to get decrypted) when a file is opened. Applications that do not modify file data as it is being read should leave this flag unset in order to maintain optimal performance when opening files. |
FS_FLUSH_FILES_ON_CLOSE | 2 |
Whether file buffers must be flushed when files are closed.
This flag indicates that the component's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) when they are closed. Applications that modify file data as it is being written may need to set this flag in order to function correctly. For example, applications that provide on-the-fly encryption should set this flag to ensure that all file data is flushed to the disk (and thus has a chance to get encrypted) when a file is closed. Applications that do not modify file data as it is being written can unset this flag. After a file is flushed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information. |
FS_CLOSE_FILES_ON_STOPFILTER | 4 |
Whether files opened for writing must be closed when the application stops filtering.
This flag indicates that the component's system driver should close files that are opened for writing (and have had data written to them) when the application calls StopFilter. Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag in order to prevent further operations against the file data from being performed. Applications that do not modify file data as it is being written can leave this flag unset. Note that if memory mappings of some file exist, these mappings will remain active; only the open handles to such files are closed. When the file is closed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information. Applications can control whether file data is flushed before files are closed using the FS_FLUSH_FILES_ON_STOPFILTER flag; any data that is not flushed gets discarded. |
FS_FLUSH_FILES_ON_STOPFILTER | 8 |
Whether file buffers must be flushed when the application stops filtering.
This flag indicates that the component's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) when the application calls StopFilter. Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag to ensure that no unprotected data is kept in memory, but rather has a chance to be encrypted and written out to disk. Applications that do not modify file data as it is being written can leave this flag unset. If the application will not be able to perform on-the-fly data modification at the moment when StopFilter is called (e.g., because a cryptographic hardware module is unplugged), then this flag should be unset before calling StopFilter. After a file is flushed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information. |
FS_CLOSE_FILES_ON_CRASH | 16 |
Whether files opened for writing must be closed if the application terminates unexpectedly.
This flag indicates that the component's system driver should close files that are opened for writing (and have had data written to them) if the driver detects that the application has terminated. Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag in order to prevent further operations against the file data from being performed. Applications that do not modify file data as it is being written can leave this flag unset. Note that if memory mappings of some file exist, these mappings will remain active; only the open handles to such files are closed. When the file is closed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information. |
FS_FLUSH_FILES_ON_CRASH | 32 |
Whether file buffers must be flushed if the application terminates unexpectedly.
This flag indicates that the component's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) if the driver detects that the application has terminated. Applications that do not modify data as it is being written may set this flag if necessary. Applications that modify data as it is being written (e.g., on-the-fly encryption) should not set this flag, since such flushing could cause unprotected data to be written out to disk. |
FS_SUPPORT_FILE_ENCRYPTION | 31 |
Combination of flags suitable for on-the-fly file encryption applications.
This option includes the following flags: FS_FLUSH_FILES_ON_OPEN, FS_FLUSH_FILES_ON_CLOSE, FS_CLOSE_FILES_ON_STOPFILTER, FS_FLUSH_FILES_ON_STOPFILTER, and FS_CLOSE_FILES_ON_CRASH flags. |
Registry Control Event Flags |
||
REG_CE_NONE | 0 |
Don't fire for any registry operations.
Control Events will not fire for any registry operations. |
REG_CE_BEFORE_CREATE_KEY | 0x00000001L |
Fire before registry key creation operations.
The BeforeCreateKey event will fire anytime the OS attempts to create a registry key. |
REG_CE_AFTER_CREATE_KEY | 0x00000002L |
Fire after registry key creation operations.
The AfterCreateKey event will fire after a registry key creation request has been processed, before the response is returned. |
REG_CE_BEFORE_OPEN_KEY | 0x00000004L |
Fire before registry key open operations.
The BeforeOpenKey event will fire anytime the OS attempts to open a registry key. |
REG_CE_AFTER_OPEN_KEY | 0x00000008L |
Fire after registry key open operations.
The AfterOpenKey event will fire after a registry key open request has been processed, before the response is returned. |
REG_CE_BEFORE_CLOSE_KEY | 0x00000010L |
Fire before registry key close operations.
The BeforeCloseKey event will fire anytime the OS closes a registry key. |
REG_CE_AFTER_CLOSE_KEY | 0x00000020L |
Fire after registry key close operations.
The AfterCloseKey event will fire after a registry key close request has been processed, before the response is returned. |
REG_CE_BEFORE_DELETE_KEY | 0x00000040L |
Fire before registry key delete operations.
The BeforeDeleteKey event will fire anytime the OS attempts to delete a registry key. |
REG_CE_AFTER_DELETE_KEY | 0x00000080L |
Fire after registry key delete operations.
The AfterDeleteKey event will fire after a registry key delete request has been processed, before the response is returned. |
REG_CE_BEFORE_RENAME_KEY | 0x00000100L |
Fire before registry key rename operations.
The BeforeRenameKey event will fire anytime the OS attempts to rename a registry key. |
REG_CE_AFTER_RENAME_KEY | 0x00000200L |
Fire after registry key rename operations.
The AfterRenameKey event will fire after a registry key rename request has been processed, before the response is returned. |
REG_CE_BEFORE_ENUM_KEY | 0x00000400L |
Fire before subkey enumeration operations.
The BeforeEnumerateKey event will fire anytime the OS attempts to enumerate a registry key's subkeys. |
REG_CE_AFTER_ENUM_KEY | 0x00000800L |
Fire after subkey enumeration operations.
The AfterEnumerateKey event will fire after a subkey enumeration request has been processed, before the response is returned. |
REG_CE_BEFORE_QUERY_KEY | 0x00001000L |
Fire before registry key metadata retrieval operations.
The BeforeQueryKey event will fire anytime the OS attempts to retrieve a registry key's metadata. |
REG_CE_AFTER_QUERY_KEY | 0x00002000L |
Fire after registry key metadata retrieval operations.
The AfterQueryKey event will fire after a registry key metadata retrieval request has been processed, before the response is returned. |
REG_CE_BEFORE_SET_KEY | 0x00004000L |
Fire before registry key metadata update operations.
The BeforeSetKey event will fire anytime the OS attempts to a registry key's metadata. |
REG_CE_AFTER_SET_KEY | 0x00008000L |
Fire after registry key metadata update operations.
The AfterSetKey event will fire after a registry key metadata update request has been processed, before the response is returned. |
REG_CE_BEFORE_DELETE_VALUE | 0x00010000L |
Fire before registry value delete operations.
The BeforeDeleteValue event will fire anytime the OS attempts to delete a registry value. |
REG_CE_AFTER_DELETE_VALUE | 0x00020000L |
Fire after registry value delete operations.
The AfterDeleteValue event will fire after a registry value delete request has been processed, before the response is returned. |
REG_CE_BEFORE_ENUM_VALUE | 0x00040000L |
Fire before value enumeration operations.
The BeforeEnumerateValue event will fire anytime the OS attempts to enumerate a registry key's values. |
REG_CE_AFTER_ENUM_VALUE | 0x00080000L |
Fire after value enumeration operations.
The AfterEnumerateValue event will fire after a value enumeration request has been processed, before the response is returned. |
REG_CE_BEFORE_QUERY_VALUE | 0x00100000L |
Fire before registry value query operations.
The BeforeQueryValue event will fire anytime the OS attempts to query a registry value. |
REG_CE_AFTER_QUERY_VALUE | 0x00200000L |
Fire after registry value query operations.
The AfterQueryValue event will fire after a registry value query request has been processed, before the response is returned. |
REG_CE_BEFORE_SET_VALUE | 0x00400000L |
Fire before registry value set/update operations.
The BeforeSetValue event will fire anytime the OS attempts to set or update a registry value. |
REG_CE_AFTER_SET_VALUE | 0x00800000L |
Fire after registry value set/update operations.
The AfterSetValue event will fire after a registry value set or update request has been processed, before the response is returned. |
REG_CE_ALL | -1 |
Fire for all registry operations.
Control Events will fire for all registry operations. |
Registry Key Fields |
||
REG_KEYFIELD_LASTWRITETIME | 1 |
A registry key's last write time.
|
REG_KEYFIELD_NAME | 2 |
A registry key's name.
|
REG_KEYFIELD_MAXNAMELENGTH | 4 |
A registry key's longest subkey name.
|
REG_KEYFIELD_CLASSNAME | 8 |
A registry key's class name.
|
REG_KEYFIELD_MAXCLASSNAMELENGTH | 16 |
A registry key's longest subkey class name.
|
REG_KEYFIELD_SUBKEYS | 32 |
The number of subkeys a registry key has.
|
REG_KEYFIELD_VALUES | 64 |
The number of values a registry key has.
|
REG_KEYFIELD_MAXVALUENAMELENGTH | 128 |
A registry key's longest value name.
|
REG_KEYFIELD_MAXVALUEDATASIZE | 256 |
A registry key's largest value data size.
|
REG_KEYFIELD_VIRTUALIZATIONINFO | 512 |
A registry key's virtualization information.
|
Registry Value Fields |
||
REG_VALUEFIELD_TYPE | 1 |
A registry value's type.
|
REG_VALUEFIELD_NAME | 2 |
A registry value's name.
|
REG_VALUEFIELD_DATA | 4 |
A registry value's data.
|
Registry Value Types |
||
REG_VALUETYPE_SZ | 1 |
A unicode string.
|
REG_VALUETYPE_EXPAND_SZ | 2 |
A unicode string that contains environmental variable references.
|
REG_VALUETYPE_BINARY | 3 |
Binary data.
|
REG_VALUETYPE_DWORD | 4 |
A 32-bit number.
|
REG_VALUETYPE_MULTI_SZ | 7 |
Multiple unicode strings.
|
REG_VALUETYPE_QWORD | 11 |
A 64-bit number.
|
Install Flags |
||
INSTALL_REMOVE_OLD_VERSIONS | 0x00000001 |
Uninstall drivers from previous component versions (e.g., 2017).
|
INSTALL_KEEP_START_TYPE | 0x00000002 |
Keep the driver's current start type setting in the registry.
If this flag is not set (default), the installation logic will reset the driver's start type setting in the Windows registry to the default value. Setting this flag causes the installation logic to preserve the current value, which may be necessary if the user (or the application itself) set it previously. |
INSTALL_REQUESTS_VIA_DRIVER_STACK | 0x00000004 |
Whether internal requests to the filesystem are sent directly to the filesystem driver or through the stack of filesystem filter drivers.
This flag is only applicable for CBFilter and CBMonitor. After installation, the effects of this flag can be changed using the SendRequestsViaDriverStack configuration setting. |
INSTALL_ALWAYS_PREPARE_FILES | 0x00010000 |
Whether the driver should keep track of information for files that are already open when (i.e., were opened before) the component is initialized.
This flag is only applicable for CBFilter and CBMonitor. If this flag is set, the driver will prepare information about each file as it is opened, regardless of whether a CBFilter/CBMonitor-based application is actually running at the time. This information then allows applications to receive events for any files that are already open when the CBFilter/CBMonitor component is initialized. Please note that these preparations will slow down all file open operations; don't enable this feature unless it's actually necessary. After installation, the effects of this flag can be changed using the AlwaysPrepareFiles configuration setting. |
INSTALL_FORCE_APP_PERMISSION_CHECK | 0x00020000 |
Whether the driver should require the controller process to have elevated or system privileges.
This flag is only applicable for CBFilter and CBMonitor. If this flag is set, the driver will verify that the controller process is a system service (or is executing with elevated privileges) anytime a file is opened. If the controller process does not meet these requirements, the file will be skipped (i.e., not filtered in any way). Please note that this additional verification will slow down all file open operations. After installation, the effects of this flag can be changed using the ForceAppPermissionCheck configuration setting. |
INSTALL_FORCE_SECURITY_CHECKS | 0x00040000 |
Whether the driver should prevent the controller process from filtering files that it would not normally have access to.
This flag is only applicable for CBFilter and CBMonitor. If this flag is set, the driver will check the security permissions of the controller process anytime a file is opened in order to verify that the process itself has access to the file. If the controller process does not have access to the file, the file will be skipped (i.e., not filtered in any way). For example, if this flag is set and the controller process is running with limited privileges, then the driver will not allow it to filter files that require greater privileges to access. Please note that this additional verification will slow down all file open operations. After installation, the effects of this flag can be changed using the ForceSecurityChecks configuration setting. |
Uninstall Version Flags |
||
UNINSTALL_VERSION_PREVIOUS | 0x00000001 |
Uninstall modules from previous product versions.
|
UNINSTALL_VERSION_CURRENT | 0x00000002 |
Uninstall modules from the current product version.
|
UNINSTALL_VERSION_ALL | 0x00000003 |
Uninstall modules from all product versions.
|
Module Status Flags |
||
MODULE_STATUS_NOT_PRESENT | 0x00000000 |
The specified module is not present on the system.
|
MODULE_STATUS_STOPPED | 0x00000001 |
The specified module is in the Stopped state.
|
MODULE_STATUS_RUNNING | 0x00000004 |
The specified module is loaded and running.
|
File Attributes |
||
FILE_SYS_ATTR_READ_ONLY | 0x00000001 |
The file is read-only.
Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories. |
FILE_SYS_ATTR_HIDDEN | 0x00000002 |
The file or directory is hidden.
It is not included in an ordinary directory listing. |
FILE_SYS_ATTR_SYSTEM | 0x00000004 |
A file or directory that the operating system uses a part of, or uses exclusively.
|
FILE_SYS_ATTR_DIRECTORY | 0x00000010 |
The entry is a directory.
|
FILE_SYS_ATTR_ARCHIVE | 0x00000020 |
The entry is an archive file or directory.
Applications typically use this attribute to mark files for backup or removal. |
FILE_SYS_ATTR_NORMAL | 0x00000080 |
A file doesn't have other attributes set.
This attribute is only valid when used alone. |
FILE_SYS_ATTR_TEMPORARY | 0x00000100 |
A file that is being used for temporary storage.
File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data is written after the handle is closed. |
FILE_SYS_ATTR_SPARSE_FILE | 0x00000200 |
A file that is a sparse file.
|
FILE_SYS_ATTR_REPARSE_POINT | 0x00000400 |
A file that is a reparse point or a symbolic link.
|
FILE_SYS_ATTR_COMPRESSED | 0x00000800 |
A file or directory that is compressed.
For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories. |
FILE_SYS_ATTR_OFFLINE | 0x00001000 |
The data of a file is not available immediately.
This attribute indicates that the file data is physically moved to offline storage. |
FILE_SYS_ATTR_NOT_CONTENT_INDEXED | 0x00002000 |
The file or directory is not to be indexed by the content indexing service.
|
FILE_SYS_ATTR_ENCRYPTED | 0x00004000 |
A file or directory that is encrypted.
For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
|
FILE_SYS_ATTR_VIRTUAL | 0x00010000 |
Reserved.
Note: This flag is reserved by the OS and should not be used for files in custom filesystem implementations. |
FILE_SYS_ATTR_RECALL_ON_OPEN | 0x00040000 |
The file or directory has no physical representation on the local system; the item is virtual.
Opening the item will be more expensive than normal, e.g. it will cause at least some of it to be fetched from a remote store. This flag is reported by filesystems during directory enumerations. |
File Desired Access Flags |
||
DESIRED_ACCESS_FILE_LIST_DIRECTORY | 0x00000001 |
For a directory, the right to list the contents of the directory.
|
DESIRED_ACCESS_FILE_READ_DATA | 0x00000001 |
For a file object, the right to read the corresponding file data.
For a directory object, the right to read the corresponding directory data.
|
DESIRED_ACCESS_FILE_ADD_FILE | 0x00000002 |
For a directory, the right to create a file in the directory.
|
DESIRED_ACCESS_FILE_WRITE_DATA | 0x00000002 |
For a file object, the right to write data to the file.
For a directory object, the right to create a file in the directory
|
DESIRED_ACCESS_FILE_ADD_SUBDIRECTORY | 0x00000004 |
For a directory, the right to create a subdirectory.
|
DESIRED_ACCESS_FILE_APPEND_DATA | 0x00000004 |
For a file object, the right to append data to the file.
(For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).
|
DESIRED_ACCESS_FILE_READ_EA | 0x00000008 |
The right to read extended file attributes.
|
DESIRED_ACCESS_FILE_WRITE_EA | 0x00000010 |
The right to write extended file attributes.
|
DESIRED_ACCESS_FILE_EXECUTE | 0x00000020 |
For a native code file, the right to execute the file.
This access right given to scripts may cause the script to be executable, depending on the script interpreter.
|
DESIRED_ACCESS_FILE_DELETE_CHILD | 0x00000040 |
For a directory, the right to delete a directory and all the files it contains, including read-only files.
|
DESIRED_ACCESS_FILE_READ_ATTRIBUTES | 0x00000080 |
The right to read file attributes.
|
DESIRED_ACCESS_FILE_WRITE_ATTRIBUTES | 0x00000100 |
The right to write file attributes.
|
DESIRED_ACCESS_READ_CONTROL | 0x00020000 |
The right to read the information in the file or directory object's security descriptor.
This does not include the information in the SACL.
|
DESIRED_ACCESS_STANDARD_RIGHTS_READ | 0x00020000 |
Includes READ_CONTROL, which is the right to read the information in the file or directory object's security descriptor.
This does not include the information in the SACL.
|
DESIRED_ACCESS_STANDARD_RIGHTS_WRITE | 0x00020000 |
Same as STANDARD_RIGHTS_READ
|
DESIRED_ACCESS_STANDARD_RIGHTS_EXECUTE | 0x00020000 |
Same as STANDARD_RIGHTS_READ
|
DESIRED_ACCESS_SYNCHRONIZE | 0x00100000 |
The right to use the object for synchronization.
This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
DESIRED_ACCESS_FILE_ALL_ACCESS | 0x001F01FF |
All possible access rights for a file.
|
DESIRED_ACCESS_FILE_GENERIC_READ | 0x00120089 |
A combinarion of flags that allow reading of the file.
Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.
|
DESIRED_ACCESS_FILE_GENERIC_WRITE | 0x00120116 |
A combinarion of flags that allow modifications to the file.
Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.
|
DESIRED_ACCESS_FILE_GENERIC_EXECUTE | 0x001200A0 |
A combinarion of flags that allow execution of the file.
Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.
|
Creation Disposition flags |
||
FILE_DISPOSITION_CREATE_NEW | 0x00000001 |
Creates a new file, only if it does not already exist.
If the specified file exists, the operation fails with an "already exists" error. |
FILE_DISPOSITION_CREATE_ALWAYS | 0x00000002 |
Creates a new file, always.
If the specified file exists and is writable, the system overwrites the file. If the specified file does not exist and is a valid path, a new file is created. |
FILE_DISPOSITION_OPEN_EXISTING | 0x00000003 |
Opens a file, only if it exists
If the specified file does not exist, opening fails. |
FILE_DISPOSITION_OPEN_ALWAYS | 0x00000004 |
Opens a file, always.
If the specified file exists, the operation succeeds. If the specified file does not exist and is a valid path to a writable location, the a file is created. |
FILE_DISPOSITION_TRUNCATE_EXISTING | 0x00000005 |
Opens a file and truncates it so that its size is zero bytes, only if it exists.
If the specified file does not exist, the operation fails with a "file not found" error. |
Share Modes |
||
FILE_SYS_SHARE_READ | 0x00000001 |
Enables subsequent open operations on a file to request read access.
Otherwise, other processes cannot open the file if they request read access. If this flag is not specified, but the file has been opened for read access, file creation or opening fails. |
FILE_SYS_SHARE_WRITE | 0x00000002 |
Enables subsequent open operations on a file to request write access.
Otherwise, other processes cannot open the file if they request write access. If this flag is not specified, but the file has been opened for write access or has a file mapping with write access, file creation or opening fails. |
FILE_SYS_SHARE_DELETE | 0x00000004 |
Enables subsequent open operations on a file to request delete access.
Otherwise, other processes cannot open the file if they request delete access. If this flag is not specified, but the file has been opened for delete access, the function fails.
|