File Create/Open Events

The CBENCRYPT component provides a pair of events related to creating and opening files:

  • CreateFile and OpenFile, which are fired when the request is made.

Files can be created or deleted at any time, so there is no way for the OS to know with complete certainty whether a particular file exists until an interested process actually attempts to access it. This is true even if the process checks whether the file exists beforehand, because that file could then be created/deleted in the time between between when the check occurred and when the create/open call occurs.

It is for this reason that the same Windows API function, CreateFile, is used for both creating and opening files. Processes that call this function use its CreationDisposition parameter to specify what the OS and filesystem should do if the file exists/doesn't exist. The one and only CreationDisposition option that results in a "create file" request is CREATE_NEW; all other options result in an "open file" request, and the filesystem then uses the CreationDisposition for guidance.

Since the components' only source of information is the requests themselves, they also have no way of knowing whether a particular file exists (or not) at any given time. So they simply act in the following manner:

  • If the request's CreationDisposition is CREATE_NEW, then the CreateFile event is used.
  • If the request's CreationDisposition is FILE_SUPERSEDE (an NT-native flag used in the kernel), then the OpenFile event is used, followed by the corresponding CreateFile.
  • In all other cases, the OpenFile event is used.

 
 
Copyright (c) 2021 Callback Technologies, Inc. - All rights reserved.
CBFS Filter 2020 .NET Edition - Version 20.0 [Build 7850]