Constants

Don't fire any events when volumes are mounted or unmounted.

Fire Notification Events when volumes are mounted or unmounted. The NotifyFilterAttachToVolume and NotifyFilterDetachFromVolume events will fire, asynchronously, as necessary.

Fire Control Events when volumes are mounted or unmounted. The BeforeFilterAttachToVolume, AfterFilterAttachToVolume, and AfterFilterDetachFromVolume events will fire, synchronously, as necessary.

Fire all events when volumes are mounted or unmounted.

No encryption information specified.

No encryption is applied.

Use AES256 encryption with PBKDF2 key derivation based on a HMAC_SHA256 key hash.

Uninstall drivers from previous component versions (e.g., 2020).

Keep the driver's current start type setting in the registry. If this flag is not set (default), the installation logic will reset the driver's start type setting in the Windows registry to the default value. Setting this flag causes the installation logic to preserve the current value, which may be necessary if the user (or the application) set it previously.

Install the driver file when its version and build number is the same as the version of the already installed driver.

Whether internal requests to the filesystem are sent directly to the filesystem driver or through the stack of filesystem filter drivers. This flag is applicable only for CBFILTER and CBMONITOR.

After installation, the effects of this flag can be changed using the SendRequestsViaDriverStack configuration setting.

Whether the driver should keep track of information for files that are already open when (i.e., were opened before) the component is initialized. This flag is applicable only for CBFILTER and CBMONITOR.

If this flag is set, the driver will prepare information about each file as it is opened, regardless of whether a CBFILTER/CBMONITOR-based application is actually running at the time. This information then allows applications to receive events for any files that are already open when the CBFILTER/CBMONITOR component is initialized.

NOTE: These preparations will slow down all file open operations; do not enable this feature unless it is actually necessary.

After installation, the effects of this flag can be changed using the AlwaysPrepareFiles configuration setting.

Whether the driver should require the controller process to have elevated or system privileges. This flag is not applicable for CBPROCESS.

If this flag is set, the driver will verify that the controller process is a system service (or is executing with elevated privileges) anytime a file is opened. If the controller process does not meet these requirements, the file will be skipped (i.e., not filtered in any way).

NOTE: This additional verification will slow down all file open operations.

After installation, the effects of this flag can be changed using the ForceAppPermissionCheck configuration setting.

Whether the driver should prevent the controller process from filtering files that it would not normally have access to. This flag is not applicable for CBPROCESS.

If this flag is set, the driver will check the security permissions of the controller process anytime a file is opened to verify that the process has access to the file. If the controller process does not have access to the file, the file will be skipped (i.e., not filtered in any way). For example, if this flag is set and the controller process is running with limited privileges, then the driver will not allow it to filter files that require greater privileges to access.

NOTE: This additional verification will slow down all file open operations.

After installation, the effects of this flag can be changed using the ForceSecurityChecks configuration setting.

Whether the driver should keep track of information for opened files which are not covered by any rules. This flag is applicable only for CBFILTER and CBMONITOR.

If this flag is not set, the driver will prepare information about each file as it is opened, regardless of whether this file matches any of the rules tha exist at the time of file opening. The prepared information is used to keep track of file names (especially during file renaming or when hard links are managed).

This flag can be used to optimize the filtering process and reduce the load on the kernel memory in scenarios, where filtering rules are defined beforehand and cover only a subset of files or directories. I.e., the flag brings no benefit if a rule is set with the "*.*" mask or when it is set to "C:\*.*" with only drive C: available in the system.

The flag will be effective only when all instances of the component have it set. If any of the instances doesn't have it set, the information is prepared for all files and is used for all instances.

After installation, the effects of this flag can be changed using the SkipPreparingFilesWithNoRules configuration setting.

Uninstall modules from previous product versions.

Uninstall modules from the current product version.

Uninstall modules from all product versions.

The specified module is not present on the system.

The specified module is in the Stopped state.

The specified module is loaded and running.

The file is read-only. Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories.

The file or directory is hidden. The file is not included in an ordinary directory listing.

A file or directory that the operating system uses a part of, or uses exclusively.

The entry is a directory.

The entry is an archive file or directory. Applications typically use this attribute to mark files for backup or removal.

A file doesn't have other attributes set. This attribute is valid only when used alone.

A file that is being used for temporary storage. File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data are written after the handle is closed.

A file that is a sparse file.

A file that is a reparse point or a symbolic link.

A file or directory that is compressed. For a file, all of the data in the file are compressed. For a directory, compression is the default for newly created files and subdirectories. A filesystem implementation can make use of this attribute by setting the SupportCompressedAttribute property to True and then properly handling the GetFileInfo, EnumerateDirectory, and SetFileAttributes events.

The data of a file are not available immediately. This attribute indicates that the file data are physically moved to offline storage.

The file or directory is not to be indexed by the content indexing service.

A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.

NOTE: This flag is used by NTFS and the OS sends undocumented requests to the filesystem based on this flag. The flag should not be used for files in custom filesystem implementations.

Reserved.

NOTE: This flag is reserved by the OS and should not be used for files in custom filesystem implementations.

The file or directory has no physical representation on the local system; the item is virtual. Opening the item will be more expensive than normal (e.g., it will cause at least some of it to be fetched from a remote store). This flag is reported by filesystems during directory enumerations.

For a directory, the right to list the contents of the directory.

For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.

For a directory, the right to create a file in the directory.

For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory

For a directory, the right to create a subdirectory.

For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).

The right to read extended file attributes.

The right to write extended file attributes.

For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.

For a directory, the right to delete a directory and all the files it contains, including read-only files.

The right to read file attributes.

The right to write file attributes.

The right to read the information in the file or directory object's security descriptor. This does not include the information in the SACL.

Includes READ_CONTROL, which is the right to read the information in the file or directory object's security descriptor. This does not include the information in the SACL.

Same as STANDARD_RIGHTS_READ

Same as STANDARD_RIGHTS_READ

The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

All possible access rights for a file.

A combinarion of flags that allow reading of the file. NOTE: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.

A combinarion of flags that allow modifications to the file. NOTE: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.

A combinarion of flags that allow execution of the file. NOTE: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.

Creates a new file, only if it does not already exist. If the specified file exists, the operation fails with an "already exists" error.

Creates a new file, always. If the specified file exists and is writable, the system overwrites the file. If the specified file does not exist and is a valid path, a new file is created.

Opens a file, only if it exists If the specified file does not exist, opening fails.

Opens a file, always. If the specified file exists, the operation succeeds. If the specified file does not exist and is a valid path to a writable location, the a file is created.

Opens a file and truncates it so that its size is zero bytes, only if it exists. If the specified file does not exist, the operation fails with a "file not found" error.

Opens or creates a directory and returns an error if a file exists. The directory will be either opened or created depending on other flags set for the CreationDisposition parameter. If there exists a file with the given name, and the value requests opening of a directory, the ERROR_FILE_NOT_SUPPORTED error (numeric value 425) is returned.

Opens or creates a file and returns an error if a directory exists. The file will be either opened or created depending on other flags set for the CreationDisposition parameter. If there exists a directory with the given name, and the value requests opening of a file, the ERROR_DIRECTORY_NOT_SUPPORTED error (numeric value 336) is returned.

Prevents any process from opening a file or device if it requests delete, read, or write access.

Enables subsequent open operations on a file or device to request read access. Enables subsequent open operations to request read access; otherwise, no process can open the file or device if it requests read access. If this flag is not specified, but the file or device has been opened for read access, the function fails.

Enables subsequent open operations on a file or device to request write access. Enables subsequent open operations to request write access; otherwise, no process can open the file or device if it requests write access. If this flag is not specified, but the file or device has been opened for write access or has a file mapping with write access, the function fails.

Enables subsequent open operations on a file or device to request delete access. Enables subsequent open operations to request delete access; otherwise, no process can open the file or device if it requests delete access. If this flag is not specified, but the file or device has been opened for delete access, the function fails.

NOTE: Delete access allows both delete and rename operations.

Specifies that the driver should pass IO_IGNORE_SHARE_ACCESS_CHECK flag to the system functions. Use this flag to bypass sharing checks performed by the I/O manager when opening local files.

NOTE: The filesystem still may perform these checks. Also, the internal structures are not updated with the share mode values, passed in this call. This means that subsequent file open operations will not know about the previous share mode and may succeed where they would have to fail.

Requests that BypassIO be enabled for the given file, which means an application might not see all non-cached reads for that file.

Informs that BypassIO is being disabled on the specified file.

Queries whether BypassIO can be enabled for the given file.

Requests that BypassIO be paused on the specified volume/storage stack.

Requests that BypassIO processing be resumed on the given volume.

Requests that BypassIO processing be paused on a stream.

Requests that BypassIO processing be resumed on a stream.

Requests information about the BypassIO state of the volume.

The file is encrypted.

The file is decrypted.