AfterCreateFile Event

Fires after a file or directory is created.


virtual int FireAfterCreateFile(CBFilterAfterCreateFileEventParams *e);
typedef struct {
const char *FileName;
int DesiredAccess;
int Attributes;
int ShareMode;
int Options;
int CreateDisposition;
int Status;
void *FileContext;
void *HandleContext;
int ResultCode; int reserved; } CBFilterAfterCreateFileEventParams;
virtual INT FireAfterCreateFile(CBFilterAfterCreateFileEventParams *e);
typedef struct {
INT DesiredAccess;
INT Attributes;
INT ShareMode;
INT Options;
INT CreateDisposition;
INT Status;
LPVOID FileContext;
LPVOID HandleContext;
INT ResultCode; INT reserved; } CBFilterAfterCreateFileEventParams;


This event fires after the file or directory specified by FileName is created. Please refer to the File Create/Open Events topic for more information about how the class determines whether to fire this event or AfterOpenFile.

Applications only need to handle this event if they've added a standard filter rule that includes the FS_CE_AFTER_CREATE flag. Please note that applications must have the FilterOwnRequests configuration setting enabled if they wish to filter their own file/directory creation requests.

The DesiredAccess, Attributes, ShareMode, Options, and CreateDisposition parameters reflect the values that were passed for the similarly-named parameters of the Windows API's CreateFile function (or, more accurately, the values carried by the IRP_MJ_CREATE IRP). Please refer to Microsoft's documentation for more information.

To determine whether the request was for a file or a directory, compare Attributes against the Windows API's FILE_ATTRIBUTE_DIRECTORY constant, like so:

// Check whether the request is for a file or a directory.
FILE_ATTRIBUTE_DIRECTORY will be present if it was specified by the calling process or if the existing filesystem entry is a directory.

To determine whether a file will be deleted when its last handle is closed, compare Options against the Windows API's FILE_FLAG_DELETE_ON_CLOSE constant, like so:

// Check whether the file will be deleted on close.

The Status parameter contains an NT status code that indicates the outcome of the operation; 0 indicates success. To convert this value to a Win32 error code, call the NtStatusToWin32Error method. Please note that this event won't fire for failed requests unless the ProcessFailedRequests property is enabled. Applications may change this parameter's value if they want a different NT status code to be returned.

The FileContext and HandleContext parameters are placeholders for application-defined data associated with the file and specific handle, respectively. Please refer to the Contexts topic for more information.

When the ProcessFailedRequests property is enabled, this event may fire even if the specified file or directory has not been created or opened, in which case the Status parameter will be non-zero. Applications must not alter the FileContext and HandleContext parameters when this occurs.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason (e.g., a resource isn't available, security checks failed, etc.), set it to a non-zero value to report an appropriate error. Please refer to the Error Reporting and Handling topic for more information.

This event is fired synchronously; please refer to the Event Types topic for more information.

Copyright (c) 2021 Callback Technologies, Inc. - All rights reserved.
CBFS Filter 2020 C++ Edition - Version 20.0 [Build 7836]