NotifyFsctl Event

Fires when an IRP_MJ_FILE_SYSTEM_CONTROL operation has occurred.

Syntax

ANSI (Cross Platform)
virtual int FireNotifyFsctl(CBFilterNotifyFsctlEventParams *e);
typedef struct {
const char *FileName;
int FsControlCode;
const void *InBuffer;
int InBufferLength;
int InBufferValidBytes;
const void *OutBuffer;
int OutBufferLength;
int OutBufferValidBytes;
int Status;
int ResultCode; int reserved; } CBFilterNotifyFsctlEventParams; Unicode (Windows) virtual INT FireNotifyFsctl(CBFilterNotifyFsctlEventParams *e);
typedef struct {
LPCWSTR FileName;
INT FsControlCode;
LPCVOID InBuffer;
INT InBufferLength;
INT InBufferValidBytes;
LPCVOID OutBuffer;
INT OutBufferLength;
INT OutBufferValidBytes;
INT Status;
INT ResultCode; INT reserved; } CBFilterNotifyFsctlEventParams;
#define EID_CBFILTER_NOTIFYFSCTL 67

virtual INT CBFSFILTER_CALL FireNotifyFsctl(LPWSTR &lpszFileName, INT &iFsControlCode, LPVOID &lpInBuffer, INT &iInBufferLength, INT &iInBufferValidBytes, LPVOID &lpOutBuffer, INT &iOutBufferLength, INT &iOutBufferValidBytes, INT &iStatus, INT &iResultCode);

Remarks

This event fires when an IRP_MJ_FILE_SYSTEM_CONTROL (FSCTL) operation has occurred. Such requests are sent using the Windows API's DeviceIoControl function (user mode), or ZwFsControlFile function (kernel mode); please refer to Microsoft's documentation for more information.

Applications only need to handle this event if they've added a standard filter rule that includes the FS_NE_FSCTL flag.

The FileName parameter reflects the file, directory, or volume targeted by the request.

The FsControlCode parameter reflects the requested filesystem control code (FSCTL).

The InBuffer parameter points to a memory buffer that contains the data required to perform the operation. The InBufferLength and InBufferValidBytes parameters reflect the capacity of InBuffer and the length of the data it contains (respectively), in bytes; InBufferValidBytes may be less than InBufferLength (unless the request did not include data, in which case both will be 0).

The OutBuffer parameter points to a memory buffer that contains the data returned by the operation. The OutBufferLength and OutBufferValidBytes parameters reflect the capacity of OutBuffer and the length of the data it contains (respectively), in bytes; OutBufferValidBytes may be less than OutBufferLength (unless the operation did not return data, in which case both will be 0).

Please refer to the Buffer Parameters topic for more information on how to work with memory buffer event parameters.

The Status parameter contains an NT status code that indicates the outcome of the operation; 0 indicates success. To convert this value to a Win32 error code, call the NtStatusToWin32Error method. Please note that this event won't fire for failed requests unless the ProcessFailedRequests property is enabled.

The ResultCode parameter will always be 0 when the event is fired. If the event cannot be handled in a "successful" manner for some reason, set it to a non-zero value to report an appropriate error. Note, however, that this event fires after the operation has already completed, so reporting an error won't actually affect the operation itself. Please refer to the Error Reporting and Handling topic for more information.

This event is fired asynchronously; please refer to the Event Types topic for more information.

Copyright (c) 2022 Callback Technologies, Inc. - All rights reserved.
CBFS Filter 2020 C++ Edition - Version 20.0 [Build 8317]