Constants

All constants are accessible through the cbfConstants namespace declared in the cbfsfilter.h file.

Access Restriction Flags

ACCESS_NONE 0x00 No access restrictions.

ACCESS_READ_ONLY 0x01 Read-only access; writing and deleting is prohibited.

ACCESS_WRITE_ONLY 0x02 Write-only access; reading and deleting is prohibited.

ACCESS_DELETE_PROTECT 0x04 Deletion and renaming is prohibited.

ACCESS_EXECUTE_PROTECT 0x08 Execution is prohibited.

ACCESS_NO_CHANGE_DAC 0x10 Change of security attributes is prohibited.

ACCESS_NO_CHANGE_OWNER 0x20 Change of owner is prohibited.

ACCESS_RENAME_PROTECT 0x40 Renaming is prohibited.

ACCESS_DELETE_ONLY_PROTECT 0x80 Deletion is prohibited (renaming is not affected).

ACCESS_REMOTE_ACCESS_PROTECT 0x100 Access from other systems is prohibited.

ACCESS_DENY_ALL 0x200 All access is denied.

ACCESS_ALL_FLAGS -1 Used to denote all currently set access restriction flags.

Filesystem Control Event Flags

FS_CE_NONE 0 Don't fire for any filesystem operations.

Control Events will not fire for any filesystem operations.

FS_CE_BEFORE_CREATE 0x000000000001L Fire before file creation operations.

The BeforeCreateFile event will fire anytime the OS attempts to create a file or directory. In some cases, can cause the BeforeOpenFile event to fire; refer to the File Create/Open Events topic for more information.

FS_CE_AFTER_CREATE 0x000000000002L Fire after file creation operations.

The AfterCreateFile event will fire after a file or directory creation request has been processed, before the response is returned. In some cases, can cause the AfterOpenFile event to fire; refer to the File Create/Open Events topic for more information.

FS_CE_BEFORE_OPEN 0x000000000004L Fire before file open operations.

The BeforeOpenFile event will fire anytime the OS attempts to open a file or directory. In some cases, can cause the BeforeCreateFile event to fire; refer to the File Create/Open Events topic for more information.

FS_CE_AFTER_OPEN 0x000000000008L Fire after file open operations.

The AfterOpenFile event will fire after a file or directory open request has been processed, before the response is returned. In some cases, can cause the AfterCreateFile event to fire; refer to the File Create/Open Events topic for more information.

FS_CE_BEFORE_READ 0x000000000010L Fire before read operations.

The BeforeReadFile event will fire anytime the OS attempts to read data from a file.

FS_CE_AFTER_READ 0x000000000020L Fire after read operations.

The AfterReadFile event will fire after a read request has been processed, before the response is returned.

FS_CE_BEFORE_WRITE 0x000000000040L Fire before write operations.

The BeforeWriteFile event will fire anytime the OS attempts to write data to a file.

FS_CE_AFTER_WRITE 0x000000000080L Fire after write operations.

The AfterReadFile event will fire after a write request has been processed, before the response is returned.

FS_CE_BEFORE_LOCK_CONTROL 0x000000000100L Fire before lock and unlock operations.

The BeforeLock, BeforeUnlockAll, BeforeUnlockAllByKey, and BeforeUnlockSingle events will fire, as applicable, before the OS attempts to lock or unlock a range of bytes in a file.

FS_CE_AFTER_LOCK_CONTROL 0x000000000200L Fire before and after lock and unlock operations.

The AfterLock, AfterUnlockAll, AfterUnlockAllByKey, and AfterUnlockSingle, events will fire, as applicable, after a lock or unlock request has been processed, before the response is returned.

FS_CE_BEFORE_CLEANUP 0x000000000400L Fire before file handle cleanup operations.

The BeforeCleanupFile event will fire anytime a process closes a file or directory handle.

FS_CE_AFTER_CLEANUP 0x000000000800L Fire after file handle cleanup operations.

The AfterCleanupFile event will fire after a file handle cleanup request has been processed, before the response is returned.

FS_CE_BEFORE_CLOSE 0x000000001000L Fire before file close operations.

The BeforeCloseFile event will fire anytime the OS closes a file or directory. Also, the AfterCloseEnumeration event will fire anytime the OS closes a directory enumeration (which typically occurs immediately before the directory is closed).

FS_CE_AFTER_CLOSE 0x000000002000L Fire after file close operations.

The AfterCloseFile event will fire after a file/directory close request has been processed, before the response is returned.

FS_CE_BEFORE_CAN_DELETE 0x000000004000L Fire before 'can be deleted' operations.

The BeforeCanFileBeDeleted event will fire anytime the OS checks whether a file or directory can be deleted.

FS_CE_AFTER_CAN_DELETE 0x000000008000L Fire after 'can be deleted' operations.

The AfterCanFileBeDeleted event will fire after a 'can be deleted' request has been processed, before the response is returned.

FS_CE_BEFORE_DELETE 0x000000010000L Fire before delete operations

The BeforeDeleteFile event will fire anytime the OS attempts to delete a file or directory.

FS_CE_AFTER_DELETE 0x000000020000L Fire after delete operations.

The AfterDeleteFile event will fire after a delete request has been processed, before the response is returned.

FS_CE_BEFORE_RENAME 0x000000040000L Fire before rename/move operations.

The BeforeRenameOrMoveFile event will fire anytime the OS attempts to rename or move a file or directory.

FS_CE_AFTER_RENAME 0x000000080000L Fire after rename/move operations.

The AfterRenameOrMoveFile event will fire after a rename or move request has been processed, before the response is returned.

FS_CE_BEFORE_GET_SECURITY 0x000000100000L Fire before get security operations.

The BeforeGetFileSecurity event will fire before the OS queries the security attributes of a file or directory.

FS_CE_AFTER_GET_SECURITY 0x000000200000L Fire after get security operations.

The AfterGetFileSecurity events will fire after a get security operation has been processed, before the response is returned.

FS_CE_AFTER_ENUMERATE_DIRECTORY 0x000000800000L Fire for directory enumeration operations.

The AfterEnumerateDirectory event will fire after information about a directory entry has been retrieved during directory enumeration, before the response is returned.

FS_CE_BEFORE_QUERY_FILE_INFO 0x000001000000L Fire before 'query file information' operations.

The BeforeQueryFileInfo event will fire anytime the OS needs to retrieve information about a file or directory.

FS_CE_AFTER_QUERY_FILE_INFO 0x000002000000L Fire after 'query file information' operations.

The AfterQueryFileInfo event will fire after a file or directory information query request has been processed, before the response is returned.

FS_CE_AFTER_GET_SIZES 0x000008000000L Fire after get size operations.

The AfterGetFileSizes event will fire after a file's size information is retrieved, before the response is returned.

FS_CE_BEFORE_SET_SECURITY 0x000010000000L Fire before set security operations.

The BeforeSetFileSecurity event will fire anytime the OS needs to change the security attributes of a file or directory.

FS_CE_AFTER_SET_SECURITY 0x000020000000L Fire after set security operations.

The AfterSetFileSecurity event will fire after a security attributes change request has been processed, before the response is returned.

FS_CE_BEFORE_SET_ATTRIBUTES 0x000040000000L Fire before file attribute update operations.

The BeforeSetFileAttributes event will fire anytime the OS attempts to change the attributes of a file or directory.

FS_CE_AFTER_SET_ATTRIBUTES 0x000080000000L Fire after file attribute update operations.

The AfterSetFileAttributes event will fire after a file attributes change request has been processed, before the response is returned.

FS_CE_BEFORE_SET_SIZES 0x000100000000L Fire before file resize operations.

The BeforeSetFileSize event will fire anytime the OS attempts to resize a file, and the BeforeSetAllocationSize event will fire anytime the OS attempts to change a file's allocation size.

FS_CE_AFTER_SET_SIZES 0x000200000000L Fire after file resize operations.

The AfterSetFileSize event will fire after a file resize request has been processed, and the AfterSetAllocationSize event will fire after a file allocation size change request has been processed, before the response is returned.

FS_CE_BEFORE_CREATE_HARD_LINK 0x000400000000L Fire before hard link creation operations.

The BeforeCreateHardLink event will fire anytime the OS attempts to create a hard link.

FS_CE_AFTER_CREATE_HARD_LINK 0x000800000000L Fire after hard link creation operations.

The AfterCreateHardLink events will fire after a hard link creation request has been processed, before the response is returned.

FS_CE_BEFORE_FSCTL 0x001000000000L Fire before FSCTL operations.

The BeforeFsctl event will fire anytime an IRP_MJ_FILE_SYSTEM_CONTROL request occurs.

FS_CE_AFTER_FSCTL 0x002000000000L Fire after FSCTL operations.

The AfterFsctl event will fire after an IRP_MJ_FILE_SYSTEM_CONTROL request has been processed, before the response is returned.

FS_CE_BEFORE_IOCTL 0x004000000000L Fire before IOCTL operations.

The BeforeIoctl event will fire anytime an IRP_MJ_DEVICE_CONTROL request occurs.

FS_CE_AFTER_IOCTL 0x008000000000L Fire after IOCTL operations.

The AfterIoctl event will fire after an IRP_MJ_DEVICE_CONTROL request has been processed, before the response is returned.

FS_CE_BEFORE_SET_FILE_INFO 0x010000000000L Fire before 'set file information' operations.

The BeforeSetFileInfo event will fire anytime the OS needs to change information about a file or directory.

FS_CE_AFTER_SET_FILE_INFO 0x020000000000L Fire after 'set file information' operations.

The AfterSetFileInfo event will fire after a file or directory information change request has been processed, before the response is returned.

FS_CE_REPARSE_FILENAME 0x100000000000L Fire before various operations for the purpose of file redirection.

The ReparseFileName event will fire before any operation that includes a file or directory name, giving the application a chance to redirect it. This is event is typically used when an application requires more advanced redirection logic than Reparse Rules can provide; please refer to that topic for more information.

FS_CE_REPARSE_TAG 0x200000000000L Fire for reparse operations.

The ReparseWithTag event will fire anytime a file/directory open operation returns a STATUS_REPARSE result, allowing the application to handle the reparse point. Please refer to Microsoft's Reparse Points article for more information.

FS_CE_ALL -1 Fire for all filesystem operations.

Control Events will fire for all filesystem operations.

Filesystem Notification Event Flags

FS_NE_NONE 0 Don't fire for any filesystem operations.

Notification Events will not fire for any filesystem operations.

FS_NE_CREATE 0x00000001L Fire for file creation operations.

The NotifyCreateFile event will fire anytime the OS creates a file or directory. In some cases, can cause the NotifyOpenFile event to fire; refer to the File Create/Open Events topic for more information.

FS_NE_OPEN 0x00000002L Fire for file open operations.

The NotifyOpenFile event will fire anytime the OS opens a file or directory. In some cases, can cause the NotifyCreateFile event to fire; refer to the File Create/Open Events topic for more information.

FS_NE_READ 0x00000004L Fire for read operations.

The NotifyReadFile event will fire anytime the OS reads data from a file.

FS_NE_WRITE 0x00000008L Fire for write operations.

The NotifyWriteFile event will fire anytime the OS write data to a file.

FS_NE_LOCK_CONTROL 0x00000010L Fire for lock and unlock operations.

The NotifyLock, NotifyUnlockAll, NotifyUnlockAllByKey, and NotifyUnlockSingle events will fire, as applicable, anytime the OS locks or unlocks a range of bytes in a file.

FS_NE_CLEANUP 0x00000020L Fire for file handle cleanup operations.

The NotifyCleanupFile event will fire anytime a process closes a file or directory handle.

FS_NE_CLOSE 0x00000040L Fire for file close operations.

The NotifyCloseFile event will fire anytime the OS closes a file or directory.

FS_NE_CAN_DELETE 0x00000080L Fire for 'can be deleted' operations.

The NotifyCanFileBeDeleted event will fire anytime the OS checks whether a file or directory can be deleted.

FS_NE_DELETE 0x00000100L Fire for delete operations.

The NotifyDeleteFile event will fire anytime the OS deletes a file or directory.

FS_NE_RENAME 0x00000200L Fire for rename/move operations.

The NotifyRenameOrMoveFile event will fire anytime the OS renames or moves a file or directory.

FS_NE_GET_SECURITY 0x00000400L Fire for get security operations.

The NotifyGetFileSecurity event will fire anytime the OS queries the security attributes of a file or directory.

FS_NE_ENUMERATE_DIRECTORY 0x00000800L Fire for directory enumeration operations.

The NotifyEnumerateDirectory event will fire anytime the OS retrieves a directory entry during directory enumeration.

FS_NE_QUERY_FILE_INFO 0x00001000L Fire for QueryFileInformation operations.

The NotifyQueryFileInfo event will fire anytime the OS retrieves information about a file or directory.

FS_NE_GET_SIZES 0x00002000L Fire for get size operations.

The NotifyGetFileSizes event will fire anytime the OS retrieves a file's size information.

FS_NE_SET_SECURITY 0x00004000L Fire for set security operations.

The NotifySetFileSecurity event will fire anytime the OS changes the security attributes of a file or directory.

FS_NE_SET_ATTRIBUTES 0x00008000L Fire for file attribute update operations.

The NotifySetFileAttributes event will fire anytime the OS changes the attributes of a file or directory.

FS_NE_SET_SIZES 0x00010000L Fire for file resize operations.

The NotifySetFileSize event will fire anytime the OS resizes a file, and the NotifySetAllocationSize event will fire anytime the OS changes a file's allocation size.

FS_NE_CREATE_HARD_LINK 0x00020000L Fire for hard link creation operations.

The NotifyCreateHardLink event will fire anytime the OS creates a hard link.

FS_NE_FSCTL 0x00040000L Fire for FSCTL operations.

The NotifyFsctl event will fire anytime an IRP_MJ_FILE_SYSTEM_CONTROL operation occurs.

FS_NE_IOCTL 0x00080000L Fire for IOCTL operations.

The NotifyIoctl event will fire anytime an IRP_MJ_DEVICE_CONTROL operation occurs.

FS_NE_SET_FILE_INFO 0x00100000L Fire for SetFileInformation operations.

The NotifySetFileInfo event will fire anytime the OS changed information about a file or directory.

FS_NE_ALL -1 Fire for all filesystem operations.

Notification Events will fire for all filesystem operations.

Filesystem Filter Modes

FS_FILTER_MODE_LEGACY 0 Use legacy filesystem filter mode.

Note: Legacy mode is obsolete; support for it is deprecated, and will be removed in a future product update. Please refer to the Minifilter and Legacy Modes topic for more information.

FS_FILTER_MODE_MINIFILTER 1 Use filesystem minifilter mode.

Filesystem Reparse Flags

FS_REPARSE_CHANGE_PATH 0 Perform redirection by modifying the path directly using the CBFilter system driver.

FS_REPARSE_USE_REPARSE_POINT 1 Perform redirection by having the CBFilter system driver emulate real reparse point behavior.

This option will cause the driver to report that a file or directory's parent directory is a reparse point of the SYMLINK variety. Redirection performed in this manner is more consistent with Windows' own behavior; however, some software may fail to correctly handle paths that cross such symbolic links.

Filesystem Request Directions

FS_REQUEST_DIR_USER_NONCACHED 0 Operations performed in the 'user mode application <--> filesystem' direction.
FS_REQUEST_DIR_USER_CACHED 1 Operations performed in the 'user mode application <--> system cache' direction.
FS_REQUEST_DIR_SYSTEM_NONCACHED 2 Operations performed in the 'system cache <--> filesystem' direction.
FS_REQUEST_DIR_SYSTEM_CACHED 3 Operations performed in the 'system component <--> system cache' direction.

Filesystem Volume Mount Events

FS_MOUNT_IGNORE 0 Don't fire any events when volumes are mounted or unmounted.

FS_MOUNT_NOTIFY 64 Fire Notification Events when volumes are mount or unmounted.

The NotifyFilterAttachToVolume and NotifyFilterDetachFromVolume events will fire, asynchronously, as necessary.

FS_MOUNT_CONTROL 128 Fire Control Events when volumes are mounted or unmounted.

The BeforeFilterAttachToVolume, AfterFilterAttachToVolume, and AfterFilterDetachFromVolume events will fire, synchronously, as necessary.

FS_MOUNT_BOTH 192 Fire all events when volumes are mounted or unmounted.

File Flushing Behavior Flags

FS_FLUSH_FILES_ON_OPEN 1 Whether memory-mapped file data should be flushed to disk before files are opened.

This flag indicates that the class's system driver should flush any cached and memory-mapped file data, leftover from the last time a file was opened, prior to opening it again. Doing so ensures that file data is read directly from the disk rather than from the old memory mapping.

Applications that modify file data as it is being read may need to set this flag in order to function correctly. For example, applications that provide on-the-fly encryption should set this flag to ensure that file data is always read from the disk (and thus has a chance to get decrypted) when a file is opened.

Applications that do not modify file data as it is being read should leave this flag unset in order to maintain optimal performance when opening files.

FS_FLUSH_FILES_ON_CLOSE 2 Whether file buffers must be flushed when files are closed.

This flag indicates that the class's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) when they are closed.

Applications that modify file data as it is being written may need to set this flag in order to function correctly. For example, applications that provide on-the-fly encryption should set this flag to ensure that all file data is flushed to the disk (and thus has a chance to get encrypted) when a file is closed.

Applications that do not modify file data as it is being written can unset this flag.

After a file is flushed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information.

FS_CLOSE_FILES_ON_STOPFILTER 4 Whether files opened for writing must be closed when the application stops filtering.

This flag indicates that the class's system driver should close files that are opened for writing (and have had data written to them) when the application calls StopFilter.

Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag in order to prevent further operations against the file data from being performed. Applications that do not modify file data as it is being written can leave this flag unset.

Note that if memory mappings of some file exist, these mappings will remain active; only the open handles to such files are closed.

When the file is closed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information. Applications can control whether file data is flushed before files are closed using the FS_FLUSH_FILES_ON_STOPFILTER flag; any data that is not flushed gets discarded.

FS_FLUSH_FILES_ON_STOPFILTER 8 Whether file buffers must be flushed when the application stops filtering.

This flag indicates that the class's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) when the application calls StopFilter.

Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag to ensure that no unprotected data is kept in memory, but rather has a chance to be encrypted and written out to disk. Applications that do not modify file data as it is being written can leave this flag unset.

If the application will not be able to perform on-the-fly data modification at the moment when StopFilter is called (e.g., because a cryptographic hardware module is unplugged), then this flag should be unset before calling StopFilter.

After a file is flushed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information.

FS_CLOSE_FILES_ON_CRASH 16 Whether files opened for writing must be closed if the application terminates unexpectedly.

This flag indicates that the class's system driver should close files that are opened for writing (and have had data written to them) if the driver detects that the application has terminated.

Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag in order to prevent further operations against the file data from being performed. Applications that do not modify file data as it is being written can leave this flag unset.

Note that if memory mappings of some file exist, these mappings will remain active; only the open handles to such files are closed.

When the file is closed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information.

FS_FLUSH_FILES_ON_CRASH 32 Whether file buffers must be flushed if the application terminates unexpectedly.

This flag indicates that the class's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) if the driver detects that the application has terminated.

Applications that do not modify data as it is being written may set this flag if necessary. Applications that modify data as it is being written (e.g., on-the-fly encryption) should not set this flag, since such flushing could cause unprotected data to be written out to disk.

FS_SUPPORT_FILE_ENCRYPTION 31 Combination of flags suitable for on-the-fly file encryption applications.

This option includes the following flags: FS_FLUSH_FILES_ON_OPEN, FS_FLUSH_FILES_ON_CLOSE, FS_CLOSE_FILES_ON_STOPFILTER, FS_FLUSH_FILES_ON_STOPFILTER, and FS_CLOSE_FILES_ON_CRASH flags.

Registry Control Event Flags

REG_CE_NONE 0 Don't fire for any registry operations.

Control Events will not fire for any registry operations.

REG_CE_BEFORE_CREATE_KEY 0x00000001L Fire before registry key creation operations.

The BeforeCreateKey event will fire anytime the OS attempts to create a registry key.

REG_CE_AFTER_CREATE_KEY 0x00000002L Fire after registry key creation operations.

The AfterCreateKey event will fire after a registry key creation request has been processed, before the response is returned.

REG_CE_BEFORE_OPEN_KEY 0x00000004L Fire before registry key open operations.

The BeforeOpenKey event will fire anytime the OS attempts to open a registry key.

REG_CE_AFTER_OPEN_KEY 0x00000008L Fire after registry key open operations.

The AfterOpenKey event will fire after a registry key open request has been processed, before the response is returned.

REG_CE_BEFORE_CLOSE_KEY 0x00000010L Fire before registry key close operations.

The BeforeCloseKey event will fire anytime the OS closes a registry key.

REG_CE_AFTER_CLOSE_KEY 0x00000020L Fire after registry key close operations.

The AfterCloseKey event will fire after a registry key close request has been processed, before the response is returned.

REG_CE_BEFORE_DELETE_KEY 0x00000040L Fire before registry key delete operations.

The BeforeDeleteKey event will fire anytime the OS attempts to delete a registry key.

REG_CE_AFTER_DELETE_KEY 0x00000080L Fire after registry key delete operations.

The AfterDeleteKey event will fire after a registry key delete request has been processed, before the response is returned.

REG_CE_BEFORE_RENAME_KEY 0x00000100L Fire before registry key rename operations.

The BeforeRenameKey event will fire anytime the OS attempts to rename a registry key.

REG_CE_AFTER_RENAME_KEY 0x00000200L Fire after registry key rename operations.

The AfterRenameKey event will fire after a registry key rename request has been processed, before the response is returned.

REG_CE_BEFORE_ENUM_KEY 0x00000400L Fire before subkey enumeration operations.

The BeforeEnumerateKey event will fire anytime the OS attempts to enumerate a registry key's subkeys.

REG_CE_AFTER_ENUM_KEY 0x00000800L Fire after subkey enumeration operations.

The AfterEnumerateKey event will fire after a subkey enumeration request has been processed, before the response is returned.

REG_CE_BEFORE_QUERY_KEY 0x00001000L Fire before registry key metadata retrieval operations.

The BeforeQueryKey event will fire anytime the OS attempts to retrieve a registry key's metadata.

REG_CE_AFTER_QUERY_KEY 0x00002000L Fire after registry key metadata retrieval operations.

The AfterQueryKey event will fire after a registry key metadata retrieval request has been processed, before the response is returned.

REG_CE_BEFORE_SET_KEY 0x00004000L Fire before registry key metadata update operations.

The BeforeSetKey event will fire anytime the OS attempts to a registry key's metadata.

REG_CE_AFTER_SET_KEY 0x00008000L Fire after registry key metadata update operations.

The AfterSetKey event will fire after a registry key metadata update request has been processed, before the response is returned.

REG_CE_BEFORE_DELETE_VALUE 0x00010000L Fire before registry value delete operations.

The BeforeDeleteValue event will fire anytime the OS attempts to delete a registry value.

REG_CE_AFTER_DELETE_VALUE 0x00020000L Fire after registry value delete operations.

The AfterDeleteValue event will fire after a registry value delete request has been processed, before the response is returned.

REG_CE_BEFORE_ENUM_VALUE 0x00040000L Fire before value enumeration operations.

The BeforeEnumerateValue event will fire anytime the OS attempts to enumerate a registry key's values.

REG_CE_AFTER_ENUM_VALUE 0x00080000L Fire after value enumeration operations.

The AfterEnumerateValue event will fire after a value enumeration request has been processed, before the response is returned.

REG_CE_BEFORE_QUERY_VALUE 0x00100000L Fire before registry value query operations.

The BeforeQueryValue event will fire anytime the OS attempts to query a registry value.

REG_CE_AFTER_QUERY_VALUE 0x00200000L Fire after registry value query operations.

The AfterQueryValue event will fire after a registry value query request has been processed, before the response is returned.

REG_CE_BEFORE_SET_VALUE 0x00400000L Fire before registry value set/update operations.

The BeforeSetValue event will fire anytime the OS attempts to set or update a registry value.

REG_CE_AFTER_SET_VALUE 0x00800000L Fire after registry value set/update operations.

The AfterSetValue event will fire after a registry value set or update request has been processed, before the response is returned.

REG_CE_ALL -1 Fire for all registry operations.

Control Events will fire for all registry operations.

Registry Key Fields

REG_KEYFIELD_LASTWRITETIME 1 A registry key's last write time.

REG_KEYFIELD_NAME 2 A registry key's name.

REG_KEYFIELD_MAXNAMELENGTH 4 A registry key's longest subkey name.

REG_KEYFIELD_CLASSNAME 8 A registry key's class name.

REG_KEYFIELD_MAXCLASSNAMELENGTH 16 A registry key's longest subkey class name.

REG_KEYFIELD_SUBKEYS 32 The number of subkeys a registry key has.

REG_KEYFIELD_VALUES 64 The number of values a registry key has.

REG_KEYFIELD_MAXVALUENAMELENGTH 128 A registry key's longest value name.

REG_KEYFIELD_MAXVALUEDATASIZE 256 A registry key's largest value data size.

REG_KEYFIELD_VIRTUALIZATIONINFO 512 A registry key's virtualization information.

Registry Value Fields

REG_VALUEFIELD_TYPE 1 A registry value's type.

REG_VALUEFIELD_NAME 2 A registry value's name.

REG_VALUEFIELD_DATA 4 A registry value's data.

Registry Value Types

REG_VALUETYPE_SZ 1 A unicode string.

REG_VALUETYPE_EXPAND_SZ 2 A unicode string that contains environmental variable references.

REG_VALUETYPE_BINARY 3 Binary data.

REG_VALUETYPE_DWORD 4 A 32-bit number.

REG_VALUETYPE_MULTI_SZ 7 Multiple unicode strings.

REG_VALUETYPE_QWORD 11 A 64-bit number.

Install Flags

INSTALL_REMOVE_OLD_VERSIONS 0x00000001 Uninstall drivers from previous component versions (e.g., 2017).

INSTALL_KEEP_START_TYPE 0x00000002 Keep the driver's current start type setting in the registry.

If this flag is not set (default), the installation logic will reset the driver's start type setting in the Windows registry to the default value. Setting this flag causes the installation logic to preserve the current value, which may be necessary if the user (or the application itself) set it previously.

INSTALL_REQUESTS_VIA_DRIVER_STACK 0x00000004 Whether internal requests to the filesystem are sent directly to the filesystem driver or through the stack of filesystem filter drivers.

This flag is only applicable for CBFilter and CBMonitor.

After installation, the effects of this flag can be changed using the SendRequestsViaDriverStack configuration setting.

INSTALL_ALWAYS_PREPARE_FILES 0x00010000 Whether the driver should keep track of information for files that are already open when (i.e., were opened before) the component is initialized.

This flag is only applicable for CBFilter and CBMonitor.

If this flag is set, the driver will prepare information about each file as it is opened, regardless of whether a CBFilter/CBMonitor-based application is actually running at the time. This information then allows applications to receive events for any files that are already open when the CBFilter/CBMonitor class is initialized. Please note that these preparations will slow down all file open operations; don't enable this feature unless it's actually necessary.

After installation, the effects of this flag can be changed using the AlwaysPrepareFiles configuration setting.

INSTALL_FORCE_APP_PERMISSION_CHECK 0x00020000 Whether the driver should require the controller process to have elevated or system privileges.

This flag is only applicable for CBFilter and CBMonitor.

If this flag is set, the driver will verify that the controller process is a system service (or is executing with elevated privileges) anytime a file is opened. If the controller process does not meet these requirements, the file will be skipped (i.e., not filtered in any way). Please note that this additional verification will slow down all file open operations.

After installation, the effects of this flag can be changed using the ForceAppPermissionCheck configuration setting.

INSTALL_FORCE_SECURITY_CHECKS 0x00040000 Whether the driver should prevent the controller process from filtering files that it would not normally have access to.

This flag is only applicable for CBFilter and CBMonitor.

If this flag is set, the driver will check the security permissions of the controller process anytime a file is opened in order to verify that the process itself has access to the file. If the controller process does not have access to the file, the file will be skipped (i.e., not filtered in any way). For example, if this flag is set and the controller process is running with limited privileges, then the driver will not allow it to filter files that require greater privileges to access. Please note that this additional verification will slow down all file open operations.

After installation, the effects of this flag can be changed using the ForceSecurityChecks configuration setting.

Uninstall Version Flags

UNINSTALL_VERSION_PREVIOUS 0x00000001 Uninstall modules from previous product versions.

UNINSTALL_VERSION_CURRENT 0x00000002 Uninstall modules from the current product version.

UNINSTALL_VERSION_ALL 0x00000003 Uninstall modules from all product versions.

Module Status Flags

MODULE_STATUS_NOT_PRESENT 0x00000000 The specified module is not present on the system.

MODULE_STATUS_STOPPED 0x00000001 The specified module is in the Stopped state.

MODULE_STATUS_RUNNING 0x00000004 The specified module is loaded and running.

File Attributes

FILE_SYS_ATTR_READ_ONLY 0x00000001 The file is read-only.

Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories.

FILE_SYS_ATTR_HIDDEN 0x00000002 The file or directory is hidden.

It is not included in an ordinary directory listing.

FILE_SYS_ATTR_SYSTEM 0x00000004 A file or directory that the operating system uses a part of, or uses exclusively.

FILE_SYS_ATTR_DIRECTORY 0x00000010 The entry is a directory.

FILE_SYS_ATTR_ARCHIVE 0x00000020 The entry is an archive file or directory.

Applications typically use this attribute to mark files for backup or removal.

FILE_SYS_ATTR_NORMAL 0x00000080 A file doesn't have other attributes set.

This attribute is only valid when used alone.

FILE_SYS_ATTR_TEMPORARY 0x00000100 A file that is being used for temporary storage.

File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data is written after the handle is closed.

FILE_SYS_ATTR_SPARSE_FILE 0x00000200 A file that is a sparse file.

FILE_SYS_ATTR_REPARSE_POINT 0x00000400 A file that is a reparse point or a symbolic link.

FILE_SYS_ATTR_COMPRESSED 0x00000800 A file or directory that is compressed.

For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.

FILE_SYS_ATTR_OFFLINE 0x00001000 The data of a file is not available immediately.

This attribute indicates that the file data is physically moved to offline storage.

FILE_SYS_ATTR_NOT_CONTENT_INDEXED 0x00002000 The file or directory is not to be indexed by the content indexing service.

FILE_SYS_ATTR_ENCRYPTED 0x00004000 A file or directory that is encrypted.

For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
Note: This flag is used by NTFS and the OS sends undocumented requests to the filesystem based on this flag. The flag should not be used for files in custom filesystem implementations.

FILE_SYS_ATTR_VIRTUAL 0x00010000 Reserved.

Note: This flag is reserved by the OS and should not be used for files in custom filesystem implementations.

FILE_SYS_ATTR_RECALL_ON_OPEN 0x00040000 The file or directory has no physical representation on the local system; the item is virtual.

Opening the item will be more expensive than normal, e.g. it will cause at least some of it to be fetched from a remote store. This flag is reported by filesystems during directory enumerations.

File Desired Access Flags

DESIRED_ACCESS_FILE_LIST_DIRECTORY 0x00000001 For a directory, the right to list the contents of the directory.

DESIRED_ACCESS_FILE_READ_DATA 0x00000001 For a file object, the right to read the corresponding file data.

For a directory object, the right to read the corresponding directory data.

DESIRED_ACCESS_FILE_ADD_FILE 0x00000002 For a directory, the right to create a file in the directory.

DESIRED_ACCESS_FILE_WRITE_DATA 0x00000002 For a file object, the right to write data to the file.

For a directory object, the right to create a file in the directory

DESIRED_ACCESS_FILE_ADD_SUBDIRECTORY 0x00000004 For a directory, the right to create a subdirectory.

DESIRED_ACCESS_FILE_APPEND_DATA 0x00000004 For a file object, the right to append data to the file.

(For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).

DESIRED_ACCESS_FILE_READ_EA 0x00000008 The right to read extended file attributes.

DESIRED_ACCESS_FILE_WRITE_EA 0x00000010 The right to write extended file attributes.

DESIRED_ACCESS_FILE_EXECUTE 0x00000020 For a native code file, the right to execute the file.

This access right given to scripts may cause the script to be executable, depending on the script interpreter.

DESIRED_ACCESS_FILE_DELETE_CHILD 0x00000040 For a directory, the right to delete a directory and all the files it contains, including read-only files.

DESIRED_ACCESS_FILE_READ_ATTRIBUTES 0x00000080 The right to read file attributes.

DESIRED_ACCESS_FILE_WRITE_ATTRIBUTES 0x00000100 The right to write file attributes.

DESIRED_ACCESS_READ_CONTROL 0x00020000 The right to read the information in the file or directory object's security descriptor.

This does not include the information in the SACL.

DESIRED_ACCESS_STANDARD_RIGHTS_READ 0x00020000 Includes READ_CONTROL, which is the right to read the information in the file or directory object's security descriptor.

This does not include the information in the SACL.

DESIRED_ACCESS_STANDARD_RIGHTS_WRITE 0x00020000 Same as STANDARD_RIGHTS_READ

DESIRED_ACCESS_STANDARD_RIGHTS_EXECUTE 0x00020000 Same as STANDARD_RIGHTS_READ

DESIRED_ACCESS_SYNCHRONIZE 0x00100000 The right to use the object for synchronization.

This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.

DESIRED_ACCESS_FILE_ALL_ACCESS 0x001F01FF All possible access rights for a file.

DESIRED_ACCESS_FILE_GENERIC_READ 0x00120089 A combinarion of flags that allow reading of the file.

Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.

DESIRED_ACCESS_FILE_GENERIC_WRITE 0x00120116 A combinarion of flags that allow modifications to the file.

Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.

DESIRED_ACCESS_FILE_GENERIC_EXECUTE 0x001200A0 A combinarion of flags that allow execution of the file.

Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.

Creation Disposition flags

FILE_DISPOSITION_CREATE_NEW 0x00000001 Creates a new file, only if it does not already exist.

If the specified file exists, the operation fails with an "already exists" error.

FILE_DISPOSITION_CREATE_ALWAYS 0x00000002 Creates a new file, always.

If the specified file exists and is writable, the system overwrites the file. If the specified file does not exist and is a valid path, a new file is created.

FILE_DISPOSITION_OPEN_EXISTING 0x00000003 Opens a file, only if it exists

If the specified file does not exist, opening fails.

FILE_DISPOSITION_OPEN_ALWAYS 0x00000004 Opens a file, always.

If the specified file exists, the operation succeeds. If the specified file does not exist and is a valid path to a writable location, the a file is created.

FILE_DISPOSITION_TRUNCATE_EXISTING 0x00000005 Opens a file and truncates it so that its size is zero bytes, only if it exists.

If the specified file does not exist, the operation fails with a "file not found" error.

Share Modes

FILE_SYS_SHARE_READ 0x00000001 Enables subsequent open operations on a file to request read access.

Otherwise, other processes cannot open the file if they request read access. If this flag is not specified, but the file has been opened for read access, file creation or opening fails.

FILE_SYS_SHARE_WRITE 0x00000002 Enables subsequent open operations on a file to request write access.

Otherwise, other processes cannot open the file if they request write access. If this flag is not specified, but the file has been opened for write access or has a file mapping with write access, file creation or opening fails.

FILE_SYS_SHARE_DELETE 0x00000004 Enables subsequent open operations on a file to request delete access.

Otherwise, other processes cannot open the file if they request delete access. If this flag is not specified, but the file has been opened for delete access, the function fails.
Note: Delete access allows both delete and rename operations.

Copyright (c) 2022 Callback Technologies, Inc. - All rights reserved.
CBFS Filter 2020 C++ Edition - Version 20.0 [Build 8317]