CBFilter Class
The CBFilter class allows applications to intercept and control filesystem requests.
Syntax
cbfsfilter.Cbfilter
Remarks
The CBFilter class gives applications the ability to intercept filesystem requests, allowing them to be altered, handled, blocked, etc. Applications use standard filter rules to specify which requests they're interested in intercepting, and special filter rules to enforce access restrictions and redirect requests to different files.
To learn more about the class's capabilities, please refer to the product's General Information topics.
Getting Started
- If the class's system driver hasn't been installed yet, call the Install method to do so. This only needs to be done once.
  - In production, the driver can be installed (or updated) ahead-of-time by the application's installation script using the Installer DLL. Please refer to the Driver Installation topic for more information.
- Call the Initialize method to initialize the CBFilter class. This must be done each time the application starts.
- Add one or more filter rules using methods like AddFilterRule. (Rules can also be added/removed after the filter is started.)
- Call the StartFilter method to start filtering filesystem requests.
- When finished, call the StopFilter method to stop filtering filesystem requests.
- To uninstall the class's system driver, call the Uninstall method. This should not be done as part of the driver upgrade process.
  - In production, the driver can be uninstalled by the application's uninstallation script using the Installer DLL. Please refer to the Driver Installation topic for more information.
Property List
The following is the full list of the properties of the class with short descriptions.
Active | Whether the class is active and processing requests. |
Altitude | The altitude the class's system driver should use when operating in minifilter mode. |
DefaultRules | Collection of default rules. |
FileFlushingBehavior | The file flushing and closing behavior that the class's system driver should enforce. |
FilterMode | The filter mode the class's system driver should use. |
FilterRules | Collection of filter rules. |
FireVolumeEvents | The events that should be fired when a filesystem volume is mounted to or unmounted from the system. |
PassthroughRules | Collection of passthrough rules. |
ProcessCachedIORequests | Whether cached file read/write requests should be processed. |
ProcessFailedRequests | Whether failed requests should be processed. |
ReparseRules | Collection of reparse rules. |
SerializeEvents | Whether events should be fired on a single worker thread, or many. |
Tag | Stores application-defined data specific to this instance of the class. |
Method List
The following is the full list of the methods of the class with short descriptions.
AddBytesToWriteBuffer | Reserves extra space in the file data buffers used in file read/write events. |
AddDefaultRule | Adds a default rule. |
AddFilterRule | Adds a standard filter rule or access rule. |
AddFilterRuleEx | Adds a standard filter rule or access rule with additional match qualifiers. |
AddPassthroughRule | Adds a passthrough rule. |
AddPassthroughRuleEx | Adds a passthrough rule with additional match qualifiers. |
AddReparseRule | Adds a reparse rule. |
CloseDefaultRulesSnapshot | Closes the previously-created default rules snapshot. |
CloseReparseRulesSnapshot | Closes the previously-created reparse rules snapshot. |
Config | Sets or retrieves a configuration setting. |
CreateDefaultRulesSnapshot | Creates a snapshot of information about the default rules that have been added. |
CreateFileDirect | Creates or opens a file or directory by passing the request directly to the filesystem. |
CreateFileDirectAsStream | Creates or opens a file by passing the request directly to the filesystem. |
CreateReparseRulesSnapshot | Creates a snapshot of information about the reparse rules that have been added. |
CreateVirtualFile | This method is under construction. |
DeleteAllFilterRules | Deletes all standard filter rules and access rules. |
DeleteAllPassthroughRules | Deletes all passthrough rules. |
DeleteAllReparseRules | Deletes all reparse rules. |
DeleteDefaultRule | Deletes a particular default rule. |
DeleteFilterRule | Deletes a particular standard filter rule or access rule. |
DeletePassthroughRule | Deletes a particular passthrough rule. |
DeleteReparseRule | Deletes a particular reparse rule. |
FileMatchesMask | Checks whether a particular file or directory name matches the specified mask. |
FlushNotificationQueue | Flushes the notification event queue. |
GetDriverStatus | Retrieves the status of the class's system driver. |
GetDriverVersion | Retrieves the version of the class's system driver. |
GetHandleCreatorProcessId | Retrieves the Id of the process (PID) that opened the file handle. |
GetHandleCreatorProcessName | Retrieves the name of the process that opened the file handle. |
GetHandleCreatorThreadId | Retrieves the Id of the thread that opened the file handle. |
GetHandleCreatorToken | Retrieves the security token associated with the process that opened the file handle. |
GetOriginatorProcessId | Retrieves the Id of the process (PID) that initiated the operation. |
GetOriginatorProcessName | Retrieves the name of the process that initiated the operation. |
GetOriginatorThreadId | Retrieves the Id of the thread that initiated the operation. |
GetOriginatorToken | Retrieves the security token associated with the process that initiated the operation. |
GetReparseRuleByMask | Retrieves the reparse rule associated with the specified file mask. |
GetVolumeGUID | Retrieves the volume GUID of the device targeted by a filesystem operation. |
Initialize | Initializes the class. |
Install | Installs (or upgrades) the class's system driver. |
IsFileFiltered | Checks whether a particular file or directory is covered by any filter rules. |
NtStatusToWin32Error | Converts a native status code to a Win32 error code. |
ResetTimeout | Resets the timeout duration for the current event handler. |
SetFileSizeDirect | Resizes a file by passing the request directly to the filesystem. |
ShutdownSystem | Shuts down or reboots the operating system. |
StartFilter | Starts filtering filesystem operations. |
StopFilter | Stops filtering filesystem operations. |
SuspendDefaultRules | Suspends all default rules until the application exits. |
SuspendFileEvents | Suspends all events for a particular file or directory until all of its handles have been closed. |
ToggleProcessProtection | Enables or disables termination protection for the application. |
Uninstall | Uninstalls the class's system driver. |
Event List
The following is the full list of the events fired by the class with short descriptions.
AfterCanFileBeDeleted | Fires after the OS marks a file or directory for deletion or removes such a mark. |
AfterCleanupFile | Fires after a file or directory handle is closed. |
AfterCloseEnumeration | Fires after a directory enumeration operation finishes. |
AfterCloseFile | Fires after a file or directory is closed. |
AfterCreateFile | Fires after a file or directory is created. |
AfterCreateHardLink | Fires after a hard link is created. |
AfterDeleteFile | Fires after a file or directory is deleted. |
AfterEnumerateDirectory | Fires after a directory entry is returned during directory enumeration. |
AfterFilterAttachToVolume | Fires after the filter attaches to a newly-mounted filesystem volume. |
AfterFilterDetachFromVolume | Fires after the filter detaches from a filesystem volume. |
AfterFsctl | Fires after an IRP_MJ_FILE_SYSTEM_CONTROL request is processed. |
AfterGetFileSecurity | Fires after a file or directory's security attributes are retrieved. |
AfterGetFileSizes | Fires after a file's size information is retrieved. |
AfterIoctl | Fires after an IRP_MJ_DEVICE_CONTROL request is processed. |
AfterLock | Fires after a range of bytes in a file is locked. |
AfterOpenFile | Fires after a file or directory is opened. |
AfterQueryFileInfo | Fires after information about a file or directory is retrieved. |
AfterReadFile | Fires after data is read from a file. |
AfterRenameOrMoveFile | Fires after a file or directory is renamed or moved. |
AfterSetAllocationSize | Fires after a file's allocation size is changed. |
AfterSetFileAttributes | Fires after a file or directory's attributes and/or times are changed. |
AfterSetFileInfo | Fires after information about a file or directory is changed. |
AfterSetFileSecurity | Fires after a file or directory's security attributes are changed. |
AfterSetFileSize | Fires after a file is resized. |
AfterUnlockAll | Fires after all locked byte ranges in a file are unlocked. |
AfterUnlockAllByKey | Fires after all locked byte ranges in a file, associated with a particular key, are unlocked. |
AfterUnlockSingle | Fires after a particular locked byte range in a file is unlocked. |
AfterWriteFile | Fires after data is written to a file. |
BeforeCanFileBeDeleted | Fires before the OS attempts to mark a file or directory for deletion or remove such a mark. |
BeforeCleanupFile | Fires before a file or directory handle is closed. |
BeforeCloseFile | Fires before a file or directory is closed. |
BeforeCreateFile | Fires before a file or directory is created. |
BeforeCreateHardLink | Fires before a hard link is created. |
BeforeDeleteFile | Fires before a file or directory is deleted. |
BeforeFilterAttachToVolume | Fires before the filter attaches to a newly-mounted filesystem volume. |
BeforeFsctl | Fires before an IRP_MJ_FILE_SYSTEM_CONTROL request is processed. |
BeforeGetFileSecurity | Fires before a file or directory's security attributes are retrieved. |
BeforeIoctl | Fires before an IRP_MJ_DEVICE_CONTROL request is processed. |
BeforeLock | Fires before a range of bytes in a file is locked. |
BeforeOpenFile | Fires before a file or directory is opened. |
BeforeQueryFileInfo | Fires before information about a file or directory is retrieved. |
BeforeReadFile | Fires before data is read from a file. |
BeforeRenameOrMoveFile | Fires before a file or directory is renamed or moved. |
BeforeSetAllocationSize | Fires before a file's allocation size is changed. |
BeforeSetFileAttributes | Fires before a file or directory's attributes and/or times are changed. |
BeforeSetFileInfo | Fires before information about a file or directory is changed. |
BeforeSetFileSecurity | Fires before a file or directory's security attributes are changed. |
BeforeSetFileSize | Fires before a file is resized. |
BeforeUnlockAll | Fires before all locked byte ranges in a file are unlocked. |
BeforeUnlockAllByKey | Fires before all locked byte ranges in a file, associated with a particular key, are unlocked. |
BeforeUnlockSingle | Fires before a particular locked byte range in a file is unlocked. |
BeforeWriteFile | Fires before data is written to a file. |
CleanupContext | Fires when the application-defined data stored in one or more contexts needs to be cleaned up. |
DeleteVirtualFile | Fires when a virtual file needs to be deleted. |
Error | Fires if an unhandled error occurs during an event. |
FilterStart | Fires once the filter has attached and filtering has started. |
FilterStop | Fires once filtering has stopped and the filter has detached. |
NotifyCanFileBeDeleted | Fires when the OS marks a file or directory for deletion or removes such a mark. |
NotifyCleanupFile | Fires when a file or directory handle has been closed. |
NotifyCloseFile | Fires when a file or directory has been closed. |
NotifyCreateFile | Fires when a file or directory has been created. |
NotifyCreateHardLink | Fires when a hard link has been created. |
NotifyDeleteFile | Fires when a file or directory has been deleted. |
NotifyEnumerateDirectory | Fires when a directory entry has been returned during directory enumeration. |
NotifyFilterAttachToVolume | Fires when the filter has been attached to a newly-mounted filesystem volume. |
NotifyFilterDetachFromVolume | Fires when the filter has been detached from a filesystem volume. |
NotifyFsctl | Fires when an IRP_MJ_FILE_SYSTEM_CONTROL operation has occurred. |
NotifyGetFileSecurity | Fires when a file or directory's security attributes have been retrieved. |
NotifyGetFileSizes | Fires when a file's size information has been retrieved. |
NotifyIoctl | Fires when an IRP_MJ_DEVICE_CONTROL operation has occurred. |
NotifyLock | Fires when a range of bytes in a file has been locked. |
NotifyOpenFile | Fires when a file or directory has been opened. |
NotifyQueryFileInfo | Fires when information about a file or directory has been retrieved. |
NotifyReadFile | Fires when data has been read from a file. |
NotifyRenameOrMoveFile | Fires when a file or directory has been renamed or moved. |
NotifySetAllocationSize | Fires when a file's allocation size has been changed. |
NotifySetFileAttributes | Fires when a file or directory's attributes and/or times have been changed. |
NotifySetFileInfo | Fires when information about a file or directory has been changed. |
NotifySetFileSecurity | Fires when a file or directory's security attributes have been changed. |
NotifySetFileSize | Fires when a file has been resized. |
NotifyUnlockAll | Fires when all locked byte ranges in a file have been unlocked. |
NotifyUnlockAllByKey | Fires when all locked byte ranges in a file, associated with a particular key, have been unlocked. |
NotifyUnlockSingle | Fires when a particular locked byte range in a file has been unlocked. |
NotifyWriteFile | Fires when data has been written to a file. |
ReparseFileName | Fires to allow file access to be dynamically redirected to another location. |
ReparseWithTag | Fires if an open operation returns STATUS_REPARSE so that the application can respond to the reparse point. |
WorkerThreadCreation | Fires just after a new worker thread is created. |
WorkerThreadTermination | Fires just before a worker thread is terminated. |
Configuration Settings
The following is a list of configuration settings for the class with short descriptions.
AllowFileAccessInBeforeOpen | Whether file access, via the CreateFileDirect method, is allowed during the BeforeCreateFile and BeforeOpenFile events. |
AlwaysPrepareFiles | Whether the driver should keep track of information for files that are already open when (i.e., were opened before) the class is initialized. |
CacheRemoteFilesLocally | Whether remote files involved in filtered operations should be cached locally rather than remotely. |
DirectRequestsDownTheStack | Whether requests for handles created with the CreateFileDirect method go down the filter stack and not direct to the filesystem. |
FilterOwnRequests | Whether the class's system driver should filter requests made by the application itself. |
ForceAdminRightsForDefaultRules | Specifies whether default rules can be added or deleted only by administrators. |
ForceAppPermissionCheck | Whether the driver should require the controller process to have elevated or system privileges. |
ForceSecurityChecks | Whether the driver should prevent the controller process from filtering files that it would not normally have access to. |
LoggingEnabled | Whether extended logging is enabled. |
MaxWorkerThreadCount | The maximum number of worker threads to use to fire events. |
MinWorkerThreadCount | The minimum number of worker threads to use to fire events. |
ModifiableReadWriteBuffers | Whether the driver should duplicate read/write buffers sent to the user. |
PreprocessedRulesCacheSize | Maximum number of preprocessed rules to keep cached. |
ResolveNtDeviceToDriveLetter | Whether native device names are translated to drive letters. |
SendRequestsViaDriverStack | Whether internal requests to the filesystem are sent directly to the filesystem driver or through the stack of filesystem filter drivers. |
WorkerInitialStackSize | The initial stack size to create worker threads with. |
BuildInfo | Information about the product's build. |
LicenseInfo | Information about the current license. |