AddFilterRule Method
Adds a standard filter rule or access rule.
Syntax
public boolean addFilterRule(String mask, int accessFlags, long controlFlags, long notifyFlags);
Remarks
This method adds a standard filter rule and/or access rule for the files and directories that match the specified Mask. Each rule in a ruleset is uniquely identified by its mask; if a rule with the specified mask already exists, the new rule's parameters are merged into it.
If the rule is added successfully, this method returns true; otherwise, it returns false.
Standard filter rules determine which filesystem operations, of those performed on matching files and directories, the class should fire its events for. Access rules instruct the class's system driver to apply certain access restrictions to matching files and directories.
The Mask parameter must be a valid file mask according to the File Masks topic. Only the files and directories which match the specified mask will be covered by the rule.
The AccessFlags parameter specifies which access restrictions the class's system driver should apply to matching files and directories. The value passed for this parameter should be constructed by OR'ing together zero or more of the following flags:
ACCESS_NONE | 0x00 | No access restrictions. |
ACCESS_READ_ONLY | 0x01 | Read-only access; writing and deleting is prohibited. |
ACCESS_WRITE_ONLY | 0x02 | Write-only access; reading and deleting is prohibited. |
ACCESS_DELETE_PROTECT | 0x04 | Deletion and renaming is prohibited. |
ACCESS_EXECUTE_PROTECT | 0x08 | Execution is prohibited. |
ACCESS_NO_CHANGE_DAC | 0x10 | Change of security attributes is prohibited. |
ACCESS_NO_CHANGE_OWNER | 0x20 | Change of owner is prohibited. |
ACCESS_RENAME_PROTECT | 0x40 | Renaming is prohibited. |
ACCESS_DELETE_ONLY_PROTECT | 0x80 | Deletion is prohibited (renaming is not affected). |
ACCESS_REMOTE_ACCESS_PROTECT | 0x100 | Access from other systems is prohibited. |
ACCESS_DENY_ALL | 0x200 | All access is denied. |
ACCESS_ALL_FLAGS | -1 | Used to denote all currently set access restriction flags. |
The ControlFlags parameter specifies which filesystem operations the class should fire Control Events for. For example, if the FS_CE_BEFORE_READ and FS_CE_AFTER_READ flags are present, the BeforeReadFile and AfterReadFile events will fire before and after a read operation is performed on any file that matches Mask. The value passed for this parameter should be constructed by OR'ing together zero or more of the following flags:
FS_CE_NONE | 0 | Don't fire for any filesystem operations.
Control Events will not fire for any filesystem operations. |
FS_CE_BEFORE_CREATE | 0x000000000001L | Fire before file creation operations.
The BeforeCreateFile event will fire anytime the OS attempts to create a file or directory. In some cases, can cause the BeforeOpenFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_CE_AFTER_CREATE | 0x000000000002L | Fire after file creation operations.
The AfterCreateFile event will fire after a file or directory creation request has been processed, before the response is returned. In some cases, can cause the AfterOpenFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_CE_BEFORE_OPEN | 0x000000000004L | Fire before file open operations.
The BeforeOpenFile event will fire anytime the OS attempts to open a file or directory. In some cases, can cause the BeforeCreateFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_CE_AFTER_OPEN | 0x000000000008L | Fire after file open operations.
The AfterOpenFile event will fire after a file or directory open request has been processed, before the response is returned. In some cases, can cause the AfterCreateFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_CE_BEFORE_READ | 0x000000000010L | Fire before read operations.
The BeforeReadFile event will fire anytime the OS attempts to read data from a file. |
FS_CE_AFTER_READ | 0x000000000020L | Fire after read operations.
The AfterReadFile event will fire after a read request has been processed, before the response is returned. |
FS_CE_BEFORE_WRITE | 0x000000000040L | Fire before write operations.
The BeforeWriteFile event will fire anytime the OS attempts to write data to a file. |
FS_CE_AFTER_WRITE | 0x000000000080L | Fire after write operations.
The AfterReadFile event will fire after a write request has been processed, before the response is returned. |
FS_CE_BEFORE_LOCK_CONTROL | 0x000000000100L | Fire before lock and unlock operations.
The BeforeLock, BeforeUnlockAll, BeforeUnlockAllByKey, and BeforeUnlockSingle events will fire, as applicable, before the OS attempts to lock or unlock a range of bytes in a file. |
FS_CE_AFTER_LOCK_CONTROL | 0x000000000200L | Fire before and after lock and unlock operations.
The AfterLock, AfterUnlockAll, AfterUnlockAllByKey, and AfterUnlockSingle, events will fire, as applicable, after a lock or unlock request has been processed, before the response is returned. |
FS_CE_BEFORE_CLEANUP | 0x000000000400L | Fire before file handle cleanup operations.
The BeforeCleanupFile event will fire anytime a process closes a file or directory handle. |
FS_CE_AFTER_CLEANUP | 0x000000000800L | Fire after file handle cleanup operations.
The AfterCleanupFile event will fire after a file handle cleanup request has been processed, before the response is returned. |
FS_CE_BEFORE_CLOSE | 0x000000001000L | Fire before file close operations.
The BeforeCloseFile event will fire anytime the OS closes a file or directory. Also, the AfterCloseEnumeration event will fire anytime the OS closes a directory enumeration (which typically occurs immediately before the directory is closed). |
FS_CE_AFTER_CLOSE | 0x000000002000L | Fire after file close operations.
The AfterCloseFile event will fire after a file/directory close request has been processed, before the response is returned. |
FS_CE_BEFORE_CAN_DELETE | 0x000000004000L | Fire before 'can be deleted' operations.
The BeforeCanFileBeDeleted event will fire anytime the OS checks whether a file or directory can be deleted. |
FS_CE_AFTER_CAN_DELETE | 0x000000008000L | Fire after 'can be deleted' operations.
The AfterCanFileBeDeleted event will fire after a 'can be deleted' request has been processed, before the response is returned. |
FS_CE_BEFORE_DELETE | 0x000000010000L | Fire before delete operations
The BeforeDeleteFile event will fire anytime the OS attempts to delete a file or directory. |
FS_CE_AFTER_DELETE | 0x000000020000L | Fire after delete operations.
The AfterDeleteFile event will fire after a delete request has been processed, before the response is returned. |
FS_CE_BEFORE_RENAME | 0x000000040000L | Fire before rename/move operations.
The BeforeRenameOrMoveFile event will fire anytime the OS attempts to rename or move a file or directory. |
FS_CE_AFTER_RENAME | 0x000000080000L | Fire after rename/move operations.
The AfterRenameOrMoveFile event will fire after a rename or move request has been processed, before the response is returned. |
FS_CE_BEFORE_GET_SECURITY | 0x000000100000L | Fire before get security operations.
The BeforeGetFileSecurity event will fire before the OS queries the security attributes of a file or directory. |
FS_CE_AFTER_GET_SECURITY | 0x000000200000L | Fire after get security operations.
The AfterGetFileSecurity events will fire after a get security operation has been processed, before the response is returned. |
FS_CE_AFTER_ENUMERATE_DIRECTORY | 0x000000800000L | Fire for directory enumeration operations.
The AfterEnumerateDirectory event will fire after information about a directory entry has been retrieved during directory enumeration, before the response is returned. |
FS_CE_BEFORE_QUERY_FILE_INFO | 0x000001000000L | Fire before 'query file information' operations.
The BeforeQueryFileInfo event will fire anytime the OS needs to retrieve information about a file or directory. |
FS_CE_AFTER_QUERY_FILE_INFO | 0x000002000000L | Fire after 'query file information' operations.
The AfterQueryFileInfo event will fire after a file or directory information query request has been processed, before the response is returned. |
FS_CE_AFTER_GET_SIZES | 0x000008000000L | Fire after get size operations.
The AfterGetFileSizes event will fire after a file's size information is retrieved, before the response is returned. |
FS_CE_BEFORE_SET_SECURITY | 0x000010000000L | Fire before set security operations.
The BeforeSetFileSecurity event will fire anytime the OS needs to change the security attributes of a file or directory. |
FS_CE_AFTER_SET_SECURITY | 0x000020000000L | Fire after set security operations.
The AfterSetFileSecurity event will fire after a security attributes change request has been processed, before the response is returned. |
FS_CE_BEFORE_SET_ATTRIBUTES | 0x000040000000L | Fire before file attribute update operations.
The BeforeSetFileAttributes event will fire anytime the OS attempts to change the attributes of a file or directory. |
FS_CE_AFTER_SET_ATTRIBUTES | 0x000080000000L | Fire after file attribute update operations.
The AfterSetFileAttributes event will fire after a file attributes change request has been processed, before the response is returned. |
FS_CE_BEFORE_SET_SIZES | 0x000100000000L | Fire before file resize operations.
The BeforeSetFileSize event will fire anytime the OS attempts to resize a file, and the BeforeSetAllocationSize event will fire anytime the OS attempts to change a file's allocation size. |
FS_CE_AFTER_SET_SIZES | 0x000200000000L | Fire after file resize operations.
The AfterSetFileSize event will fire after a file resize request has been processed, and the AfterSetAllocationSize event will fire after a file allocation size change request has been processed, before the response is returned. |
FS_CE_BEFORE_CREATE_HARD_LINK | 0x000400000000L | Fire before hard link creation operations.
The BeforeCreateHardLink event will fire anytime the OS attempts to create a hard link. |
FS_CE_AFTER_CREATE_HARD_LINK | 0x000800000000L | Fire after hard link creation operations.
The AfterCreateHardLink events will fire after a hard link creation request has been processed, before the response is returned. |
FS_CE_BEFORE_FSCTL | 0x001000000000L | Fire before FSCTL operations.
The BeforeFsctl event will fire anytime an IRP_MJ_FILE_SYSTEM_CONTROL request occurs. |
FS_CE_AFTER_FSCTL | 0x002000000000L | Fire after FSCTL operations.
The AfterFsctl event will fire after an IRP_MJ_FILE_SYSTEM_CONTROL request has been processed, before the response is returned. |
FS_CE_BEFORE_IOCTL | 0x004000000000L | Fire before IOCTL operations.
The BeforeIoctl event will fire anytime an IRP_MJ_DEVICE_CONTROL request occurs. |
FS_CE_AFTER_IOCTL | 0x008000000000L | Fire after IOCTL operations.
The AfterIoctl event will fire after an IRP_MJ_DEVICE_CONTROL request has been processed, before the response is returned. |
FS_CE_BEFORE_SET_FILE_INFO | 0x010000000000L | Fire before 'set file information' operations.
The BeforeSetFileInfo event will fire anytime the OS needs to change information about a file or directory. |
FS_CE_AFTER_SET_FILE_INFO | 0x020000000000L | Fire after 'set file information' operations.
The AfterSetFileInfo event will fire after a file or directory information change request has been processed, before the response is returned. |
FS_CE_REPARSE_FILENAME | 0x100000000000L | Fire before various operations for the purpose of file redirection.
The ReparseFileName event will fire before any operation that includes a file or directory name, giving the application a chance to redirect it. This is event is typically used when an application requires more advanced redirection logic than Reparse Rules can provide; please refer to that topic for more information. |
FS_CE_REPARSE_TAG | 0x200000000000L | Fire for reparse operations.
The ReparseWithTag event will fire anytime a file/directory open operation returns a STATUS_REPARSE result, allowing the application to handle the reparse point. Please refer to Microsoft's Reparse Points article for more information. |
FS_CE_ALL | -1 | Fire for all filesystem operations.
Control Events will fire for all filesystem operations. |
The NotifyFlags parameter specifies which filesystem operations the class should fire Notification Events for. For example, if the FS_NE_READ flag is present, the NotifyReadFile event will fire after a read operation is performed on any file that matches Mask. The value passed for this parameter should be constructed by OR'ing together zero or more of the following flags:
FS_NE_NONE | 0 | Don't fire for any filesystem operations.
Notification Events will not fire for any filesystem operations. |
FS_NE_CREATE | 0x00000001L | Fire for file creation operations.
The NotifyCreateFile event will fire anytime the OS creates a file or directory. In some cases, can cause the NotifyOpenFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_NE_OPEN | 0x00000002L | Fire for file open operations.
The NotifyOpenFile event will fire anytime the OS opens a file or directory. In some cases, can cause the NotifyCreateFile event to fire; refer to the File Create/Open Events topic for more information. |
FS_NE_READ | 0x00000004L | Fire for read operations.
The NotifyReadFile event will fire anytime the OS reads data from a file. |
FS_NE_WRITE | 0x00000008L | Fire for write operations.
The NotifyWriteFile event will fire anytime the OS write data to a file. |
FS_NE_LOCK_CONTROL | 0x00000010L | Fire for lock and unlock operations.
The NotifyLock, NotifyUnlockAll, NotifyUnlockAllByKey, and NotifyUnlockSingle events will fire, as applicable, anytime the OS locks or unlocks a range of bytes in a file. |
FS_NE_CLEANUP | 0x00000020L | Fire for file handle cleanup operations.
The NotifyCleanupFile event will fire anytime a process closes a file or directory handle. |
FS_NE_CLOSE | 0x00000040L | Fire for file close operations.
The NotifyCloseFile event will fire anytime the OS closes a file or directory. |
FS_NE_CAN_DELETE | 0x00000080L | Fire for 'can be deleted' operations.
The NotifyCanFileBeDeleted event will fire anytime the OS checks whether a file or directory can be deleted. |
FS_NE_DELETE | 0x00000100L | Fire for delete operations.
The NotifyDeleteFile event will fire anytime the OS deletes a file or directory. |
FS_NE_RENAME | 0x00000200L | Fire for rename/move operations.
The NotifyRenameOrMoveFile event will fire anytime the OS renames or moves a file or directory. |
FS_NE_GET_SECURITY | 0x00000400L | Fire for get security operations.
The NotifyGetFileSecurity event will fire anytime the OS queries the security attributes of a file or directory. |
FS_NE_ENUMERATE_DIRECTORY | 0x00000800L | Fire for directory enumeration operations.
The NotifyEnumerateDirectory event will fire anytime the OS retrieves a directory entry during directory enumeration. |
FS_NE_QUERY_FILE_INFO | 0x00001000L | Fire for QueryFileInformation operations.
The NotifyQueryFileInfo event will fire anytime the OS retrieves information about a file or directory. |
FS_NE_GET_SIZES | 0x00002000L | Fire for get size operations.
The NotifyGetFileSizes event will fire anytime the OS retrieves a file's size information. |
FS_NE_SET_SECURITY | 0x00004000L | Fire for set security operations.
The NotifySetFileSecurity event will fire anytime the OS changes the security attributes of a file or directory. |
FS_NE_SET_ATTRIBUTES | 0x00008000L | Fire for file attribute update operations.
The NotifySetFileAttributes event will fire anytime the OS changes the attributes of a file or directory. |
FS_NE_SET_SIZES | 0x00010000L | Fire for file resize operations.
The NotifySetFileSize event will fire anytime the OS resizes a file, and the NotifySetAllocationSize event will fire anytime the OS changes a file's allocation size. |
FS_NE_CREATE_HARD_LINK | 0x00020000L | Fire for hard link creation operations.
The NotifyCreateHardLink event will fire anytime the OS creates a hard link. |
FS_NE_FSCTL | 0x00040000L | Fire for FSCTL operations.
The NotifyFsctl event will fire anytime an IRP_MJ_FILE_SYSTEM_CONTROL operation occurs. |
FS_NE_IOCTL | 0x00080000L | Fire for IOCTL operations.
The NotifyIoctl event will fire anytime an IRP_MJ_DEVICE_CONTROL operation occurs. |
FS_NE_SET_FILE_INFO | 0x00100000L | Fire for SetFileInformation operations.
The NotifySetFileInfo event will fire anytime the OS changed information about a file or directory. |
FS_NE_ALL | -1 | Fire for all filesystem operations.
Notification Events will fire for all filesystem operations. |
Note: The methods and properties related to rule management are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads (such as, e.g., during the AfterFilterAttachToVolume and AfterFilterDetachFromVolume events) are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of the rule lists occurs in a thread-safe manner.