Adds a standard filter rule.
This method adds a standard filter rule for the files and directories that match the specified Mask. Each rule in a ruleset is uniquely identified by its mask; if a rule with the specified mask already exists, the new rule's parameters are merged into it.
If the rule is added successfully, this method returns true; otherwise, it returns false.
Standard filter rules determine which filesystem operations, of those performed on matching files and directories, the class should fire its events for.
The Mask parameter must be a valid file mask according to the File Masks topic. Only the files and directories which match the specified mask will be covered by the rule.
The NotifyFlags parameter specifies which filesystem operations the class should fire Notification Events for. For example, if the FS_NE_READ flag is present, the NotifyReadFile event will fire after a read operation is performed on any file that matches Mask. The value passed for this parameter should be constructed by OR'ing together zero or more of the following flags:
|FS_NE_NONE||0||Don't fire for any filesystem operations.
Notification Events will not fire for any filesystem operations.
|FS_NE_CREATE||0x00000001L||Fire for file creation operations.
The NotifyCreateFile event will fire anytime the OS creates a file or directory. In some cases, can cause the NotifyOpenFile event to fire; refer to the File Create/Open Events topic for more information.
|FS_NE_OPEN||0x00000002L||Fire for file open operations.
The NotifyOpenFile event will fire anytime the OS opens a file or directory. In some cases, can cause the NotifyCreateFile event to fire; refer to the File Create/Open Events topic for more information.
|FS_NE_READ||0x00000004L||Fire for read operations.
The NotifyReadFile event will fire anytime the OS reads data from a file.
|FS_NE_WRITE||0x00000008L||Fire for write operations.
The NotifyWriteFile event will fire anytime the OS write data to a file.
|FS_NE_LOCK_CONTROL||0x00000010L||Fire for lock and unlock operations.|
|FS_NE_CLEANUP||0x00000020L||Fire for file handle cleanup operations.
The NotifyCleanupFile event will fire anytime a process closes a file or directory handle.
|FS_NE_CLOSE||0x00000040L||Fire for file close operations.
The NotifyCloseFile event will fire anytime the OS closes a file or directory.
|FS_NE_CAN_DELETE||0x00000080L||Fire for 'can be deleted' operations.
The NotifyCanFileBeDeleted event will fire anytime the OS checks whether a file or directory can be deleted.
|FS_NE_DELETE||0x00000100L||Fire for delete operations.
The NotifyDeleteFile event will fire anytime the OS deletes a file or directory.
|FS_NE_RENAME||0x00000200L||Fire for rename/move operations.
The NotifyRenameOrMoveFile event will fire anytime the OS renames or moves a file or directory.
|FS_NE_GET_SECURITY||0x00000400L||Fire for get security operations.
The NotifyGetFileSecurity event will fire anytime the OS queries the security attributes of a file or directory.
|FS_NE_ENUMERATE_DIRECTORY||0x00000800L||Fire for directory enumeration operations.
The NotifyEnumerateDirectory event will fire anytime the OS retrieves a directory entry during directory enumeration.
|FS_NE_QUERY_FILE_INFO||0x00001000L||Fire for QueryFileInformation operations.
The NotifyQueryFileInfo event will fire anytime the OS retrieves information about a file or directory.
|FS_NE_GET_SIZES||0x00002000L||Fire for get size operations.
The NotifyGetFileSizes event will fire anytime the OS retrieves a file's size information.
|FS_NE_SET_SECURITY||0x00004000L||Fire for set security operations.
The NotifySetFileSecurity event will fire anytime the OS changes the security attributes of a file or directory.
|FS_NE_SET_ATTRIBUTES||0x00008000L||Fire for file attribute update operations.
The NotifySetFileAttributes event will fire anytime the OS changes the attributes of a file or directory.
|FS_NE_SET_SIZES||0x00010000L||Fire for file resize operations.|
|FS_NE_CREATE_HARD_LINK||0x00020000L||Fire for hard link creation operations.
The NotifyCreateHardLink event will fire anytime the OS creates a hard link.
|FS_NE_FSCTL||0x00040000L||Fire for FSCTL operations.
The NotifyFsctl event will fire anytime an IRP_MJ_FILE_SYSTEM_CONTROL operation occurs.
|FS_NE_IOCTL||0x00080000L||Fire for IOCTL operations.
The NotifyIoctl event will fire anytime an IRP_MJ_DEVICE_CONTROL operation occurs.
|FS_NE_SET_FILE_INFO||0x00100000L||Fire for SetFileInformation operations.
The NotifySetFileInfo event will fire anytime the OS changed information about a file or directory.
|FS_NE_ALL||-1||Fire for all filesystem operations.
Notification Events will fire for all filesystem operations.
Note: The methods and properties related to rule management are not intended to be used from multiple threads at once. Applications that wish to use said methods and properties from multiple threads (such as, e.g., during the AfterFilterAttachToVolume and AfterFilterDetachFromVolume events) are responsible for employing proper thread synchronization techniques to ensure that manipulation and enumeration of the rule lists occurs in a thread-safe manner.