File Create/Open Events
The CBFilter class provides three pairs of events related to creating and opening files:
- BeforeCreateFile and BeforeOpenFile, which are Control Events fired when the request is made.
- AfterCreateFile and AfterOpenFile, which are Control Events fired after the request has been handled.
- NotifyCreateFile and NotifyOpenFile, which are Notification Events fired after the request has been handled.
Files can be created or deleted at any time, so there is no way for the OS to know with complete certainty whether a particular file exists until an interested process actually attempts to access it. This is true even if the process checks whether the file exists beforehand, because that file could then be created or deleted in the time between when the check occurred and when the create/open call occurs.
It is for this reason that the same Windows API function, CreateFile, is used for both creating and opening files. Processes that call this function use its CreationDisposition parameter to specify what the OS and filesystem should do if the file exists/doesn't exist. The one and only CreationDisposition option that results in a "create file" request is CREATE_NEW; all other options result in an "open file" request, and the filesystem then uses the CreationDisposition for guidance.
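The race described above, and the single-request alternative, as an added example that is not part of the CBFilter documentation. It uses Python's `os.open` flags rather than calling CreateFile directly: `O_CREAT | O_EXCL` is the "create only if absent" request (CREATE_NEW through the C runtime on Windows), and the `between` hook is a constructed stand-in for another process acting inside the window.

```python
import os
import tempfile

def check_then_create(path, data, between=lambda: None):
    """Racy pattern: an existence check followed by a separate create call."""
    if os.path.exists(path):
        return False                      # caller believes the file already exists
    between()                             # window in which another process can act
    # Open-or-create with truncation: an existing file is silently overwritten.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True

def atomic_create(path, data, between=lambda: None):
    """One request: the filesystem decides existence and creation together."""
    between()                             # same interference, no separate check to invalidate
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False                      # someone else created it first; nothing overwritten
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True

def run_demo():
    """Run both patterns against the same interference; return (created, final content)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, fn in (("check_then_create", check_then_create),
                         ("atomic_create", atomic_create)):
            path = os.path.join(d, name + ".txt")

            def other_process(p=path):    # constructed stand-in for a concurrent creator
                with open(p, "wb") as f:
                    f.write(b"other")

            created = fn(path, b"mine", between=other_process)
            with open(path, "rb") as f:
                results[name] = (created, f.read())
    return results

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The checked version reports success while destroying the other writer's data; the exclusive create reports failure and leaves that data intact.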
Since the class's only source of information is the requests themselves, it also has no way of knowing whether a particular file exists (or not) at any given time. So it simply acts in the following manner:
- If the request's CreationDisposition is CREATE_NEW, then the *CreateFile events are used.
- If the request's CreationDisposition is FILE_SUPERSEDE (an NT-native flag used in the kernel), then the *OpenFile events are used, followed by the corresponding *CreateFile events.
- In all other cases, the *OpenFile events are used.