File Masks
File masks are "templates" against which file and directory names are matched. A file mask may optionally begin with a path, either with or without a volume name (see next section); and both the filename part and the path part may contain single-character wildcards (?) and/or multi-character wildcards (*). Here are a few examples of file masks:
- 20??_Budget.xls
- *.doc
- *\Pictures\20??\*.jpg
- \temp\*.tmp
- C:\Reports\*
A file mask such as C:\Reports\* does not match the C:\Reports\ directory itself, so a filter rule using this mask will not match operations that target C:\Reports\ directly (for example, an operation that enumerates its files and subdirectories). This behavior applies to all rules except reparse rules; a reparse rule with a source mask like C:\Reports\* matches any operation that targets the C:\Reports\ directory or any of its descendants.
Volume Names in Paths
If a file mask begins with a path, that path may optionally include a volume name. This allows applications to monitor only the volumes they are interested in. The following kinds of volume names are acceptable:
- A volume GUID, formatted like Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\ (note the trailing backslash). A mask may start with the \\?\ prefix, e.g. "\\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}".
- A hidden volume mounting point, formatted like \\.\mounting_point_name\.
- A DOS name, formatted like C:\.
- A network resource, formatted like \\server_name\share_name\ (please refer to the Monitoring Network Resources topic for more information).
- A volume NT-native name, formatted like \Device\HarddiskVolumeX\, where X is the number of the volume.
Please note that, to successfully add a rule with a file mask that includes a volume name, the specified volume must already be present on the system. Applications that need rules for volumes that are not currently present can do one of the following:
- Add rules without volume names, and selectively skip volumes as desired by setting the BeforeFilterAttachToVolume event's SkipVolume parameter to true.
- Add and remove volume-specific rules "on-demand" using the AfterFilterAttachToVolume and AfterFilterDetachFromVolume events.
Per-Process Masks
Masks used by standard filter rules and access rules can be restricted so that they only match operations made by a specific process (or, made by all processes except a specific process). To do this, construct a mask in one of the following forms:
- process_name.exe|file_mask: Only matches operations requested by process_name.exe.
- ~process_name.exe|file_mask: Only matches operations not requested by process_name.exe.
- process_id|file_mask: Only matches operations requested by the process whose Id is process_id.
- ~process_id|file_mask: Only matches operations not requested by the process whose Id is process_id.
In all cases, file_mask can be any valid file mask as described above. The process_name.exe portion must be a valid process executable filename, and may optionally begin with a path. Wildcards are supported in any part of the process_name.exe portion. The process_id portion must be a numeric process Id (PID). When adding a PID-based rule, you need to be aware of the PID Reuse behavior of Windows.
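The following is an added example, not code from the product or its SDK: a small user-mode model of the mask syntax described in the File Masks and Per-Process Masks sections, useful for checking which operations a given mask would cover before adding a rule. It assumes that an operation on a directory presents the directory name without a trailing backslash, and that a process name without a path is compared against the executable's file name only; both are assumptions, not documented behavior.

```python
import re

def mask_to_regex(mask: str) -> re.Pattern:
    """Translate a file mask with ? and * wildcards into a full-match regex.
    Matching is case-insensitive, as Windows file names are, and '*' is allowed
    to span backslashes so that '*\\Pictures\\*.jpg' can match a leading path."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def file_mask_matches(mask: str, path: str) -> bool:
    # Assumption: an operation on a directory itself presents its name without a
    # trailing backslash, so 'C:\Reports' does not match 'C:\Reports\*'.
    return mask_to_regex(mask).fullmatch(path) is not None

def parse_mask(mask: str) -> tuple:
    """Split 'process|file_mask' into (file_mask, process, by_pid, negated).
    process is None for a plain mask; by_pid tells a numeric PID from a name."""
    proc, sep, file_mask = mask.partition("|")
    if not sep:
        return (mask, None, False, False)
    negated = proc.startswith("~")
    proc = proc[1:] if negated else proc
    if not proc or not file_mask:
        raise ValueError("malformed per-process mask: " + mask)
    return (file_mask, proc, proc.isdigit(), negated)

def rule_matches(mask: str, path: str, process_path: str, pid: int) -> bool:
    """Would an operation on `path` by (process_path, pid) fall under `mask`?"""
    file_mask, proc, by_pid, negated = parse_mask(mask)
    if not file_mask_matches(file_mask, path):
        return False
    if proc is None:
        return True
    if by_pid:
        hit = int(proc) == pid
    else:
        # Assumption: a process mask without a path is compared against the
        # executable's file name only; one with a path against the full path.
        subject = process_path if "\\" in proc else process_path.rsplit("\\", 1)[-1]
        hit = file_mask_matches(proc, subject)
    return hit != negated
```

A process-name mask scopes a rule by executable name alone, so it is a convenience for narrowing what a rule sees rather than a way to identify the caller; PID-based rules are subject to the PID reuse caveat above.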