All constants are accessible through the
cbfsfilter.Constants class.
Access Restriction Flags
ACCESS_READ_ONLY
Value: 0x01
Read-only access; writing and deleting are prohibited.
ACCESS_WRITE_ONLY
Value: 0x02
Write-only access; reading and deleting are prohibited.
ACCESS_DELETE_PROTECT
Value: 0x04
Deleting and renaming are prohibited.
ACCESS_EXECUTE_PROTECT
Value: 0x08
Execution is prohibited.
ACCESS_NO_CHANGE_DAC
Value: 0x10
Change of security attributes is prohibited.
ACCESS_NO_CHANGE_OWNER
Value: 0x20
Change of owner is prohibited.
ACCESS_RENAME_PROTECT
Value: 0x40
Renaming is prohibited.
ACCESS_DELETE_ONLY_PROTECT
Value: 0x80
Deleting is prohibited (renaming is not affected).
ACCESS_REMOTE_ACCESS_PROTECT
Value: 0x100
Access from other systems is prohibited.
ACCESS_DENY_ALL
Value: 0x200
All access is denied.
ACCESS_ALL_FLAGS
Value: -1
Used to denote all currently set access restriction flags.
Filesystem Control Event Flags
Don't fire for any filesystem operations.
Control Events will not fire for any filesystem operations.
FS_CE_BEFORE_CREATE
Value: 0x000000000001L
Fire before file creation operations.
The
BeforeCreateFile event will fire anytime the OS attempts to create a file or directory.
In some cases, this event can cause the
BeforeOpenFile event to fire; refer to the
File Create/Open Events topic for more information.
FS_CE_AFTER_CREATE
Value: 0x000000000002L
Fire after file creation operations.
The
AfterCreateFile event will fire after a file or directory creation request has been processed, before the response is returned.
In some cases, this event can cause the
AfterOpenFile event to fire; refer to the
File Create/Open Events topic for more information.
FS_CE_BEFORE_OPEN
Value: 0x000000000004L
Fire before file open operations.
The
BeforeOpenFile event will fire anytime the OS attempts to open a file or directory.
In some cases, this event can cause the
BeforeCreateFile event to fire; refer to the
File Create/Open Events topic for more information.
FS_CE_AFTER_OPEN
Value: 0x000000000008L
Fire after file open operations.
The
AfterOpenFile event will fire after a file or directory open request has been processed, before the response is returned.
In some cases, this event can cause the
AfterCreateFile event to fire; refer to the
File Create/Open Events topic for more information.
FS_CE_BEFORE_READ
Value: 0x000000000010L
Fire before read operations.
The
BeforeReadFile event will fire anytime the OS attempts to read data from a file.
FS_CE_AFTER_READ
Value: 0x000000000020L
Fire after read operations.
The
AfterReadFile event will fire after a read request has been processed, before the response is returned.
FS_CE_BEFORE_WRITE
Value: 0x000000000040L
Fire before write operations.
The
BeforeWriteFile event will fire anytime the OS attempts to write data to a file.
FS_CE_AFTER_WRITE
Value: 0x000000000080L
Fire after write operations.
The
AfterReadFile event will fire after a write request has been processed, before the response is returned.
FS_CE_BEFORE_CLEANUP
Value: 0x000000000400L
Fire before file handle cleanup operations.
The
BeforeCleanupFile event will fire anytime a process closes a file or directory handle.
FS_CE_AFTER_CLEANUP
Value: 0x000000000800L
Fire after file handle cleanup operations.
The
AfterCleanupFile event will fire after a file handle cleanup request has been processed, before the response is returned.
FS_CE_BEFORE_CLOSE
Value: 0x000000001000L
Fire before file close operations.
The
BeforeCloseFile event will fire anytime the OS closes a file or directory. Also, the
AfterCloseEnumeration event will fire anytime the OS closes a directory enumeration (which typically occurs immediately before the directory is closed).
FS_CE_AFTER_CLOSE
Value: 0x000000002000L
Fire after file close operations.
The
AfterCloseFile event will fire after a file/directory close request has been processed, before the response is returned.
FS_CE_BEFORE_CAN_DELETE
Value: 0x000000004000L
Fire before 'can be deleted' operations.
The
BeforeCanFileBeDeleted event will fire anytime the OS checks whether a file or directory can be deleted.
FS_CE_AFTER_CAN_DELETE
Value: 0x000000008000L
Fire after 'can be deleted' operations.
The
AfterCanFileBeDeleted event will fire after a
can be deleted request has been processed, before the response is returned.
FS_CE_BEFORE_DELETE
Value: 0x000000010000L
Fire before delete operations
The
BeforeDeleteFile event will fire anytime the OS attempts to delete a file or directory.
FS_CE_AFTER_DELETE
Value: 0x000000020000L
Fire after delete operations.
The
AfterDeleteFile event will fire after a delete request has been processed, before the response is returned.
FS_CE_BEFORE_RENAME
Value: 0x000000040000L
Fire before rename/move operations.
The
BeforeRenameOrMoveFile event will fire anytime the OS attempts to rename or move a file or directory.
FS_CE_AFTER_RENAME
Value: 0x000000080000L
Fire after rename/move operations.
The
AfterRenameOrMoveFile event will fire after a rename or move request has been processed, before the response is returned.
FS_CE_BEFORE_GET_SECURITY
Value: 0x000000100000L
Fire before get security operations.
The
BeforeGetFileSecurity event will fire before the OS queries the security attributes of a file or directory.
FS_CE_AFTER_GET_SECURITY
Value: 0x000000200000L
Fire after get security operations.
The
AfterGetFileSecurity events will fire after a
get security operation has been processed, before the response is returned.
FS_CE_BEFORE_ENUMERATE_DIRECTORY
Value: 0x000000400000L
Fire before directory enumeration operations.
The
BeforeEnumerateDirectory event will fire anytime the OS needs to read information about directory entries.
FS_CE_AFTER_ENUMERATE_DIRECTORY
Value: 0x000000800000L
Fire after directory enumeration operations.
The
AfterEnumerateDirectory event will fire after information about a directory entry has been retrieved during directory enumeration, before the response is returned.
FS_CE_BEFORE_QUERY_FILE_INFO
Value: 0x000001000000L
Fire before 'query file information' operations.
The
BeforeQueryFileInfo event will fire anytime the OS needs to retrieve information about a file or directory.
FS_CE_AFTER_QUERY_FILE_INFO
Value: 0x000002000000L
Fire after 'query file information' operations.
The
AfterQueryFileInfo event will fire after a file or directory information query request has been processed, before the response is returned.
FS_CE_AFTER_GET_SIZES
Value: 0x000008000000L
Fire after get size operations.
The
AfterGetFileSizes event will fire after a file's size information is retrieved, before the response is returned.
FS_CE_BEFORE_SET_SECURITY
Value: 0x000010000000L
Fire before set security operations.
The
BeforeSetFileSecurity event will fire anytime the OS needs to change the security attributes of a file or directory.
FS_CE_AFTER_SET_SECURITY
Value: 0x000020000000L
Fire after set security operations.
The
AfterSetFileSecurity event will fire after a security attribute change request has been processed, before the response is returned.
FS_CE_BEFORE_SET_ATTRIBUTES
Value: 0x000040000000L
Fire before file attribute update operations.
The
BeforeSetFileAttributes event will fire anytime the OS attempts to change the attributes of a file or directory.
FS_CE_AFTER_SET_ATTRIBUTES
Value: 0x000080000000L
Fire after file attribute update operations.
The
AfterSetFileAttributes event will fire after a file attribute change request has been processed, before the response is returned.
FS_CE_BEFORE_SET_SIZES
Value: 0x000100000000L
Fire before file resize operations.
The
BeforeSetFileSize event will fire anytime the OS attempts to resize a file,
and the
BeforeSetAllocationSize event will fire anytime the OS attempts to change a file's allocation size.
FS_CE_AFTER_SET_SIZES
Value: 0x000200000000L
Fire after file resize operations.
The
AfterSetFileSize event will fire after a file resize request has been processed, and the
AfterSetAllocationSize event will fire after a file allocation size change request has been processed,
before the response is returned.
FS_CE_BEFORE_CREATE_HARD_LINK
Value: 0x000400000000L
Fire before hard link creation operations.
The
BeforeCreateHardLink event will fire anytime the OS attempts to create a hard link.
FS_CE_AFTER_CREATE_HARD_LINK
Value: 0x000800000000L
Fire after hard link creation operations.
The
AfterCreateHardLink events will fire after a hard link creation request has been processed, before the response is returned.
FS_CE_BEFORE_FSCTL
Value: 0x001000000000L
Fire before FSCTL operations.
The
BeforeFsctl event will fire anytime an
IRP_MJ_FILE_SYSTEM_CONTROL request occurs.
FS_CE_AFTER_FSCTL
Value: 0x002000000000L
Fire after FSCTL operations.
The
AfterFsctl event will fire after an
IRP_MJ_FILE_SYSTEM_CONTROL request has been processed, before the response is returned.
FS_CE_BEFORE_IOCTL
Value: 0x004000000000L
Fire before IOCTL operations.
The
BeforeIoctl event will fire anytime an
IRP_MJ_DEVICE_CONTROL request occurs.
FS_CE_AFTER_IOCTL
Value: 0x008000000000L
Fire after IOCTL operations.
The
AfterIoctl event will fire after an
IRP_MJ_DEVICE_CONTROL request has been processed, before the response is returned.
FS_CE_BEFORE_SET_FILE_INFO
Value: 0x010000000000L
Fire before 'set file information' operations.
The
BeforeSetFileInfo event will fire anytime the OS needs to change information about a file or directory.
FS_CE_AFTER_SET_FILE_INFO
Value: 0x020000000000L
Fire after 'set file information' operations.
The
AfterSetFileInfo event will fire after a file or directory information change request has been processed, before the response is returned.
FS_CE_BEFORE_SET_EA
Value: 0x040000000000L
Fire before Set Extended Attributes operations.
The
BeforeSetEa event will fire anytime the OS needs to set extended attributes of a file.
FS_CE_AFTER_SET_EA
Value: 0x080000000000L
Fire after Set Extended Attributes operations.
The
AfterSetEa event will fire after the OS request to set extended attributes of a file has been processed, before the response is returned.
FS_CE_BEFORE_QUERY_EA
Value: 0x100000000000L
Fire before Query Extended Attributes operations.
The
BeforeQueryEa event will fire anytime the OS needs to retrieve extended attributes of a file.
FS_CE_AFTER_QUERY_EA
Value: 0x200000000000L
Fire after Query Extended Attributes operations.
The
AfterQueryEa event will fire after the OS request to retrieve extended attributes of a file has been processed, before the response is returned.
FS_CE_BEFORE_GET_REPARSE_POINT
Value: 0x400000000000L
Fire before Get Reparse Point operations.
The
BeforeGetReparsePoint event will fire anytime the OS needs to read a reparse point of a file or directory.
FS_CE_AFTER_GET_REPARSE_POINT
Value: 0x800000000000L
Fire after Get Reparse Point operations.
The
AfterGetReparsePoint event will fire after the OS request to read a reparse point of a file or directory has been processed, before the response is returned.
FS_CE_BEFORE_SET_REPARSE_POINT
Value: 0x1000000000000L
Fire before Set Reparse Point operations.
The
BeforeSetReparsePoint event will fire anytime the OS needs to set or update a reparse point for a file or directory.
FS_CE_AFTER_SET_REPARSE_POINT
Value: 0x2000000000000L
Fire after Set Reparse Point operations.
The
AfterSetReparsePoint event will fire after the OS request to set or update a reparse point for a file or directory has been processed, before the response is returned.
FS_CE_BEFORE_DELETE_REPARSE_POINT
Value: 0x4000000000000L
Fire before Delete Reparse Point operations.
The
BeforeDeleteReparsePoint event will fire anytime the OS needs to remove reparse point information from a file or directory.
FS_CE_AFTER_DELETE_REPARSE_POINT
Value: 0x8000000000000L
Fire after Delete Reparse Point operations.
The
AfterDeleteReparsePoint event will fire after the OS request to remove reparse point information from a file or directory has been processed, before the response is returned.
FS_CE_REPARSE_FILENAME
Value: 0x40000000000000L
Fire before various operations for the purpose of file redirection.
The
ReparseFileName event will fire before any operation that includes a file or directory name, giving the application a chance to redirect it.
This event is typically used when an application requires more advanced redirection logic than
Reparse Rules can provide; please refer to that topic for more information.
FS_CE_REPARSE_TAG
Value: 0x80000000000000L
Fire for reparse operations.
The
ReparseWithTag event will fire anytime a file/directory open operation returns a
STATUS_REPARSE result, allowing the application to handle the reparse point.
Please refer to Microsoft's
Reparse Points article for more information.
Fire for all filesystem operations.
Control Events will fire for all filesystem operations that the class tracks.
Filesystem Notification Event Flags
Don't fire for any filesystem operations.
Notification Events will not fire for any filesystem operations.
FS_NE_CREATE
Value: 0x00000001L
Fire for file creation operations.
The
NotifyCreateFile event will fire anytime the OS creates a file or directory.
In some cases, this event can cause the
NotifyOpenFile event to fire; refer to the
File Create/Open Events topic for more information.
FS_NE_OPEN
Value: 0x00000002L
Fire for file open operations.
The
NotifyOpenFile event will fire anytime the OS opens a file or directory.
In some cases, this event can cause the
NotifyCreateFile event to fire; refer to the
File Create/Open Events topic for more information.
FS_NE_READ
Value: 0x00000004L
Fire for read operations.
The
NotifyReadFile event will fire anytime the OS reads data from a file.
FS_NE_WRITE
Value: 0x00000008L
Fire for write operations.
The
NotifyWriteFile event will fire anytime the OS writes data to a file.
FS_NE_CLEANUP
Value: 0x00000020L
Fire for file handle cleanup operations.
The
NotifyCleanupFile event will fire anytime a process closes a file or directory handle.
FS_NE_CLOSE
Value: 0x00000040L
Fire for file close operations.
The
NotifyCloseFile event will fire anytime the OS closes a file or directory.
FS_NE_CAN_DELETE
Value: 0x00000080L
Fire for 'can be deleted' operations.
The
NotifyCanFileBeDeleted event will fire anytime the OS checks whether or not a file or directory can be deleted.
FS_NE_DELETE
Value: 0x00000100L
Fire for delete operations.
The
NotifyDeleteFile event will fire anytime the OS deletes a file or directory.
FS_NE_RENAME
Value: 0x00000200L
Fire for rename/move operations.
The
NotifyRenameOrMoveFile event will fire anytime the OS renames or moves a file or directory.
FS_NE_GET_SECURITY
Value: 0x00000400L
Fire for get security operations.
The
NotifyGetFileSecurity event will fire anytime the OS queries the security attributes of a file or directory.
FS_NE_ENUMERATE_DIRECTORY
Value: 0x00000800L
Fire for directory enumeration operations.
The
NotifyEnumerateDirectory event will fire anytime the OS retrieves a directory entry during directory enumeration.
FS_NE_QUERY_FILE_INFO
Value: 0x00001000L
Fire for QueryFileInformation operations.
The
NotifyQueryFileInfo event will fire anytime the OS retrieves information about a file or directory.
FS_NE_GET_SIZES
Value: 0x00002000L
Fire for get size operations.
The
NotifyGetFileSizes event will fire anytime the OS retrieves a file's size information.
FS_NE_SET_SECURITY
Value: 0x00004000L
Fire for set security operations.
The
NotifySetFileSecurity event will fire anytime the OS changes the security attributes of a file or directory.
FS_NE_SET_ATTRIBUTES
Value: 0x00008000L
Fire for file attribute update operations.
The
NotifySetFileAttributes event will fire anytime the OS changes the attributes of a file or directory.
FS_NE_SET_SIZES
Value: 0x00010000L
Fire for file resize operations.
The
NotifySetFileSize event will fire anytime the OS resizes a file, and the
NotifySetAllocationSize event will fire anytime the OS changes a file's allocation size.
FS_NE_CREATE_HARD_LINK
Value: 0x00020000L
Fire for hard link creation operations.
The
NotifyCreateHardLink event will fire anytime the OS creates a hard link.
FS_NE_FSCTL
Value: 0x00040000L
Fire for FSCTL operations.
The
NotifyFsctl event will fire anytime an
IRP_MJ_FILE_SYSTEM_CONTROL operation occurs.
FS_NE_IOCTL
Value: 0x00080000L
Fire for IOCTL operations.
The
NotifyIoctl event will fire anytime an
IRP_MJ_DEVICE_CONTROL operation occurs.
FS_NE_SET_FILE_INFO
Value: 0x00100000L
Fire for SetFileInformation operations.
The
NotifySetFileInfo event will fire anytime the OS changes information about a file or directory.
FS_NE_SET_EA
Value: 0x00200000L
Fire for Set Extended Attributes operations.
The
NotifySetEa event will fire anytime the OS sets extended attributes of a file.
FS_NE_QUERY_EA
Value: 0x00400000L
Fire for Query Extended Attributes operations.
The
NotifyQueryEa event will fire anytime the OS retrieves extended attributes of a file.
FS_NE_GET_REPARSE_POINT
Value: 0x00800000L
Fire for Get Reparse Point operations.
The
NotifyGetReparsePoint event will fire anytime the OS reads reparse point information of a file or directory.
FS_NE_SET_REPARSE_POINT
Value: 0x01000000L
Fire for Set Reparse Point operations.
The
NotifySetReparsePoint event will fire anytime the OS sets or updates reparse point information for a file or directory.
FS_NE_DELETE_REPARSE_POINT
Value: 0x02000000L
Fire for Delete Reparse Point operations.
The
NotifyDeleteReparsePoint event will fire anytime the OS deletes reparse point information from a file or directory.
FS_BYPASS_IO
Value: 0x40000000L
Fire for BypassIO operations.
The
BypassIORequest event will fire anytime the OS sends a BypassIO request related to some file.
This flag should be passed with notification flags, even though the event is synchronous.
Fire for all filesystem operations.
Notification Events will fire for all filesystem operations that the class tracks.
Directory Enumeration flags
FS_ENUM_RESTART_SCAN
Value: 1
The requestor specified that directory enumeration must be restarted.
FS_ENUM_RETURN_SINGLE_ENTRY
Value: 2
One entry should be returned.
FS_ENUM_INDEX_SPECIFIED
Value: 4
The requestor specified the index to start enumeration from.
Filesystem Reparse Flags
FS_REPARSE_CHANGE_PATH
Value: 0
Perform redirection by modifying the path directly using the CBFilter system driver.
FS_REPARSE_USE_REPARSE_POINT
Value: 1
Perform redirection by having the CBFilter system driver emulate real reparse point behavior.
This option will cause the driver to report that a file or directory's
parent directory is a
reparse point of the SYMLINK variety.
Redirection performed in this manner is more consistent with Windows' behavior; however, some software may fail to correctly handle paths that cross such symbolic links.
Filesystem Request Directions
FS_REQUEST_DIR_USER_NONCACHED
Value: 0
Operations performed in the
user mode application <--> filesystem direction.
FS_REQUEST_DIR_USER_CACHED
Value: 1
Operations performed in the
user mode application <--> system cache direction.
FS_REQUEST_DIR_SYSTEM_NONCACHED
Value: 2
Operations performed in the
system cache <--> filesystem direction.
FS_REQUEST_DIR_SYSTEM_CACHED
Value: 3
Operations performed in the
system component <--> system cache direction.
Filesystem Volume Mount Events
Don't fire any events when volumes are mounted or unmounted.
Fire all events when volumes are mounted or unmounted.
File Flushing Behavior Flags
FS_FLUSH_FILES_ON_OPEN
Value: 1
Whether memory-mapped file data should be flushed to disk before files are opened.
This flag indicates that the class's system driver should flush any cached and memory-mapped file data, leftover from the last time a file was opened, before opening it again.
Doing so ensures that file data are read directly from the disk rather than from the old memory mapping.
Applications that modify file data as it is being read may need to set this flag to function correctly.
For example, applications that provide on-the-fly encryption should set this flag to ensure that file data are always read from the disk (and thus have a chance to get decrypted) when a file is opened.
Applications that do not modify file data as it is being read should leave this flag unset to maintain optimal performance when opening files.
FS_FLUSH_FILES_ON_CLOSE
Value: 2
Whether file buffers must be flushed when files are closed.
This flag indicates that the class's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) when they are closed.
Applications that modify file data as it is being written may need to set this flag to function correctly.
For example, applications that provide on-the-fly encryption should set this flag to ensure that all file data are flushed to the disk (and thus has a chance to get encrypted)
when a file is closed.
Applications that do not modify file data as it is being written can unset this flag.
After a file is flushed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information.
FS_CLOSE_FILES_ON_STOPFILTER
Value: 4
Whether files opened for writing must be closed when the application stops filtering.
This flag indicates that the class's system driver should close files that are opened for writing (and have had data written to them) when the application calls
StopFilter.
Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag to prevent further operations against the file data from being performed.
Applications that do not modify file data as it is being written can leave this flag unset.
Note: If memory mappings of some file exist, these mappings will remain active; only the open handles to such files are closed.
When the file is closed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information.
Applications can control whether file data are flushed before files are closed using the FS_FLUSH_FILES_ON_STOPFILTER flag; any data that are not flushed get discarded.
FS_FLUSH_FILES_ON_STOPFILTER
Value: 8
Whether file buffers must be flushed when the application stops filtering.
This flag indicates that the class's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) when the application calls
StopFilter.
Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag to ensure that no unprotected data are kept in memory, but rather has a chance to be encrypted and written out to disk.
Applications that do not modify file data as it is being written can leave this flag unset.
If the application will not be able to perform on-the-fly data modification at the moment when StopFilter is called (e.g., because a cryptographic hardware module is unplugged), then this flag should be unset before calling StopFilter.
After a file is flushed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information.
FS_CLOSE_FILES_ON_CRASH
Value: 16
Whether files opened for writing must be closed if the application terminates unexpectedly.
This flag indicates that the class's system driver should close files that are opened for writing (and have had data written to them) if the driver detects that the application has terminated.
Applications that modify file data as it is being written (e.g., on-the-fly encryption) may need to set this flag to prevent further operations against the file data from being performed.
Applications that do not modify file data as it is being written can leave this flag unset.
Note: If memory mappings of some file exist, these mappings will remain active; only the open handles to such files are closed.
When the file is closed, all in-memory buffers and memory mappings are cleared to avoid leakage of unprotected information.
FS_FLUSH_FILES_ON_CRASH
Value: 32
Whether file buffers must be flushed if the application terminates unexpectedly.
This flag indicates that the class's system driver should flush and clear the buffers of files that are opened for writing (and have had data written to them) if the driver detects that the application has terminated.
Applications that do not modify data as it is being written may set this flag if necessary.
Applications that modify data as it is being written (e.g., on-the-fly encryption) should not set this flag, because such flushing could cause unprotected data to be written out to disk.
Delete request types
DEL_REQ_OPEN_FLAG
Value: 0x1
The file or directory is opened with the FILE_FLAG_DELETE_ON_CLOSE flag
DEL_REQ_SET_DISPOSITION
Value: 0x2
The system has sent the IRP_MJ_SET_INFORMATION request with SetFileDisposition structure as a parameter.
This request usually is sent using the
NtSetInformationFile() Windows native API function.
Process Event Flags
Don't fire for any process operations.
Events will not fire for any process operations.
PROC_EVT_PROCESS_CREATION
Value: 1
Fire during process creation operations.
The
ProcessCreation event will fire anytime the OS attempts to create a process.
PROC_EVT_PROCESS_TERMINATION
Value: 2
Fire during process closing/termination.
The
ProcessTermination event will fire when a process is being terminated.
PROC_EVT_PROCESS_HANDLE_OPERATION
Value: 4
Fire during process handle creation or duplication.
The
ProcessHandleOperation event will fire when a process
handle is being created or duplicated.
PROC_EVT_THREAD_CREATION
Value: 8
Fire during thread creation operations.
The
ThreadCreation event will fire when a thread is being created, before it is started.
PROC_EVT_THREAD_TERMINATION
Value: 0x10
Fire during thread termination operations.
The
ThreadTermination event will fire when a thread is being terminated.
PROC_EVT_THREAD_HANDLE_OPERATION
Value: 0x20
Fire during thread handle creation or duplication.
The
ThreadHandleOperation event will fire when a thread
handle is being created or duplicated.
Fire for all process and thread operations.
Events will fire for all thread operations.
Registry Control Event Flags
Don't fire for any registry operations.
Control Events will not fire for any registry operations.
REG_CE_BEFORE_CREATE_KEY
Value: 0x00000001L
Fire before registry key creation operations.
The
BeforeCreateKey event will fire anytime the OS attempts to create a registry key.
REG_CE_AFTER_CREATE_KEY
Value: 0x00000002L
Fire after registry key creation operations.
The
AfterCreateKey event will fire after a registry key creation request has been processed, before the response is returned.
REG_CE_BEFORE_OPEN_KEY
Value: 0x00000004L
Fire before registry key open operations.
The
BeforeOpenKey event will fire anytime the OS attempts to open a registry key.
REG_CE_AFTER_OPEN_KEY
Value: 0x00000008L
Fire after registry key open operations.
The
AfterOpenKey event will fire after a registry key open request has been processed, before the response is returned.
REG_CE_BEFORE_CLOSE_KEY
Value: 0x00000010L
Fire before registry key close operations.
The
BeforeCloseKey event will fire anytime the OS closes a registry key.
REG_CE_AFTER_CLOSE_KEY
Value: 0x00000020L
Fire after registry key close operations.
The
AfterCloseKey event will fire after a registry key close request has been processed, before the response is returned.
REG_CE_BEFORE_DELETE_KEY
Value: 0x00000040L
Fire before registry key delete operations.
The
BeforeDeleteKey event will fire anytime the OS attempts to delete a registry key.
REG_CE_AFTER_DELETE_KEY
Value: 0x00000080L
Fire after registry key delete operations.
The
AfterDeleteKey event will fire after a registry key delete request has been processed, before the response is returned.
REG_CE_BEFORE_RENAME_KEY
Value: 0x00000100L
Fire before registry key rename operations.
The
BeforeRenameKey event will fire anytime the OS attempts to rename a registry key.
REG_CE_AFTER_RENAME_KEY
Value: 0x00000200L
Fire after registry key rename operations.
The
AfterRenameKey event will fire after a registry key rename request has been processed, before the response is returned.
REG_CE_BEFORE_ENUM_KEY
Value: 0x00000400L
Fire before subkey enumeration operations.
The
BeforeEnumerateKey event will fire anytime the OS attempts to enumerate a registry key's subkeys.
REG_CE_AFTER_ENUM_KEY
Value: 0x00000800L
Fire after subkey enumeration operations.
The
AfterEnumerateKey event will fire after a subkey enumeration request has been processed, before the response is returned.
REG_CE_BEFORE_QUERY_KEY
Value: 0x00001000L
Fire before registry key metadata retrieval operations.
The
BeforeQueryKey event will fire anytime the OS attempts to retrieve a registry key's metadata.
REG_CE_AFTER_QUERY_KEY
Value: 0x00002000L
Fire after registry key metadata retrieval operations.
The
AfterQueryKey event will fire after a registry key metadata retrieval request has been processed, before the response is returned.
REG_CE_BEFORE_SET_KEY
Value: 0x00004000L
Fire before registry key metadata update operations.
The
BeforeSetKey event will fire anytime the OS attempts to update a registry key's metadata.
REG_CE_AFTER_SET_KEY
Value: 0x00008000L
Fire after registry key metadata update operations.
The
AfterSetKey event will fire after a registry key metadata update request has been processed, before the response is returned.
REG_CE_BEFORE_DELETE_VALUE
Value: 0x00010000L
Fire before registry value delete operations.
The
BeforeDeleteValue event will fire anytime the OS attempts to delete a registry value.
REG_CE_AFTER_DELETE_VALUE
Value: 0x00020000L
Fire after registry value delete operations.
The
AfterDeleteValue event will fire after a registry value delete request has been processed, before the response is returned.
REG_CE_BEFORE_ENUM_VALUE
Value: 0x00040000L
Fire before value enumeration operations.
The
BeforeEnumerateValue event will fire anytime the OS attempts to enumerate a registry key's values.
REG_CE_AFTER_ENUM_VALUE
Value: 0x00080000L
Fire after value enumeration operations.
The
AfterEnumerateValue event will fire after a value enumeration request has been processed, before the response is returned.
REG_CE_BEFORE_QUERY_VALUE
Value: 0x00100000L
Fire before registry value query operations.
The
BeforeQueryValue event will fire anytime the OS attempts to query a registry value.
REG_CE_AFTER_QUERY_VALUE
Value: 0x00200000L
Fire after registry value query operations.
The
AfterQueryValue event will fire after a registry value query request has been processed, before the response is returned.
REG_CE_BEFORE_SET_VALUE
Value: 0x00400000L
Fire before registry value set/update operations.
The
BeforeSetValue event will fire anytime the OS attempts to set or update a registry value.
REG_CE_AFTER_SET_VALUE
Value: 0x00800000L
Fire after registry value set/update operations.
The
AfterSetValue event will fire after a registry value set or update request has been processed, before the response is returned.
REG_CE_BEFORE_GET_KEY_SECURITY
Value: 0x001000000L
Fire before get registry key security operations.
The
BeforeGetKeySecurity event will fire before the OS queries the security attributes of a registry key.
REG_CE_AFTER_GET_KEY_SECURITY
Value: 0x002000000L
Fire after registry value query operations.
The
AfterGetKeySecurity event will fire after a get security operation has been processed, before the response is returned.
REG_CE_BEFORE_SET_KEY_SECURITY
Value: 0x004000000L
Fire before registry value set/update operations.
The
BeforeSetValue event will fire anytime the OS needs to change the security attributes of a registry key.
REG_CE_AFTER_SET_KEY_SECURITY
Value: 0x008000000L
Fire after registry value set/update operations.
The
AfterSetValue event will fire after a security attributes change request has been processed, before the response is returned.
Fire for all registry operations.
Control Events will fire for all registry operations.
Registry Key Fields
REG_KEYFIELD_LASTWRITETIME
Value: 1
A registry key's last write time.
REG_KEYFIELD_NAME
Value: 2
A registry key's name.
REG_KEYFIELD_MAXNAMELENGTH
Value: 4
A registry key's longest subkey name.
REG_KEYFIELD_CLASSNAME
Value: 8
A registry key's class name.
REG_KEYFIELD_MAXCLASSNAMELENGTH
Value: 16
A registry key's longest subkey class name.
REG_KEYFIELD_SUBKEYS
Value: 32
The number of subkeys a registry key has.
REG_KEYFIELD_VALUES
Value: 64
The number of values a registry key has.
REG_KEYFIELD_MAXVALUENAMELENGTH
Value: 128
A registry key's longest value name.
REG_KEYFIELD_MAXVALUEDATASIZE
Value: 256
A registry key's largest value data size.
REG_KEYFIELD_VIRTUALIZATIONINFO
Value: 512
A registry key's virtualization information.
Registry Value Fields
REG_VALUEFIELD_TYPE
Value: 1
A registry value's type.
REG_VALUEFIELD_NAME
Value: 2
A registry value's name.
REG_VALUEFIELD_DATA
Value: 4
A registry value's data.
Registry Value Types
REG_VALUETYPE_SZ
Value: 1
A unicode string.
REG_VALUETYPE_EXPAND_SZ
Value: 2
A unicode string that contains environmental variable references.
REG_VALUETYPE_BINARY
Value: 3
Binary data.
REG_VALUETYPE_DWORD
Value: 4
A 32-bit number.
REG_VALUETYPE_MULTI_SZ
Value: 7
Multiple unicode strings.
REG_VALUETYPE_QWORD
Value: 11
A 64-bit number.
Install Flags
INSTALL_REMOVE_OLD_VERSIONS
Value: 0x00000001
Uninstall drivers from previous class versions (e.g., 2017).
INSTALL_KEEP_START_TYPE
Value: 0x00000002
Keep the driver's current start type setting in the registry.
If this flag is not set (default), the installation logic will reset the driver's start type setting in the Windows registry to the default value.
Setting this flag causes the installation logic to preserve the current value, which may be necessary if the user (or the application) set it previously.
INSTALL_OVERWRITE_SAME_VERSION
Value: 0x00000004
Install the driver file when its version and build number is the same as the version of the already installed driver.
INSTALL_REQUESTS_VIA_DRIVER_STACK
Value: 0x00001000
Whether internal requests to the filesystem are sent directly to the filesystem driver or through the stack of filesystem filter drivers.
This flag is applicable only for
CBFilter and
CBMonitor.
After installation, the effects of this flag can be changed using the SendRequestsViaDriverStack configuration setting.
INSTALL_ALWAYS_PREPARE_FILES
Value: 0x00010000
Whether the driver should keep track of information for files that are already open when (i.e., were opened before) the class is initialized.
This flag is applicable only for
CBFilter and
CBMonitor.
If this flag is set, the driver will prepare information about each file as it is opened, regardless of whether a CBFilter/CBMonitor-based application is actually running at the time. This information then allows applications to receive events for any files that are already open when the CBFilter/CBMonitor class is initialized.
Note: These preparations will slow down all file open operations; do not enable this feature unless it is actually necessary.
After installation, the effects of this flag can be changed using the AlwaysPrepareFiles configuration setting.
INSTALL_FORCE_APP_PERMISSION_CHECK
Value: 0x00020000
Whether the driver should require the controller process to have elevated or system privileges.
This flag is not applicable for
CBProcess.
If this flag is set, the driver will verify that the controller process is a system service (or is executing with elevated privileges) anytime a file is opened. If the controller process does not meet these requirements, the file will be skipped (i.e., not filtered in any way).
Note: This additional verification will slow down all file open operations.
After installation, the effects of this flag can be changed using the ForceAppPermissionCheck configuration setting.
INSTALL_FORCE_SECURITY_CHECKS
Value: 0x00040000
Whether the driver should prevent the controller process from filtering files that it would not normally have access to.
This flag is not applicable for
CBProcess.
If this flag is set, the driver will check the security permissions of the controller process anytime a file is opened to verify that the process has access to the file.
If the controller process does not have access to the file, the file will be skipped (i.e., not filtered in any way).
For example, if this flag is set and the controller process is running with limited privileges, then the driver will not allow it to filter files that require greater privileges to access.
Note: This additional verification will slow down all file open operations.
After installation, the effects of this flag can be changed using the ForceSecurityChecks configuration setting.
Uninstall Version Flags
UNINSTALL_VERSION_PREVIOUS
Value: 0x00000001
Uninstall modules from previous product versions.
Note: This functionality is only available in Windows.
UNINSTALL_VERSION_CURRENT
Value: 0x00000002
Uninstall modules from the current product version.
Note: This functionality is only available in Windows.
UNINSTALL_VERSION_ALL
Value: 0x00000003
Uninstall modules from all product versions.
Note: This functionality is only available in Windows.
Module Status Flags
MODULE_STATUS_NOT_PRESENT
Value: 0x00000000
The specified module is not present on the system.
Note: This functionality is only available in Windows.
MODULE_STATUS_STOPPED
Value: 0x00000001
The specified module is in the Stopped state.
Note: This functionality is only available in Windows.
MODULE_STATUS_RUNNING
Value: 0x00000004
The specified module is loaded and running.
Note: This functionality is only available in Windows.
File Attributes
FILE_SYS_ATTR_READ_ONLY
Value: 0x00000001
The file is read-only.
Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories.
FILE_SYS_ATTR_HIDDEN
Value: 0x00000002
The file or directory is hidden.
The file is not included in an ordinary directory listing.
FILE_SYS_ATTR_SYSTEM
Value: 0x00000004
A file or directory that the operating system uses a part of, or uses exclusively.
FILE_SYS_ATTR_DIRECTORY
Value: 0x00000010
The entry is a directory.
FILE_SYS_ATTR_ARCHIVE
Value: 0x00000020
The entry is an archive file or directory.
Applications typically use this attribute to mark files for backup or removal.
FILE_SYS_ATTR_NORMAL
Value: 0x00000080
A file doesn't have other attributes set.
This attribute is valid only when used alone.
FILE_SYS_ATTR_TEMPORARY
Value: 0x00000100
A file that is being used for temporary storage.
File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data are written after the handle is closed.
FILE_SYS_ATTR_SPARSE_FILE
Value: 0x00000200
A file that is a sparse file.
FILE_SYS_ATTR_REPARSE_POINT
Value: 0x00000400
A file that is a reparse point or a symbolic link.
FILE_SYS_ATTR_COMPRESSED
Value: 0x00000800
A file or directory that is compressed.
For a file, all of the data in the file are compressed. For a directory, compression is the default for newly created files and subdirectories. A filesystem implementation can make use of this attribute by setting the
SupportCompressedAttribute property to
true and then properly handling the
GetFileInfo,
EnumerateDirectory, and
SetFileAttributes events.
FILE_SYS_ATTR_OFFLINE
Value: 0x00001000
The data of a file are not available immediately.
This attribute indicates that the file data are physically moved to offline storage.
FILE_SYS_ATTR_NOT_CONTENT_INDEXED
Value: 0x00002000
The file or directory is not to be indexed by the content indexing service.
FILE_SYS_ATTR_ENCRYPTED
Value: 0x00004000
A file or directory that is encrypted.
For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
Note: This flag is used by NTFS and the OS sends undocumented requests to the filesystem based on this flag. The flag should not be used for files in custom filesystem implementations.
FILE_SYS_ATTR_VIRTUAL
Value: 0x00010000
Reserved.
Note: This flag is reserved by the OS and should not be used for files in custom filesystem implementations.
FILE_SYS_ATTR_RECALL_ON_OPEN
Value: 0x00040000
The file or directory has no physical representation on the local system; the item is virtual.
Opening the item will be more expensive than normal (e.g., it will cause at least some of it to be fetched from a remote store). This flag is reported by filesystems during directory enumerations.
File Desired Access Flags
DESIRED_ACCESS_FILE_LIST_DIRECTORY
Value: 0x00000001
For a directory, the right to list the contents of the directory.
DESIRED_ACCESS_FILE_READ_DATA
Value: 0x00000001
For a file object, the right to read the corresponding file data.
For a directory object, the right to read the corresponding directory data.
DESIRED_ACCESS_FILE_ADD_FILE
Value: 0x00000002
For a directory, the right to create a file in the directory.
DESIRED_ACCESS_FILE_WRITE_DATA
Value: 0x00000002
For a file object, the right to write data to the file.
For a directory object, the right to create a file in the directory
DESIRED_ACCESS_FILE_ADD_SUBDIRECTORY
Value: 0x00000004
For a directory, the right to create a subdirectory.
DESIRED_ACCESS_FILE_APPEND_DATA
Value: 0x00000004
For a file object, the right to append data to the file.
(For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY).
DESIRED_ACCESS_FILE_READ_EA
Value: 0x00000008
The right to read extended file attributes.
DESIRED_ACCESS_FILE_WRITE_EA
Value: 0x00000010
The right to write extended file attributes.
DESIRED_ACCESS_FILE_EXECUTE
Value: 0x00000020
For a native code file, the right to execute the file.
This access right given to scripts may cause the script to be executable, depending on the script interpreter.
DESIRED_ACCESS_FILE_DELETE_CHILD
Value: 0x00000040
For a directory, the right to delete a directory and all the files it contains, including read-only files.
DESIRED_ACCESS_FILE_READ_ATTRIBUTES
Value: 0x00000080
The right to read file attributes.
DESIRED_ACCESS_FILE_WRITE_ATTRIBUTES
Value: 0x00000100
The right to write file attributes.
DESIRED_ACCESS_READ_CONTROL
Value: 0x00020000
The right to read the information in the file or directory object's security descriptor.
This does not include the information in the SACL.
DESIRED_ACCESS_STANDARD_RIGHTS_READ
Value: 0x00020000
Includes READ_CONTROL, which is the right to read the information in the file or directory object's security descriptor.
This does not include the information in the SACL.
DESIRED_ACCESS_STANDARD_RIGHTS_WRITE
Value: 0x00020000
Same as STANDARD_RIGHTS_READ
DESIRED_ACCESS_STANDARD_RIGHTS_EXECUTE
Value: 0x00020000
Same as STANDARD_RIGHTS_READ
DESIRED_ACCESS_SYNCHRONIZE
Value: 0x00100000
The right to use the object for synchronization.
This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
DESIRED_ACCESS_FILE_ALL_ACCESS
Value: 0x001F01FF
All possible access rights for a file.
DESIRED_ACCESS_FILE_GENERIC_READ
Value: 0x00120089
A combinarion of flags that allow reading of the file.
Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.
DESIRED_ACCESS_FILE_GENERIC_WRITE
Value: 0x00120116
A combinarion of flags that allow modifications to the file.
Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.
DESIRED_ACCESS_FILE_GENERIC_EXECUTE
Value: 0x001200A0
A combinarion of flags that allow execution of the file.
Note: Don't match received values against this flag. Instead, use flags that specify the rights that you want to verify or add/remove.
Creation Disposition flags
FILE_DISPOSITION_CREATE_NEW
Value: 0x00000001
Creates a new file, only if it does not already exist.
If the specified file exists, the operation fails with an "already exists" error.
FILE_DISPOSITION_CREATE_ALWAYS
Value: 0x00000002
Creates a new file, always.
If the specified file exists and is writable, the system overwrites the file. If the specified file does not exist and is a valid path, a new file is created.
FILE_DISPOSITION_OPEN_EXISTING
Value: 0x00000003
Opens a file, only if it exists
If the specified file does not exist, opening fails.
FILE_DISPOSITION_OPEN_ALWAYS
Value: 0x00000004
Opens a file, always.
If the specified file exists, the operation succeeds. If the specified file does not exist and is a valid path to a writable location, the a file is created.
FILE_DISPOSITION_TRUNCATE_EXISTING
Value: 0x00000005
Opens a file and truncates it so that its size is zero bytes, only if it exists.
If the specified file does not exist, the operation fails with a "file not found" error.
Share Mode Flags
FILESYS_SHARE_NONE
Value: 0x00000000
Prevents any process from opening a file or device if it requests delete, read, or write access.
FILESYS_SHARE_READ
Value: 0x00000001
Enables subsequent open operations on a file or device to request read access.
Enables subsequent open operations to request read access; otherwise, no process can open the file or device if it requests read access. If this flag is not specified, but the file or device has been opened for read access, the function fails.
FILESYS_SHARE_WRITE
Value: 0x00000002
Enables subsequent open operations on a file or device to request write access.
Enables subsequent open operations to request write access; otherwise, no process can open the file or device if it requests write access.
If this flag is not specified, but the file or device has been opened for write access or has a file mapping with write access, the function fails.
FILESYS_SHARE_DELETE
Value: 0x00000004
Enables subsequent open operations on a file or device to request delete access.
Enables subsequent open operations to request delete access; otherwise, no process can open the file or device if it requests delete access. If this flag is not specified, but the file or device has been opened for delete access, the function fails.
Note: Delete access allows both delete and rename operations.
CBFILTER_IGNORE_SHARE_ACCESS_CHECK
Value: 0x10000000
Specifies that the driver should pass IO_IGNORE_SHARE_ACCESS_CHECK flag to the system functions.
Use this flag to bypass sharing checks performed by the I/O manager when opening local files.
Note: The filesystem still may perform these checks. Also, the internal structures are not updated with the share mode values, passed in this call. This means that subsequent file open operations will not know about the previous share mode and may succeed where they would have to fail.
Creation Status values
CREATION_STATUS_SUPERSEDED
Value: 0x00000000
An existing file was superseded by the new file.
The previous version of a file may still exist if it had hard links other than the name used in the operation.
CREATION_STATUS_OPENED
Value: 0x00000001
The file existed before the operation and was opened.
CREATION_STATUS_CREATED
Value: 0x00000002
The file didn't exist before the operation and was created.
CREATION_STATUS_OVERWRITTEN
Value: 0x00000003
The file exists, and its contents have been replaced.
CREATION_STATUS_EXISTS
Value: 0x00000004
The file existed before the operation, and no action was taken.
CREATION_STATUS_DOES_NOT_EXIST
Value: 0x000000055
The file did not exist before the operation, and no action was taken.
BypassIO operations
Requests that BypassIO be enabled for the given file, which means an application might not see all non-cached reads for that file.
Informs that BypassIO is being disabled on the specified file.
Queries whether BypassIO can be enabled for the given file.
BPIO_OP_VOLUME_STACK_PAUSE
Value: 4
Requests that BypassIO be paused on the specified volume/storage stack.
BPIO_OP_VOLUME_STACK_RESUME
Value: 5
Requests that BypassIO processing be resumed on the given volume.
BPIO_OP_STREAM_PAUSE
Value: 6
Requests that BypassIO processing be paused on a stream.
BPIO_OP_STREAM_RESUME
Value: 7
Requests that BypassIO processing be resumed on a stream.
BPIO_OP_GET_INFO
Value: 8
Requests information about the BypassIO state of the volume.