winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Add QueryOnCreate (QoC) information to file informer #2120

Open jxy-s opened 2 days ago

jxy-s commented 2 days ago

Description of the feature, modification, idea or suggestion

It would be nice to include the QoC information in the file informer for the traceability of file activity on the system through the mini-filter.

https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltretrievefileinfooncreatecompletionex

Proposed implementation details (optional)

Add an informer option for each QoC file information class, checking it when looking for options: https://github.com/winsiderss/systeminformer/blob/25c4f8219cb7300f7ad84bd1bf93efcce310d792/KSystemInformer/informer_fileop.c#L142-L153

If enabled, in pre-op for an IRP_MJ_CREATE request the information is made available for post-op by calling FltRequestFileInfoOnCreateCompletion with the appropriate QoCFile* flags: https://github.com/winsiderss/systeminformer/blob/25c4f8219cb7300f7ad84bd1bf93efcce310d792/KSystemInformer/informer_fileop.c#L2127-L2143

In post-op for IRP_MJ_CREATE, retrieve any information requested in pre-create by calling FltRetrieveFileInfoOnCreateCompletionEx and fill it into the file informer message: https://github.com/winsiderss/systeminformer/blob/25c4f8219cb7300f7ad84bd1bf93efcce310d792/KSystemInformer/informer_fileop.c#L1231-L1243