How do I protect directory contents from modifications?

Possible modifications include creation of the file or directory, writing to the file, renaming of a file or directory, and deletion of a file or directory.

To prevent creation of a file or directory,

  1. add a filter rule using the AddFilterRule method and set the rule with FS_CE_BEFORE_CREATE flag;
  2. handle the BeforeCreateFile event. In the event handler, set the ResultCode parameter to ERROR_ACCESS_DENIED (numeric code 5) and the ProcessRequest parameter to false.

To prevent modification of a file or directory,

  1. add a filter rule using the AddFilterRule method and set the rule with FS_CE_BEFORE_CREATE flag;
  2. handle the BeforeOpenFile event. In the event handler, inspect the DesiredAccess parameter. If it includes the flags that indicate the right to modify file data or attributes, your application has two options:
    1. allow the file or directory to be opened only for reading by modifying the DesiredAccess parameter and removing the corresponding flags. Set the ProcessRequest parameter to true to pass the request to the filesystem and let the file or directory be opened;
    2. prevent opening of a file completely by setting the ResultCode parameter to ERROR_ACCESS_DENIED (numeric code 5) and the ProcessRequest parameter to false.
    Which option to use depends on the primary scenarios of application operation. Some applications open files for reading and writing even when they are not going to modify the data. In this case, prevention of file open operations will prevent such application from being able to work with such file. On the other hand, if your application modifies the DesiredAccess and removes the flags that request modifications, other processes might be unable to handle the situation when they seemingly successfully open the file and then are not able to write the data into it.

To prevent file or directory deletion,

  1. add a filter rule using the AddFilterRule method and set the rule with FS_CE_BEFORE_CAN_DELETE flag;
  2. handle the BeforeCanFileBeDeleted event. In the event handler, set both CanDelete and ProcessRequest parameters to false.

To prevent renaming of a file or directory,

  1. add a filter rule using the AddFilterRule method and set the rule with FS_CE_BEFORE_RENAME flag;
  2. handle the BeforeRenameOrMoveFile event. As the file can be moved in or out of the directory, you need to inspect the current and new names to figure out whether you want to block the particular operation. If you do, set the ResultCode parameter to ERROR_ACCESS_DENIED (numeric code 5) and the ProcessRequest parameter to false.

In some cases, you might need to let your application make modifications in the directory while letting other applications only read the directory data. This is done in two ways. First, the CBFilter driver is by default set to ignore file operations coming from the controlling application. This is done to prevent deadlocks during development. If you keep the FilterOwnRequests config setting intact, you don’t need to do anything else - the above prevention measures won’t affect your application and it will be able to modify directory contents. If you change the config setting to true, then you need to filter out your own requests in the event handlers. This can be done by calling the GetOriginatorProcessId method and comparing the PID of the request originator with the PID of your own process. Then, you block requests as described above but only if PIDs don't match.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@callback.com.