Search Directory
Summit Directory » Article Details

Monitor and Control File Access in Real-Time

Date Added: January 27, 2015 10:56:36 AM
Author: Victor Rich
Category: Computers and Internet: Software
What is the file access? The file access is an I/O operation to a file, there are two types of file access: read access and write access, read access will not change the file, write access will change the file data, file information or file security. To access a windows file, you have to invoke the Win32 API which was exported by Windows subsystems service, the most frequently used Windows API to a file is "CreateFile", "ReadFile", "WriteFile", "MoveFile". "DeleteFile". I/O operations are layered, when a user application invokes a Win32 API, the I/O manager intercepts this call, sets up one or more I/O request packets (IRPs), and routes them through possibly layered drivers to physical devices, the filter driver can intercept this I/O, then the filter driver can pass through this I/O to next layer driver or complete this I/O. If the filter driver passes through this I/O, the filter driver can intercept this I/O request which comes back from the Windows file system if the post I/O operation was registered. If the filter driver completes this I/O, the request will not pass down to the Windows file system, the filter driver can return your won status and appropriate data to the user application. The filter driver can register a preoperation callback routine, a postoperation callback routine, or both. When the filter driver intercepts the I/O request, it can get the caller's process name, user's SID (Security Identifier) which it can decode the user name, domain name, the filter driver also can get the current I/O information, the I/O type (create, read, write, rename, delete...), the file name and the file information ( file size, file time, file attributes...). If the filter driver only wants to monitor this I/O request, it can send those informations to the user, if the filter driver wants to control this I/O request, it can denied this I/O request, or modify the I/O data and return status. The applications to use filter driver: 1. Audit File Access and Change in Windows in Real-Time With file system monitor filter you can monitor the file activities on file system level, captures file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.You can create the file access log, you will know who, when, what files were accessed. 2. File Access Control System With the file system filter driver, you can control the file access with whatever you want as following: 1) Allow or deny the file open or create with the specific access right for some users and processes. 2) Reparse the specific file open to another location. 3) Hide and change the display file names for the specific folders. 4) Replace the read or write data with your own content for specific files. 5) Allow or deny the file rename, delete or modification for the specific users and processes. To develop file systems and file system filter drivers, use the Windows Driver Kit (WDK),which is provided by Microsoft. Even with the resources available in the Windows Driver Kit (WDK) developing file systems is certainly a challenge. To simplify your development and to provide you with a robust and well-tested file system filter driver that works with all versions and patch releases of the Windows operating systems supported by Microsoft, EaseFilter Inc. offers the file system filter driver SDK which provides a complete, modular environment for building active file system filters in your application. With the EaseFilter file system filter driver SDK, you can develop your own filter driver application with c++/c# or other languages. EaseFilter File System Filter Driver SDK is a mature commercial product. It provides a complete modular framework to the developers even without driver development experience to build the filter driver within a day. The SDK includes the modules from code design to the product installation, it includes all the basic features you need to build a filter driver. EaseFilter Inc. is a company who specializes in windows file system filter driver development. It can provide architect, implement and test file system filter drivers for a wide range of functionalities. It also can offer several levels of assistance to meet your specific needs: Provide consulting service for your existing file system filter driver; Customize the SDK to meet your requirement; Create your own filter driver with SDK source code. For more information please go to the website: www.easefilter.com You can download the demo binary and example projects here: http://www.easefilter.com/download/easefilter.zip