Is there a way to detect deletion of a file before Windows performs the deletion? I found the FileSystemWatcher class, but its event is raised only after the delete action is performed; I want to trap the delete action once the user/process chooses to delete it. You can monitor the file system table, but I am looking for a better approach. Thanks for your help.
Did it by hooking the NtSetFileInformation API using the mhook library; worked like a charm. Thanks guys. – vgeta Jun 05 '12 at 15:33
3 Answers
You need a filesystem filter driver. However, I strongly suggest that if you don't know the answer, you probably shouldn't be doing it.
http://msdn.microsoft.com/en-us/library/windows/hardware/gg462968.aspx

Thanks, but I'm not looking for driver-level solutions. Writing a driver is not a feasible one for me :). I was looking for an API-level solution. – vgeta May 23 '12 at 21:20
I may be completely wrong, but is it possible to run a service that holds a lock on the file, so that whenever something tries to delete it, my service can find it out? – vgeta May 23 '12 at 21:23
If you want to PREVENT deletion, just hold an open handle (open with access FILE_READ_ATTRIBUTES) but without FILE_SHARE_DELETE. Finding out that someone attempted to delete it is harder. – Ben May 23 '12 at 21:32
Oh... but I want to let the deletion happen eventually, after I make a copy of the file. Thanks. – vgeta May 23 '12 at 21:37
This sort of low-level file trickery really belongs in a filter driver, not an application. (For example, you can hang the other application by doing a `Sleep(INFINITE)` in your "last-second copy" code. Which becomes a security issue if the other application is running under a different security context.) Maybe you can just dig an old copy of the file out of the volume snapshot database. – Raymond Chen May 23 '12 at 21:46
@Gopikanna, have you looked at shadow copy services (VSS)? Edit: As Raymond Chen suggests... – Ben May 23 '12 at 21:46
@Ben @Raymond I am not sure whether I can use it, but I will look into it. Thanks. – vgeta May 23 '12 at 22:00
I think the simplest way is to use a hook to get notified of (and eventually to stop) the process. It can't be done in .NET, so you have to DllImport a lot of structures and a few functions to P/Invoke.
Let's start your job with the NtSetFileInformation (undocumented) function. It's the function called by everything else when a file needs to be deleted (with the FileDispositionInformation structure).
Now the problem is how to hook that function (good luck, it's not easy). A good choice can be to use Microsoft Detours. Take a look at this article for an example. Its problem is that it's not free. An alternative solution (with a reasonable price and with a .NET interface) is Deviare, but I never tried even their free version, so I don't know how good it is. If someone else knows a good interception tool...

Thanks, I actually don't want to stop the process from deleting the file. I want to make a secure copy of the file and let the deletion happen. – vgeta May 23 '12 at 21:34
@Gopikanna it's the same (hard) way. The big problem is to **detect** when someone/something is trying to delete a file (different functions use different methods; NtSetFileInformation is just the deepest one). When you're there, what to do is (kind of) trivial. – Adriano Repetti May 23 '12 at 21:36
@Gopikanna a small tip for a complex task: start with the linked article on CodeProject, it's good (if you'll use Detours). – Adriano Repetti May 23 '12 at 21:53
I have a doubt: if I successfully write an API hook for NtSetFileInformation using Detours, does that mean any number of processes that may call this API will go through the detour function I wrote? Thanks. – vgeta May 24 '12 at 14:33
Yes. Everyone that calls NtSetFileInformation will first pass by your function, no matter which method they're using to delete a file (shell, _basic_ Windows API, NtSetFileInformation directly or whatever else). – Adriano Repetti May 24 '12 at 15:25
Thanks.. I am trying to find NtSetFileInformation but it's nowhere. Do you have any idea where to find it? – vgeta May 24 '12 at 22:24
Oh.. It is this one I guess http://msdn.microsoft.com/en-us/library/windows/hardware/ff557671(v=vs.85).aspx.. – vgeta May 24 '12 at 22:33
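A worked example of the approach the poster settled on (an inline hook installed with the mhook library from the OP's follow-up comment); this is added code, not from the thread or from mhook. It assumes `mhook.h` is on the include path and that the hook DLL is already loaded into the process whose deletes you want to observe; note that ntdll exports the function as `NtSetInformationFile` (the MSDN page linked above documents its Zw alias), and the deletion check also covers the newer `FileDispositionInformationEx` class, which the thread does not mention.

```c
#include <stdbool.h>
#include <stdint.h>
/* FILE_INFORMATION_CLASS values and structs from the WDK (ntifs.h), redeclared
 * here so the decision logic also compiles and tests outside Windows. */
#define DISPOSITION_INFO_CLASS    13  /* FileDispositionInformation   */
#define DISPOSITION_INFO_EX_CLASS 64  /* FileDispositionInformationEx */
#define DISPOSITION_FLAG_DELETE   0x1 /* FILE_DISPOSITION_DELETE      */
typedef struct { uint8_t  DeleteFile; } FILE_DISPOSITION_INFORMATION;    /* BOOLEAN */
typedef struct { uint32_t Flags;      } FILE_DISPOSITION_INFORMATION_EX; /* ULONG   */

/* True when this NtSetInformationFile call marks the file for deletion. Classic
 * callers use class 13; DeleteFileW on newer Windows 10 builds tries class 64
 * first, so a hook that only checks class 13 silently misses those deletes. */
bool is_delete_request(uint32_t cls, const void *info, uint32_t len)
{
    if (cls == DISPOSITION_INFO_CLASS && len >= sizeof(FILE_DISPOSITION_INFORMATION))
        return ((const FILE_DISPOSITION_INFORMATION *)info)->DeleteFile != 0;
    if (cls == DISPOSITION_INFO_EX_CLASS && len >= sizeof(FILE_DISPOSITION_INFORMATION_EX))
        return (((const FILE_DISPOSITION_INFORMATION_EX *)info)->Flags & DISPOSITION_FLAG_DELETE) != 0;
    return false;
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h> /* NTSTATUS, PIO_STATUS_BLOCK */
#include "mhook.h"    /* Mhook_SetHook() from the mhook library (assumed on the include path) */
typedef NTSTATUS (NTAPI *NtSetInformationFile_fn)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG, ULONG);
static NtSetInformationFile_fn g_origNtSetInformationFile;

/* Replacement for ntdll!NtSetInformationFile in the hooked process: on a delete
 * request, copy the file to <path>.deleted, then always forward the call so the
 * deletion still happens (this runs on the deleter's thread, so keep it short). */
static NTSTATUS NTAPI HookedNtSetInformationFile(HANDLE h, PIO_STATUS_BLOCK iosb,
                                                 PVOID info, ULONG len, ULONG cls)
{
    if (is_delete_request(cls, info, len)) {
        WCHAR path[MAX_PATH], backup[MAX_PATH + 8];
        DWORD n = GetFinalPathNameByHandleW(h, path, MAX_PATH, FILE_NAME_NORMALIZED);
        if (n > 0 && n < MAX_PATH) {
            swprintf_s(backup, MAX_PATH + 8, L"%ls.deleted", path);
            CopyFileW(path, backup, FALSE); /* works if the deleter's share mode allows reads */
        }
    }
    return g_origNtSetInformationFile(h, iosb, info, len, cls);
}
BOOL install_delete_hook(void) /* call once, e.g. from DllMain on DLL_PROCESS_ATTACH */
{
    g_origNtSetInformationFile = (NtSetInformationFile_fn)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtSetInformationFile");
    return g_origNtSetInformationFile && Mhook_SetHook((PVOID *)&g_origNtSetInformationFile, HookedNtSetInformationFile);
}
#endif
```

The hook only sees calls made by the process it is loaded into, and a file opened with FILE_FLAG_DELETE_ON_CLOSE is removed without any NtSetInformationFile call at all, which is why the filter-driver answer above is the complete solution.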
Or you may try the ICopyHook interface.
http://msdn.microsoft.com/en-us/library/windows/desktop/bb776049%28v=vs.85%29.aspx
In the CopyCallback method, use FO_DELETE in the wFunc parameter to specify the delete operation.
Disadvantage: it only prevents deletion in the Windows Shell.
