Kernel Driver program to get notified when a file is created in a directory

Question

I want create a kernel driver program to monitor certain kernel events such as creating files, so that I receive a notification whenever a file is created, including the process ID of the process that created the file. I already created a program where I can see the files which are opened in the system, by creating an handler for IRP_MJ_CREATE. I used this project as a reference.

Answer 1

There are several ways to do it, with the file system filter being the most complete. However for simple notifications, the easiest way to do it is through a minifilter.

You have several examples by microsoft: https://github.com/microsoft/Windows-driver-samples/tree/master/filesys/miniFilter

Here is the reference: https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/ifs-reference

Do note however that you can do this without a driver, so unless you have a very good reason to do it in kernel space, you can do it from userspace. See FindFirstChangeNotification: https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-findfirstchangenotificationa