
After looking at a few different options I have, I've decided it's necessary for my application to hook network-related file operations (talked about here Retrieve who created/modified/deleted a file). Anyways, I've been doing some research on how to get a solid and reliable hooking scheme in place. Basically, I need to be able to monitor my Windows 2008 server for create/read/write/delete requests on an SMB share, and deny them if needed. I know this can be done using a minifilter driver, but I'm looking for a quicker solution, if there is one. Does anyone know of a solution?

Oops! I managed to leave out a huge requirement in the original post. I also need to be able to track which username has created/deleted/modified files in one of the shares. For this reason, I believe that a file system filter is not what I'm looking for.

jbq
  • Usually you can just use ACLs to deny requests. What do you want to do that ACLs can't handle? – Gabe Aug 02 '12 at 05:42
  • Please see the revised original post. – jbq Aug 02 '12 at 20:05
  • The audit log is designed for keeping track of who created/deleted/modified files. With the proper audit ACLs it will tell you who opened each file and what access was granted. If you want an exact list of who did what, though, you will need to write your own filter. – Gabe Aug 03 '12 at 17:35
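
Gabe's comment above points to the audit log for recording who created, modified or deleted a file. As an added example (not code from this thread), the PowerShell below turns on file-system auditing for a share folder and lists write/create/delete events with the account name; the path `D:\Shares\Projects` is a hypothetical placeholder, and an elevated session on the file server is assumed.

```powershell
# Added example. $SharePath is a hypothetical local folder backing the SMB share.
# Run in an elevated session on the file server.
$SharePath = 'D:\Shares\Projects'

# 1. Enable the "File System" object-access audit subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit ACE to the folder's SACL: record write/create/delete attempts
#    by anyone, inherited by all files and subfolders.
$rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$audit   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $audit)
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Read event 4663 ("An attempt was made to access an object") and decode
#    the access mask into the operations the question asks about.
$maskNames = @{ 0x2 = 'WriteData/AddFile'; 0x4 = 'AppendData/AddSubdirectory'
                0x40 = 'DeleteChild'; 0x10000 = 'DELETE' }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 1000 |
    ForEach-Object {
        $evt = $_
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $fields = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $fields[$node.Name] = $node.'#text'
        }
        # 4663 also covers other object types; keep only paths under the share.
        $name = [string]$fields['ObjectName']
        if (-not $name.StartsWith($SharePath, [System.StringComparison]::OrdinalIgnoreCase)) { return }
        $mask = [Convert]::ToInt32($fields['AccessMask'], 16)
        $ops  = $maskNames.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                ForEach-Object { $maskNames[$_] }
        New-Object PSObject -Property @{
            Time       = $evt.TimeCreated
            User       = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
            Operations = ($ops -join ', ')
            File       = $name
        }
    } | Select-Object Time, User, Operations, File
```

This records who did what after the fact; it does not allow or deny the request, which still takes ACLs or a minifilter.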

1 Answer

If you just want to monitor file changes happening within a directory, you can try this: Obtaining Directory Change Notifications. In case you want the .NET/C# way, try this: FileSystemWatcher.

But this will just notify you about the changes; you will not be able to control the operation (allow or deny).

If you have to control the operation, a minifilter is the way.

Rohan
  • These are great suggestions, but none of them actually address pragmatically intercepting which user made the changes (create, write, delete) to the file. Has anyone found such a solution? – jbq Aug 07 '12 at 18:17
  • You can get which user is doing the operation in a minifilter using the `SubjectSecurityContext` parameter in the callback data and `SeQueryInformationToken` – Rohan Aug 08 '12 at 04:32