Delete File System Minifilter Driver

The Delete minifilter is an example that demonstrates how to detect deletions of files or streams. Deletions are reported as debug output.

Universal Windows Driver Compliant

This sample builds a Universal Windows Driver. It uses only APIs and DDIs that are included in OneCoreUAP.

Design and Operation

The Delete minifilter illustrates how to detect deletion of files and streams. It monitors IRP_MJ_CREATE requests for the FILE_DELETE_ON_CLOSE flag, and it monitors IRP_MJ_SET_INFORMATION requests that set FileDispositionInformation or FileDispositionInformationEx. The sample also illustrates how to handle racing deletes (in the form of multiple parallel IRP_MJ_SET_INFORMATION operations), and how to distinguish deletion of an entire file from deletion of just one stream of the file.

Note

Because of the way in which the Windows operating system deletes files, it is not possible for the minifilter to detect in advance that a file or stream will be deleted. The minifilter can only detect operations that may cause a deletion, and then determine, after the operation completes, whether the deletion took place.
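
The following user-mode C model is an added example, not code from the sample. It shows which requests from Design and Operation make a stream a deletion candidate, and why the verdict is recorded only at completion, as the Note describes. The `request` and `stream_state` types and the function names are hypothetical, and treating any overlap of disposition requests as "outcome unknown" is this model's assumption about race handling.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constants as defined in the WDK headers. */
#define IRP_MJ_CREATE                0x00
#define IRP_MJ_SET_INFORMATION       0x06
#define FILE_DELETE_ON_CLOSE         0x00001000u
#define FILE_DISPOSITION_DELETE      0x00000001u
#define FileDispositionInformation   13
#define FileDispositionInformationEx 64

/* Hypothetical request record (a real minifilter reads these from the I/O callback data). */
typedef struct {
    uint8_t  major;           /* IRP_MJ_* */
    uint32_t create_options;  /* used by IRP_MJ_CREATE */
    int      info_class;      /* used by IRP_MJ_SET_INFORMATION */
    uint32_t disposition;     /* DeleteFile (class 13) or Flags (class 64) */
} request;

/* Hypothetical per-stream tracking state for this model. */
typedef struct {
    int  in_flight;        /* disposition requests not yet completed */
    bool raced;            /* sticky: overlapping requests were seen */
    bool set_disp;         /* disposition recorded by an unraced request */
    bool delete_on_close;  /* a successful create asked for delete-on-close */
} stream_state;

static bool is_disposition(const request *r) {
    return r->major == IRP_MJ_SET_INFORMATION && (r->info_class == FileDispositionInformation ||
                                                  r->info_class == FileDispositionInformationEx);
}
/* Pre-operation: count disposition requests; overlap makes the outcome unknown. */
void pre_op(stream_state *s, const request *r) {
    if (is_disposition(r) && ++s->in_flight > 1) s->raced = true;
}
/* Post-operation: only a completed, successful request changes recorded state. */
void post_op(stream_state *s, const request *r, bool success) {
    if (r->major == IRP_MJ_CREATE && success && (r->create_options & FILE_DELETE_ON_CLOSE))
        s->delete_on_close = true;
    if (!is_disposition(r)) return;
    bool del = r->info_class == FileDispositionInformationEx
                   ? (r->disposition & FILE_DISPOSITION_DELETE) != 0 : r->disposition != 0;
    if (success && !s->raced) s->set_disp = del;
    s->in_flight--;
}
/* At handle cleanup: is it worth checking whether the stream is really gone? */
bool delete_candidate(const stream_state *s) {
    return s->raced || s->set_disp || s->delete_on_close;
}
```

A true result from `delete_candidate` only means the stream should be checked after the handle is closed; it does not by itself establish that a deletion happened.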

For more information on file system minifilter design, start with the File System Minifilter Drivers section in the Installable File Systems Design Guide.