How to trap file access attempts with a filter driver (kernel) and offer dialog to allow/deny (user)?

北荒 2021-02-04 19:32

I've been looking at Windows's File System Filter Drivers. I started with this "FsFilter" example:

http://www.codeproject.com/Articles/43586/File-System-Filter-Driv

1 answer
  •  失恋的感觉
    2021-02-04 20:07

    You (a.k.a. I) have pretty much enumerated the possibilities. Either poll the way FileMon does, or pass an event. Passing the event is probably a bit more error prone, and if you aren't a threading guru then there's probably more chance for error. But if you tend to make lots of mistakes then device drivers may not be for you...skydiving might be a poor choice too.

    I'll offer taking a look at this project, but please note the disclaimers in the README. (It is only a test and investigation):

    https://github.com/hostilefork/CloneLocker

    And yes, to the extent that Microsoft and their driver model is to be something one worries about, miniFilters are the better choice these days.
