Attaching a Filter to a File System or Volume

A file system filter driver attaches itself to one or more mounted volumes and filters all I/O operations on them. But how does it determine which volumes to attach itself to? The sample filter drivers in the Windows Driver Kit (WDK) illustrate the two most common ways in which this is done:

  • The end user can specify the volumes to filter by, for example, typing in the drive letters for the volumes. The end user's commands are relayed to the filter driver as a private IRP_MJ_DEVICE_CONTROL request.

  • The file system filter driver can attach to one or more file system drivers, listen for IRP_MJ_FILE_SYSTEM_CONTROL, IRP_MN_MOUNT_VOLUME requests, and attach to volumes as they are mounted.

Note   You should generally assume that the mapping of volumes to drive letters is one-to-many, not one-to-one. This is because of advanced storage features, such as dynamic volumes and volume mount points.

Note   You should not assume that IRP_MN_MOUNT_VOLUME requests are always handled synchronously by the file system. For example, a floppy drive may be mounted asynchronously if there is no floppy disk in the drive. Thus your filter driver should be prepared to propagate the PendingReturned flag in its mount completion routine. For more information, see "Checking the PendingReturned Flag."

File system filter drivers can attach to, and filter I/O for, any file system volume. They cannot attach directly to storage devices, such as disk drives or partitions. Also, they cannot attach to individual directories or files.

For more information, see the following topics:

Creating the Filter Device Object

Attaching the Filter Device Object to the Target Device Object

Propagating the DO_BUFFERED_IO and DO_DIRECT_IO Flags

Propagating the FILE_DEVICE_SECURE_OPEN Flag