DeleteFile Hook


itsmeash
August 4th, 2010, 06:01 AM
Hello All,

I need to intercept every time a user uses Delete, Shift+Delete or the DEL command from the command prompt. I need to know what API gets called when we use DELETE, SHIFT+DELETE and the DEL command. I'll be very much obliged if anyone can direct me to how to intercept (hook) those calls..

Looking forward to seeing members' replies. I'm using VC 6.0 and WIN DDK 7.1.


Thanks all

ahmd
August 5th, 2010, 07:30 PM
You obviously have two requests: 1. Delete and SHIFT+DELETE are keystrokes that you can intercept using SetWindowsHookEx (http://msdn.microsoft.com/en-us/library/ms644990(VS.85).aspx) with WH_KEYBOARD or WH_KEYBOARD_LL hook. As for the DEL command (I'm assuming you mean that command from a Command Prompt), you can watch the folder/file of interest with the FindFirstChangeNotification/FindNextChangeNotification (http://msdn.microsoft.com/en-us/library/aa364417(VS.85).aspx) APIs for file removal.

Chris_F
August 5th, 2010, 10:46 PM
I don't think he is wanting to hook the keyboard. He wants to intercept calls to DeleteFile.

itsmeash
August 6th, 2010, 01:51 AM
You obviously have two requests: 1. Delete and SHIFT+DELETE are keystrokes that you can intercept using SetWindowsHookEx (http://msdn.microsoft.com/en-us/library/ms644990(VS.85).aspx) with WH_KEYBOARD or WH_KEYBOARD_LL hook. As for the DEL command (I'm assuming you mean that command from a Command Prompt), you can watch the folder/file of interest with the FindFirstChangeNotification/FindNextChangeNotification (http://msdn.microsoft.com/en-us/library/aa364417(VS.85).aspx) APIs for file removal.



Thanks ahmd and Chris,

My requirement is that whenever any file gets deleted, I should get the message first, and based on some checks on the user I decide whether the user can delete the file or not. Now the check part is not in question, but as far as I know we can delete any file using

1. DELETE KEY
2. SHIFT-DELETE KEY
3. DELETE FROM MOUSE
4. DEL COMMAND FROM COMMAND PROMPT
5. DRAG THE FILE TO RECYCLE BIN

As for the DEL command (I'm assuming you mean that command from a Command Prompt), you can watch the folder/file of interest with the FindFirstChangeNotification/FindNextChangeNotification (http://msdn.microsoft.com/en-us/library/aa364417(VS.85).aspx) APIs for file removal.

I think I don't get this point :( Won't I receive any call, instead of watching every single file on a particular PC, when the DEL command is fired from the command prompt?

VictorN
August 6th, 2010, 02:40 AM
And what if someone directly calls DeleteFile API?

itsmeash
August 6th, 2010, 04:03 AM
And what if someone directly calls DeleteFile API?

Lol, I don't know, I was thinking that pressing delete will invoke DeleteFile.. I might be thinking vague but how to do it?

VictorN
August 6th, 2010, 04:08 AM
Lol, I don't know, I was thinking that pressing delete will invoke DeleteFile.. I might be thinking vague but how to do it?

It may invoke SHFileOperation instead.

.. I might be thinking vague but how to do it?

To do what? Hook the SHFileOperation/DeleteFile calls? I don't know. Try to google...

itsmeash
August 6th, 2010, 04:12 AM
It may invoke SHFileOperation instead.


To do what? Hook the SHFileOperation/DeleteFile calls? I don't know. Try to google...

Ok thanks..

itsmeash
August 6th, 2010, 08:16 AM
Say I am able to know that the DEL key has been pressed, what logic should be there to override it? I mean, how can I prevent the deletion unless I have performed some checks? I hope you get my point..

VictorN
August 6th, 2010, 08:21 AM
No, I didn't.
Why do you think that pressing DEL key always generates the delete file operation?

itsmeash
August 6th, 2010, 08:40 AM
No, I didn't.
Why do you think that pressing DEL key always generates the delete file operation?

I'm just guessing. I tried Google also; there are many scenarios when the file can be deleted. Right now I am not thinking of any other way but the DELETE key..

So I guess it can be bifurcated into two parts..

1. Intercept the delete button.
2. Override the operation.

I completed the part where someone presses the DELETE button and I get the event, and for checking I'm writing a log. But I'm stuck at the second part. :(

ahmd
August 6th, 2010, 01:50 PM
Your approach of trying to find a base API responsible for deletion of a file is totally wrong. DeleteFile is far from the bottom of this hierarchy. Most certainly it is done by a kernel device driver responsible for the file system I/O operations. And even if you delve into the kernel DDK and find out how to intercept calls to it, there'll be no guarantee that in some version of Windows it won't be done differently.

The way you need to address restrictions on a file deletion by a certain user is by employing security descriptors that are available on all Windows-NT based operating systems and the NTFS file system. Read here (http://msdn.microsoft.com/en-us/library/aa379563%28VS.85%29.aspx) and here (http://msdn.microsoft.com/en-us/library/aa379568%28v=VS.85%29.aspx) for more details.

Arjay
August 6th, 2010, 04:28 PM
The way you need to address restrictions on a file deletion by a certain user is by employing security descriptors that are available on all Windows-NT based operating systems and the NTFS file system. Read here (http://msdn.microsoft.com/en-us/library/aa379563%28VS.85%29.aspx) and here (http://msdn.microsoft.com/en-us/library/aa379568%28v=VS.85%29.aspx) for more details.

Yep. This is the way to do it. That way, you change it in one place and don't have to worry about covering all 100 different edge cases to prevent the user from deleting a file.
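
The security-descriptor approach recommended above, sketched in PowerShell as an added example (not code from the thread or its participants). The function name, path and account are hypothetical, and it assumes an elevated PowerShell 3.0+ session on an NTFS volume. It also denies "delete child" on the parent folder, because NTFS allows a delete when the caller holds either DELETE on the file or FILE_DELETE_CHILD on its directory.

```powershell
# Added example: Deny-FileDelete, the path and the account are hypothetical names.
function Deny-FileDelete {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.PSIsContainer) { throw "Expected a file, got a directory: $Path" }

    $who   = New-Object System.Security.Principal.NTAccount($Account)
    $deny  = [System.Security.AccessControl.AccessControlType]::Deny
    $right = [System.Security.AccessControl.FileSystemRights]

    # 1. Explicit deny ACE for DELETE on the file itself.
    $fileAcl  = Get-Acl -LiteralPath $file.FullName
    $fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, $right::Delete, $deny)
    $fileAcl.AddAccessRule($fileRule)
    Set-Acl -LiteralPath $file.FullName -AclObject $fileAcl

    # 2. Explicit deny ACE for FILE_DELETE_CHILD on the parent folder.
    #    Without it, "Full Control" on the folder still lets the account
    #    delete the file. Not inherited: applies to this folder only, but
    #    it covers every file directly inside it for this account.
    $dir     = $file.DirectoryName
    $dirAcl  = Get-Acl -LiteralPath $dir
    $dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, $right::DeleteSubdirectoriesAndFiles,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        $deny)
    $dirAcl.AddAccessRule($dirRule)
    Set-Acl -LiteralPath $dir -AclObject $dirAcl

    # Return the explicit deny entries now on the file so the caller can verify.
    (Get-Acl -LiteralPath $file.FullName).Access |
        Where-Object { $_.AccessControlType -eq $deny -and -not $_.IsInherited }
}

# Usage (constructed path and account):
# Deny-FileDelete -Path 'C:\Data\ledger.xls' -Account 'EXAMPLE\jdoe'
```

The check is enforced by the file system for every deletion path (Explorer, DEL, direct API calls), but the file's owner and administrators can still rewrite the DACL.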

itsmeash
August 7th, 2010, 01:38 AM
Your approach of trying to find a base API responsible for deletion of a file is totally wrong. DeleteFile is far from the bottom of this hierarchy. Most certainly it is done by a kernel device driver responsible for the file system I/O operations. And even if you delve into the kernel DDK and find out how to intercept calls to it, there'll be no guarantee that in some version of Windows it won't be done differently.

The way you need to address restrictions on a file deletion by a certain user is by employing security descriptors that are available on all Windows-NT based operating systems and the NTFS file system. Read here (http://msdn.microsoft.com/en-us/library/aa379563%28VS.85%29.aspx) and here (http://msdn.microsoft.com/en-us/library/aa379568%28v=VS.85%29.aspx) for more details.

Thanks Ahmd,

I am not concerned about the number of different OSes; the application will be used on Win 2000 or 2003 only, so security descriptors are what I need..

Well, lots of R&D then.. Anyway, thanks for the information. I'm sure I'll be able to extract useful information from that :)

itsmeash
August 7th, 2010, 02:11 AM
Most certainly it is done by a kernel device driver responsible for the file system I/O operations. And even if you delve into the kernel DDK and find out how to intercept calls to it, there'll be no guarantee that in some version of Windows it won't be done differently.


Just being curious, how to do it? What's the approach to peek into file I/O operations? There's certainly not an issue of different OSes, as I have to run on Win 2000 or 2003 only.

ahmd
August 7th, 2010, 05:11 AM
Just being curious, how to do it? What's the approach to peek into file I/O operations? There's certainly not an issue of different OSes, as I have to run on Win 2000 or 2003 only.

I'll be honest with you, I've never done that myself, so maybe someone else will clue you in. I'd suggest one thing though. Don't try to re-invent the wheel and go with the accepted/easy way.

Can I ask, why do you need all this?

itsmeash
August 7th, 2010, 02:36 PM
Can I ask, why do you need all this?

It's a control feature where my application will let the legitimate user delete the files, not others.

So for that I need to know that a file is going to be deleted (pressing DELETE, SHIFT+DELETE, the DEL command, etc.), and before it is deleted I should pause that operation and invoke another exe which will check whether the user is legitimate or not. If yes, then I'll let that user delete the file; otherwise I have to show an "ACCESS DENIED" message by altering the behavior of delete.

ahmd
August 7th, 2010, 03:11 PM
It seems like you're digging into the anti-virus/firewall type realm. Good luck with that stuff, it's not for the faint hearted... Still, the easiest way to implement what you want is what I suggested in my post above.

mani3355
August 12th, 2010, 12:42 AM
hi,


whenever any file get deleted i should get the message first and based on some checks on user i decide whether the user can delete the file or not, Now the check part is not in question, what kind of keys can I use.

thanks for suggestion

regards,
phe9oxis,
http://www.guidebuddha.com