-
August 4th, 2010, 06:01 AM
#1
DeleteFile Hook
Hello All,
I need to intercept every time a user uses delete, shift-delete or the DEL command from the command prompt. I need to know what API gets called when we use DELETE, SHIFT+DELETE and the DEL command. I'll be very much obliged if anyone can redirect me to how to intercept/hook those calls.
Looking forward to seeing members' replies. I'm using VC 6.0 and WIN DDK 7.1.
Thanks all
-
August 5th, 2010, 07:30 PM
#2
Re: DeleteFile Hook
You obviously have two requests: 1. Delete and SHIFT+DELETE are keystrokes that you can intercept using SetWindowsHookEx with WH_KEYBOARD or WH_KEYBOARD_LL hook. As for the DEL command (I'm assuming you mean that command from a Command Prompt), you can watch the folder/file of interest with the FindFirstChangeNotification/FindNextChangeNotification APIs for file removal.
-
August 5th, 2010, 10:46 PM
#3
Re: DeleteFile Hook
I don't think he is wanting to hook the keyboard. He wants to intercept calls to DeleteFile.
-
August 6th, 2010, 01:51 AM
#4
Re: DeleteFile Hook
 Originally Posted by ahmd
You obviously have two requests: 1. Delete and SHIFT+DELETE are keystrokes that you can intercept using SetWindowsHookEx with WH_KEYBOARD or WH_KEYBOARD_LL hook. As for the DEL command (I'm assuming you mean that command from a Command Prompt), you can watch the folder/file of interest with the FindFirstChangeNotification/FindNextChangeNotification APIs for file removal.
Thanks ahmd and Chris,
My requirement is that whenever any file gets deleted I should get the message first, and based on some checks on the user I decide whether the user can delete the file or not. Now the check part is not in question, but as far as my knowledge goes we can delete any file using:
1. DELETE KEY
2. SHIFT-DELETE KEY
3. DELETE FROM MOUSE
4. DEL COMMAND FROM COMMAND PROMPT
5. DRAG THE FILE TO RECYCLE BIN
 Originally Posted by ahmd
I think I don't get this point. Won't I receive any call, instead of watching every single file on a particular PC, when the DEL command from the command prompt is fired?
-
August 6th, 2010, 02:40 AM
#5
Re: DeleteFile Hook
And what if someone directly calls DeleteFile API?
Victor Nijegorodov
-
August 6th, 2010, 04:03 AM
#6
Re: DeleteFile Hook
 Originally Posted by VictorN
And what if someone directly calls DeleteFile API?
Lol, I don't know, I was thinking that pressing delete will invoke DeleteFile.. I might be thinking vague but how to do it?
-
August 6th, 2010, 04:08 AM
#7
Re: DeleteFile Hook
 Originally Posted by itsmeash
Lol, I don't know, I was thinking that pressing delete will invoke DeleteFile.. I might be thinking vague but how to do it?
It may invoke SHFileOperation instead.
 Originally Posted by itsmeash
.. I might be thinking vague but how to do it?
To do what? Hook the SHFileOperation/DeleteFile calls? I don't know. Try to google...
Victor Nijegorodov
-
August 6th, 2010, 04:12 AM
#8
Re: DeleteFile Hook
 Originally Posted by VictorN
It may invoke SHFileOperation instead.
To do what? Hook the SHFileOperation/DeleteFile calls? I don't know. Try to google...
Ok thanks..
-
August 6th, 2010, 08:16 AM
#9
Re: DeleteFile Hook
Say I am able to know that the DEL key has been pressed, what logic should be there to override it? I mean, how can I prevent the deletion unless I have performed some checks? I hope you get my point.
-
August 6th, 2010, 08:21 AM
#10
Re: DeleteFile Hook
No, I didn't.
Why do you think that pressing DEL key always generates the delete file operation?
Victor Nijegorodov
-
August 6th, 2010, 08:40 AM
#11
Re: DeleteFile Hook
 Originally Posted by VictorN
No, I didn't.
Why do you think that pressing DEL key always generates the delete file operation?
I'm just guessing. I tried Google also; there are many scenarios when the file can be deleted. Right now I am not thinking of any other way but the DELETE key.
So I guess it can be bifurcated into two parts:
1. Intercept the delete button.
2. Override the operation.
I completed the part where someone presses the DELETE button and I get the event, and for checking I'm writing a log, but I'm stuck at the second part.
-
August 6th, 2010, 01:50 PM
#12
Re: DeleteFile Hook
Your approach of trying to find a base API responsible for deletion of a file is totally wrong. DeleteFile is far from the bottom of this hierarchy. Most certainly it is done by a kernel device driver responsible for the file system I/O operations. And even if you delve into the kernel DDK and find out how to intercept calls to it, there'll be no guarantee that in some version of Windows it won't be done differently.
The way you need to address restrictions on a file deletion by a certain user is by employing security descriptors that are available on all Windows-NT based operating systems and the NTFS file system. Read here and here for more details.
Last edited by ahmd; August 6th, 2010 at 01:53 PM.
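Added example, not part of the thread or of any poster's code: a simplified C model of the access check that the security-descriptor approach in post #12 relies on. NTFS lets a delete through when the caller holds DELETE on the file or FILE_DELETE_CHILD on the parent directory, so a deny entry on the file alone does not cover every route. The trustee names and the three DACLs are constructed; group membership (beyond Everyone) and inheritance are left out.

```c
#include <stdio.h>
#include <string.h>

/* Access-mask bits, same values as in the Windows SDK headers. */
#define RIGHT_DELETE       0x00010000UL  /* DELETE */
#define RIGHT_DELETE_CHILD 0x00000040UL  /* FILE_DELETE_CHILD */

typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; const char *trustee; unsigned long mask; } Ace;

/* Constructed sample DACLs; deny entries come first, as in canonical order. */
static const Ace file_dacl[]  = { { ACE_DENY,  "alice",    RIGHT_DELETE },
                                  { ACE_ALLOW, "Everyone", RIGHT_DELETE } };
static const Ace open_dir[]   = { { ACE_ALLOW, "Everyone", RIGHT_DELETE_CHILD } };
static const Ace locked_dir[] = { { ACE_DENY,  "alice",    RIGHT_DELETE_CHILD },
                                  { ACE_ALLOW, "Everyone", RIGHT_DELETE_CHILD } };

/* Simplified trustee match: the user itself or the Everyone group. */
static int applies(const Ace *ace, const char *user) {
    return strcmp(ace->trustee, user) == 0 || strcmp(ace->trustee, "Everyone") == 0;
}

/* Walk the ACEs in order: a deny ACE covering a still-needed bit fails the
   request, allow ACEs clear the bits they grant, leftover bits mean denied. */
int access_check(const Ace *dacl, size_t n, const char *user, unsigned long wanted) {
    size_t i;
    for (i = 0; i < n && wanted != 0; i++) {
        if (!applies(&dacl[i], user)) continue;
        if (dacl[i].type == ACE_DENY && (dacl[i].mask & wanted)) return 0;
        if (dacl[i].type == ACE_ALLOW) wanted &= ~dacl[i].mask;
    }
    return wanted == 0;
}

/* A delete succeeds with DELETE on the file OR FILE_DELETE_CHILD on the parent. */
int can_delete(const Ace *file, size_t nf, const Ace *dir, size_t nd, const char *user) {
    return access_check(file, nf, user, RIGHT_DELETE) ||
           access_check(dir, nd, user, RIGHT_DELETE_CHILD);
}

int main(void) {
    printf("alice, open parent:   %d\n", can_delete(file_dacl, 2, open_dir, 1, "alice"));
    printf("alice, locked parent: %d\n", can_delete(file_dacl, 2, locked_dir, 2, "alice"));
    printf("bob,   locked parent: %d\n", can_delete(file_dacl, 2, locked_dir, 2, "bob"));
    return 0;
}
```

The first case is the one to watch for: the deny entry on the file is in place, yet the delete still goes through because the parent directory grants FILE_DELETE_CHILD.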
-
August 6th, 2010, 04:28 PM
#13
Re: DeleteFile Hook
 Originally Posted by ahmd
The way you need to address restrictions on a file deletion by a certain user is by employing security descriptors that are available on all Windows-NT based operating systems and the NTFS file system. Read here and here for more details.
Yep. This is the way to do it. That way, you change it in one place and don't have to worry about covering all 100 different edge cases to prevent the user from deleting a file.
-
August 7th, 2010, 01:38 AM
#14
Re: DeleteFile Hook
 Originally Posted by ahmd
Your approach of trying to find a base API responsible for deletion of a file is totally wrong. DeleteFile is far from the bottom of this hierarchy. Most certainly it is done by a kernel device driver responsible for the file system I/O operations. And even if you delve into the kernel DDK and find out how to intercept calls to it, there'll be no guarantee that in some version of Windows it won't be done differently.
The way you need to address restrictions on a file deletion by a certain user is by employing security descriptors that are available on all Windows-NT based operating systems and the NTFS file system. Read here and here for more details.
Thanks Ahmd,
I am not concerned about the different number of OSes. The application will be used on Win 2000 or 2003 only, so security descriptors are what I need.
Well, lots of R&D then. Anyway, thanks for the information, I'm sure I'll be able to extract useful information from that.
-
August 7th, 2010, 02:11 AM
#15
Re: DeleteFile Hook
 Originally Posted by ahmd
Most certainly it is done by a kernel device driver responsible for the file system I/O operations. And even if you delve into the kernel DDK and find out how to intercept calls to it, there'll be no guarantee that in some version of Windows it won't be done differently.
Just being curious, how to do it? What's the approach to peek into file I/O operations? There's certainly not an issue of different OSes, as I have to run on Win 2000 or 2003 only.