I've coded a mini-filter that blocks all JPG images with relative success, except when the file is being opened by 'Windows Photos'. The mini-filter is registered to all MJ_CREATE's, and in WinDbg I can see my code being called to block JPG images when they are being opened by Windows Photos. However, the image still loads successfully.
Testing Environment:
Images are copied over before the filter is loaded. The filter is installed then the system is rebooted.
Problem:
Images can still be accessed by Windows Photos after system reboot. (Filter is loaded on start-up so technically the images should be blocked after reboot).
All other operations are blocked successfully (e.g. copy, paste, opening with another program like Paint). Any new JPG images that are opened or transferred after boot are blocked successfully as well.
What I have tried:
PostOperationCallback:

    // Case-insensitive comparison of the parsed extension against jpgExt
    if (RtlCompareUnicodeString(&fileDetails->Extension, &jpgExt, TRUE) == 0)
    {
        DbgPrint("Blocking JPG file...\n");
        // Cancel the open that already completed, then fail the create request
        FltCancelFileOpen(FltObjects->Instance, FltObjects->FileObject);
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        FltReleaseFileNameInformation(fileDetails);
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

Filter Startup parameters:

    StartType = 0
    Class = "ActivityMonitor"
    Altitude = "370030"

I'm wondering what I am missing. Are some images being loaded so early that it bypasses the FilterManager? Is there an IRP I may be missing? My end goal for now is just to block all JPGs from being loaded (if possible, including the thumbnail).
A massive thank-you to everyone who has taken the time to read my question and to anyone who can help.
Cheers,
Bryce Woods