Topic: IRP_MJ_READ + notepad =... How to solve without ?
There are already some subjects at forums that IRP_MJ_READ for some reason does not work if file to open a notepad - notepad.exe With the same problem I faced also. For example, for SearchIndexer.exe it works. For System. IO.File. WriteAllBytes (that in this - did not look yet) - too. But for the Notepad, really, no. In subjects of 10-year-old prescription it was offered to put on the functions working with Mapping memory, etc. As I understood, mean SSDT-huki. However with Windows 10 usage of these became very restricted. If it is fair, itself I do not know about what now I speak, on with Win 10 x64 worked But, in general, it is not recommended. How to solve without ? - Ring3 not a variant. Only the driver. - simply in IRP_MJ_CREATE discovery of all files. But there still it is impossible to distinguish, whether there will be this read or write. And algorithms of parsing of any white \black lists here - too big shock on high-speed performance, together with DbgPrint is simply intolerable to debug.