I used this project as a reference; it creates a handler for IRP_MJ_CREATE which displays all the files that are created or opened on the system. The documentation of IRP_MJ_CREATE says:
The I/O Manager sends an IRP_MJ_CREATE request when a new file or directory is being created, or when an existing file, device, directory, or volume is being opened.
Normally this IRP is sent on behalf of a user-mode application that has called a Microsoft Win32 function such as CreateFile or on behalf of a kernel-mode component that has called a function such as IoCreateFile, IoCreateFileSpecifyDeviceObjectHint, ZwCreateFile, or ZwOpenFile.
If the create request is completed successfully, the application or kernel-mode component receives a handle to the file object.
The program below prints all the files or volumes that are opened or created.
main.c
    // Route every major function to the pass-through handler first ...
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; ++i) {
        DriverObject->MajorFunction[i] = FsFilterDispatchPassThrough;
    }

    // ... then override IRP_MJ_CREATE with the handler that prints names.
    DriverObject->MajorFunction[IRP_MJ_CREATE] = FsFilterDispatchCreate;

    // IRP_MJ_CREATE IRP Handler
    NTSTATUS
    FsFilterDispatchCreate(
        __in PDEVICE_OBJECT DeviceObject,
        __in PIRP Irp
        )
    {
        // The file object being created or opened is in the current stack
        // location; FileName is the path relative to the attached volume.
        PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;

        DbgPrint("%wZ\n", &pFileObject->FileName);

        // Hand the IRP down the stack exactly like every other major function.
        return FsFilterDispatchPassThrough(DeviceObject, Irp);
    }
I just need the driver to print only when a file or directory is created.
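As an added example that is not part of the question or of the FsFilter sample it refers to, the legacy-filter code below reports a name only when the create actually produced a new file or directory. It assumes the sample's device-extension field AttachedToDeviceObject for the lower device object, and uses the _KERNEL_MODE macro (assumed to be defined by the MSVC /kernel switch WDK builds use) to separate the WDK-only routines from portable helpers; the constant definitions in the host branch mirror the NT header values so the helpers can be compiled and checked without the WDK. It goes slightly beyond the question by short-circuiting dispositions that can never create.

```c
/*
 * Added example (not the asker's code, not the FsFilter sample). Reports a path
 * only when IRP_MJ_CREATE really created a new file or directory, using two facts:
 *  1. The requested disposition (FILE_CREATE, FILE_OPEN_IF, ...) is the high byte
 *     of IrpSp->Parameters.Create.Options and is known before the IRP goes down.
 *  2. The outcome is known only after the file system completes the IRP, in
 *     Irp->IoStatus.Information (FILE_CREATED, FILE_OPENED, FILE_OVERWRITTEN, ...).
 * The helpers are portable C; the driver routines need the WDK and sit behind
 * _KERNEL_MODE (assumption: the MSVC /kernel switch used by WDK builds defines it).
 */
#ifdef _KERNEL_MODE
#include <ntifs.h>
#else
/* Host build so the helpers compile and test without the WDK; values mirror the NT headers. */
#include <stdint.h>
typedef uint32_t  ULONG;
typedef uintptr_t ULONG_PTR;
typedef int       BOOLEAN;
#define TRUE  1
#define FALSE 0
#define FILE_SUPERSEDE      0x00000000   /* requested dispositions */
#define FILE_OPEN           0x00000001
#define FILE_CREATE         0x00000002
#define FILE_OPEN_IF        0x00000003
#define FILE_OVERWRITE      0x00000004
#define FILE_OVERWRITE_IF   0x00000005
#define FILE_SUPERSEDED     0x00000000   /* completion results */
#define FILE_OPENED         0x00000001
#define FILE_CREATED        0x00000002
#define FILE_OVERWRITTEN    0x00000003
#define FILE_EXISTS         0x00000004
#define FILE_DOES_NOT_EXIST 0x00000005
#endif

/* The disposition occupies bits 24..31 of Parameters.Create.Options. */
static ULONG FsFilterCreateDisposition(ULONG CreateOptions)
{
    return (CreateOptions >> 24) & 0xFF;
}

/* TRUE if this disposition can possibly produce a brand-new file. */
static BOOLEAN FsFilterDispositionMayCreate(ULONG Disposition)
{
    switch (Disposition) {
    case FILE_CREATE:
    case FILE_OPEN_IF:
    case FILE_OVERWRITE_IF:
    case FILE_SUPERSEDE:
        return TRUE;
    default:            /* FILE_OPEN and FILE_OVERWRITE need an existing file */
        return FALSE;
    }
}

/* TRUE only when the completed create reports that it made a new file. */
static BOOLEAN FsFilterCreateMadeNewFile(ULONG_PTR Information)
{
    return Information == FILE_CREATED ? TRUE : FALSE;
}

#ifdef _KERNEL_MODE
/* Assumption: the extension holds the lower device under this name, as in the sample. */
typedef struct _FSFILTER_DEVICE_EXTENSION {
    PDEVICE_OBJECT AttachedToDeviceObject;
} FSFILTER_DEVICE_EXTENSION, *PFSFILTER_DEVICE_EXTENSION;

/* Called once the file system has completed the create; Context is the FILE_OBJECT. */
static NTSTATUS FsFilterCreateCompletion(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
    PFILE_OBJECT FileObject = (PFILE_OBJECT)Context;
    UNREFERENCED_PARAMETER(DeviceObject);

    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);  /* mandatory when the lower driver returned STATUS_PENDING */
    }
    if (NT_SUCCESS(Irp->IoStatus.Status) &&
        FsFilterCreateMadeNewFile(Irp->IoStatus.Information)) {
        DbgPrint("created: %wZ\n", &FileObject->FileName); /* path relative to the volume */
    }
    return STATUS_SUCCESS;
}

NTSTATUS FsFilterDispatchCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PFSFILTER_DEVICE_EXTENSION Ext = (PFSFILTER_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
    PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);

    /* Dispositions that can only open an existing object never create: plain pass-through. */
    if (!FsFilterDispositionMayCreate(FsFilterCreateDisposition(IrpSp->Parameters.Create.Options))) {
        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(Ext->AttachedToDeviceObject, Irp);
    }

    /* Otherwise inspect the result on the way back up. */
    IoCopyCurrentIrpStackLocationToNext(Irp);
    IoSetCompletionRoutine(Irp, FsFilterCreateCompletion, IrpSp->FileObject, TRUE, TRUE, TRUE);
    return IoCallDriver(Ext->AttachedToDeviceObject, Irp);
}
#endif
```

The reliable signal is Irp->IoStatus.Information == FILE_CREATED after completion: the disposition alone cannot tell whether FILE_OPEN_IF or FILE_OVERWRITE_IF opened an existing file or created a new one, which is why the dispatch routine only uses it to skip the hopeless cases. FILE_OVERWRITTEN and FILE_SUPERSEDED can be added to FsFilterCreateMadeNewFile if replacing an existing file's contents should count too. A new filter would normally be written as a FltMgr minifilter, where the same value is read from Data->IoStatus.Information in the post-create callback.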