EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Real User or System ?

Posted: 11/11/2014 00:52:03
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3


Using CallbackFilter, I get a huge number of callbacks. However, I'm looking for a way to distinguish between system operations and user operations.

How can I tell the difference between a system-originated operation and a user-originated operation?

As an example, when I open a txt file with Explorer:
path operation originatorProcess ProcessId Username result
C:\Users\luga\Dropbox\afac\mydoc.txt OpenFileN C:\Windows\explorer.exe 7336 luga SUCCESS
But I have the same signature when explorer.exe just opens each file for its own reasons...

Posted: 11/11/2014 01:06:53
by Eugene Mayevski (EldoS Corp.)

The user doesn't open a file. He tells the computer to do this. And you are looking for a way to distinguish between operations performed by Explorer on user's request and performed by Explorer due to internal logic of Explorer.

Explorer scans directories and opens files in the current directory to get metadata and sometimes thumbnails. This is how it was designed and you can neither detect this behavior nor prevent it.

Moreover the pattern is different for various versions of Windows, so it's not possible to use behavior patterns for detection of "automated" open operations.

Sincerely yours
Eugene Mayevski
Posted: 11/11/2014 02:30:52
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3

True, you formulated my question more correctly than me...

I don't want to prevent anything, I'm just trying to filter because my logic will apply to user-originated files.

Any hint or idea I can search for to reduce that number of non-user-generated operations? I don't need to be super precise...
Posted: 11/11/2014 02:32:45
by Eugene Mayevski (EldoS Corp.)

This question is asked frequently for CBFS and the answer is negative.

Sincerely yours
Eugene Mayevski
Posted: 11/11/2014 02:45:39
by Emile Lugassy (Basic support level)
Joined: 11/11/2014
Posts: 3

At least it is clear... thank you




As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
