What is the IRP message generated on file delete in a filter driver?

Question

I am trying to create a filter driver to block file deletion operations, but I can't identify the IRP message on deleting files.

I worked with the code below; it works in windows 7 but not in windows version 8 or later.

if (pIrp->MajorFunction==IRP_MJ_WRITE || pIrp->MajorFunction==IRP_MJ_SET_INFORMATION ||
            pIrp->MajorFunction==IRP_MJ_SET_VOLUME_INFORMATION || pIrp->MajorFunction==IRP_MJ_SET_SECURITY ||
            pIrp->MajorFunction==IRP_MJ_SET_QUOTA)
    {
                             DbgPrint("fdrv :Read only operation block");
            Irp->IoStatus.Status = STATUS_ACCESS_DENIED;//Deny Access
            Irp->IoStatus.Information = 0;
            IoCompleteRequest(Irp, IO_NO_INCREMENT);
            return STATUS_ACCESS_DENIED;

            }

Answer 1

exist 2 ways to delete file

• open it with FILE_DELETE_ON_CLOSE option (NtCreateFile, NtOpenFile, IoCreateFile or NtDeleteFile also internal open file with FILE_DELETE_ON_CLOSE ). in this case will be IRP_MJ_CREATE
• call ZwSetInformationFile with FileDispositionInformation or FileDispositionInformationEx. in this case will be IRP_MJ_SET_INFORMATION

--

union {
    PVOID Buffer;
    PFILE_DISPOSITION_INFORMATION pfdi;
    PFILE_DISPOSITION_INFORMATION_EX pfdi_ex;
};
PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);
switch (IrpSp->MajorFunction)
{
case IRP_MJ_SET_INFORMATION:
    Buffer = Irp->AssociatedIrp.SystemBuffer;
    switch (IrpSp->Parameters.SetFile.FileInformationClass)
    {
    case FileDispositionInformation:
        if (pfdi->DeleteFile)
        {
            //
        }
        break;
    case FileDispositionInformationEx:
        if (pfdi_ex->Flags & FILE_DISPOSITION_DELETE)
        {
            //
        }
        break;
    }
    break;
case IRP_MJ_CREATE:
    if (IrpSp->Parameters.Create.Options & FILE_DELETE_ON_CLOSE)
    {
        //
    }
    break;
}