Protect a file from being deleted or corrupted using windows kernel file system mini-filter driver.

Tested on Windows 10 1909 x64.

Using file system mini-filter driver we intercept every PreCreateFile operation, PreWriteFile operation and PreSetFileInformation.

Delete protector:

If create file was called to one of our protected files with FILE_DELETE_ON_CLOSE the driver will fail it with STATUS_ACCESS_DENIED.

If set file information was called to one of our protected files with FileDispositionInformation and DeleteFile is true the driver will fail it with STATUS_ACCESS_DENIED.

Rename protector:

If set file information was called to one of our protected files with FileRenameInformation the driver will fail it with STATUS_ACCESS_DENIED.

Write protector:

If write file was called to one of our protected files the driver will fail it with STATUS_ACCESS_DENIED.

Open cmd as Administrator:

rundll32 syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 {path to the driver inf file}

sc start FileProtector

Now any file that you want to be unchangeable and protected (like backups) add to its name "_protected".

For example: I got file backup.txt which contains an important backup. In order to protect it, I will change its name to backup_protected.txt and now, the file is protected by our driver.

DONE!!!