Network shares are the backbone of corporate collaboration, allowing teams to seamlessly share and modify documents. However, this convenience comes with significant security and compliance challenges. Knowing exactly who accessed what file, when they did it, and what changes were made is critical for preventing data breaches, thwarting ransomware, and meeting compliance standards (like HIPAA, GDPR, or PCI-DSS).
While native Windows auditing can log file access, it relies on Event Viewer logs, which can be notoriously noisy, difficult to parse in real-time, and resource-intensive.
This is where a File System Filter Driver comes in. In this post, we’ll explore how you can use the EaseFilter File Monitor SDK and File Control SDK to build a lightweight, highly efficient real-time monitoring solution for network shares.
What is the EaseFilter SDK?
The EaseFilter File Monitor SDK and File Control SDK are a comprehensive suite of development tools that provides developers with a robust File System Filter Driver for Windows. Instead of polling for changes or parsing massive log files, a filter driver sits directly in the Windows kernel I/O stack.
It intercepts file requests (like Create, Read, Write, Rename, and Delete) exactly as they happen, before or after they reach the actual file system. This grants you unprecedented visibility and control over file operations.
How Network Share Tracking Works
When a user on a remote machine accesses a shared folder on a Windows Server via SMB/CIFS, the request travels across the network and is handled by the server's local file system.
From the perspective of the server's local storage, the file I/O operation is typically executed by the Windows System process (PID 4) acting on behalf of the remote user. Because the EaseFilter driver resides in the kernel stack of the server hosting the share, it natively intercepts these requests.
Crucially, the EaseFilter SDK automatically resolves the security context of the thread performing the operation. This means that even though the System process is doing the heavy lifting, the SDK will report the actual remote username, domain, and remote IP address of the user who initiated the request.
Key Benefits of Using EaseFilter for Network Shares
- Real-Time Visibility: Catch unauthorized access or bulk file modifications (a common indicator of ransomware) the exact millisecond they occur.
- Granular Filtering: Instead of monitoring the whole drive, you can tell the driver to only monitor specific shared directories (e.g., C:\CompanyShares\Finance\*).
- Comprehensive Data: Every event captures the file path, the exact operation, the timestamp, the remote user's identity, and the remote IP address.
- Access Control: You aren't just limited to tracking. Because the driver operates in real-time, you can write logic to actively block file access or modifications based on user, time of day, or file type.
What happens in this code?
- Initialization: We initialize the FilterControl with specific threading and connection timeout parameters to ensure it handles heavy network traffic efficiently.
- Targeting the Share: We define a rule targeting the physical path of the network share (C:\SharedData\*).
- Event Filtering: We specify that we only want to be notified about specific file change events: when a file is deleted, renamed, or created.
- Remote Access Verification: Inside the NotifyFileChanged callback, the code explicitly checks e.IsRemoteAccess. This ensures we only log actions initiated by users coming across the network, ignoring local server administrators.
- Audit Logging: If the event was a remote access, the application logs the affected file name, the type of event, the user's name, and crucially, the user's RemoteIp address.
Conclusion
Securing your file servers requires more than just hoping your NTFS permissions are perfectly configured. By integrating a file system filter driver via the EaseFilter File Control SDK and File Monitor SDK, you transition from passive logging to proactive, real-time file intelligence.
Whether you are building a Zero Trust security tool, an audit logging service, or a custom ransomware protection shield, EaseFilter provides the kernel-level hooks you need without the headache of writing C/C++ driver code from scratch.