IRP_MJ_CREATE Dispatch Routine
A major portion of Windows security checking occurs inside the IRP_MJ_CREATE dispatch routine. This is because the bulk of the Windows security model is related to access validation. Access validation results are stored as part of the handle that is created as a result of this operation. Subsequent operations are validated against the rights computed at this point.
If the access rights on the file change after the file or directory has been opened, the original access rights provided during the IRP_MJ_CREATE operation continue to be valid. These access rights are associated with the handle, so as long as the handle persists, the access granted under it governs subsequent operations.
This section includes the following topics:
Checking for Traverse Privilege on IRP_MJ_CREATE
Checking for Other Special Cases on IRP_MJ_CREATE
Adding Auditing on IRP_MJ_CREATE
Management of Access Control Lists on IRP_MJ_CREATE
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for