I'm trying to make a small program that could intercept the open process of a file.

The purpose is that when a user double-clicks on a file in a given folder, Windows would inform the software, which would then process that petition and return the data of the file to Windows.

Maybe there would be another solution, like monitoring Open messages and forcing Windows to wait while the program prepares the contents of the file.

One application of this concept could be to manage decryption of a file in a way that is transparent to the user. In this context, the encrypted file would be on the disk, and when the user opens it (by double-clicking on it or with some application such as Notepad), the background process would intercept that open event, decrypt the file and give the contents of that file to the asking application.

It's a slightly strange concept; it could be like the "Man In The Middle" network concept, but with files instead of network packets.

Thanks for reading.


The best way to do it, to cover all cases of opening from any program, would be via a file system filter driver. This may be too complex for your needs though.


You can use the trick that Process Explorer uses to replace itself with task manager. Basically create a key like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

Where you replace 'taskmgr.exe' with the name of the process to intercept. Then add a string value called 'Debugger' that has the path to your executable. E.g.:

Debugger -> "C:\windows\system32\notepad.exe"

Every time a process is run that matches the image name, your process will actually be called as a debugger for that process, with the path to the actual process as an argument.
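
Because a 'Debugger' value under Image File Execution Options redirects every launch of the named image, it is worth knowing which entries exist on a machine. The PowerShell below is an added example, not part of the original answer: the function name Get-IfeoDebugger and its simple command-line parsing are assumptions made for illustration, and it also checks the WOW6432Node view of the same key used on 64-bit Windows.

```powershell
# Added example: list every Image File Execution Options entry that has a
# 'Debugger' value and report the Authenticode status of the program it points to.
function Get-IfeoDebugger {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Cast to string so a missing or non-string value becomes '' instead of failing.
            $cmd = [string]$key.GetValue('Debugger', $null)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

            # Assumption: the executable is the quoted first token, or else the text
            # up to the first space. Unquoted paths containing spaces will be cut
            # short and show up as FileNotFound, which still flags them for review.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                   else { ($cmd.Trim() -split '\s+', 2)[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else {
                'FileNotFound'
            }

            [pscustomobject]@{
                Image     = $key.PSChildName   # e.g. taskmgr.exe
                Debugger  = $cmd               # full command line stored in the value
                Signature = $sig
                Key       = $key.Name
            }
        }
    }
}

Get-IfeoDebugger | Format-Table -AutoSize -Wrap
```

An entry whose Debugger target is unsigned, missing, or located in a user-writable directory deserves a closer look, since anything able to write this key can redirect the launch of the named image.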


You could use code injection and API redirection. You'd start your target process and then inject a DLL which hooks the Windows API functions that you want to intercept. You then get called when the target process thinks it's calling OpenFile() or whatever, and you can do what you like before passing the call on to the real API.

Google for "IAT hooking".