Since malware works fast and quietly, there is a demand to analyze, track and block
it at some central point. There is nothing as central as the kernel of an operating
system. This white paper describes how to monitor and protect your Windows-based
system by using a minifilter driver that intercepts IRP_MJ_* requests in its PreOperation callback.
The white paper also discusses some basic analysis and protection drivers I have
written in the past.
Read more: http://www.bitnuts.de/KernelBasedMonitoring.pdf