Filespy根据 irp如何 判断是否创建,删除文件 ？

IRP_MJ_CREATE  似乎打开文件也有这个请求
msdn说
The operating system sends an IRP_MJ_CREATE request to open a handle to a file object or device object. For example, when a driver calls ZwCreateFile, the operating system sends an IRP_MJ_CREATE request to perform the actual open operation.


怎么根据 filespy 中的 IrpMajor, IrpMinor,   IrpFlags, NoCache, Paging I/O,
 Synchronous, Synchronous paging, FileName,
 ReturnStatus, FileName  判断？