Comments
> I have a filter driver which filters on the requests going
> to the FSD. My problem is that if I want to distinguish whether
> the request is a local request or whether it has come across
> the Network, how can I find it.
You should examine the DeviceObject structure in the current FileObject.
The DeviceObject structure has a field called Characteristics that can have
the following values:
FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, FILE_FLOPPY_DISKETTE,
FILE_WRITE_ONCE_MEDIA or FILE_REMOTE_DEVICE.
So to see if a request comes across the network, test for
FileObject->DeviceObject->Characteristics & FILE_REMOTE_DEVICE
With kind regards,
Bartjan Wattel
----------------------------------------- Yours, for X-Tra Security !!! ---
ThunderStore HQ
Ant. v.d. Heydenstraat 2, 5527 BV HAPERT, The Netherlands
Tel: +31 (0)49 7383 505 / Fax: +31 (0)49 7388 440
Web: http://www.thunderstore.com
Note that Bartjan asks how to detect the origin of the request for a local
file.
This flag is not used when accessing local files, no matter whether the
request origin is local or remote.
The SRV component translates the remote access to a local access.
Inaki.
Thank you very much for your fast reply.
regards,
Shivas
Thanks for your reply. Now please let me know if there is any way I
can distinguish between the local IRPs and remote IRPs.
regards,
Shivas
a lot of information about the initiating user from the create
(IRP_MJ_CREATE) operation, but I don't think that 'user is remote' is part
of this. You could possibly try to figure out who is ABOVE you on the stack.
If srv is above you, this is a rather clear indication that this IO came
from afar rather than locally. So, and I think this is a TERRIBLE HACK, you
could walk up (illegally) the IO_STACK looking at the device objects above
and seeing if any of them are linked to SRV.
The idea in NT is that network security happens above and outside local
filesystems (via srv and the io manager and the object manager and the
security reference monitor etc.) Your local filesystem should only concern
itself with per file persistent security, and then only if it implements per
file persistent security, which so far only NTFS does. The local system has
already blessed this user, you shouldn't have to re-examine his rights to
access the system.
On the other hand, if this is a QOS issue rather than a security issue I
understand your problem.
but an unsafe check is to check the current process. If it is SYSTEM there
is a good chance the request is coming in from the SRV component, i.e., it
is a remote or at least local mapped request. (Of course any filter above
you might use a system thread to call you.)
Also, note that SRV uses a pool of threads to dispatch requests. Whether
these threads can be identified or not I don't know. Maybe someone in this
list knows how to check for these threads.
Another, rather long, test to check for SRV threads is to check the SID for
the requesting thread and get the user name; it always gives "SYSTEM" as
user name.
Inaki.
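An added example, not part of the thread or any poster's code: a user-mode C model of the two checks discussed above, showing that the Characteristics test only identifies files on a network volume, while the System-process check is a hint with false positives. The struct definitions are stand-ins for the WDK types, and `classify_request`, `REQ_CLASS` and `in_system_process` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-mode stand-ins for the WDK types; only the fields named in the
 * thread are modelled. The flag value matches the WDK headers. */
#define FILE_REMOTE_DEVICE 0x00000010u
typedef struct { uint32_t Characteristics; } DEVICE_OBJECT;
typedef struct { DEVICE_OBJECT *DeviceObject; } FILE_OBJECT;

typedef enum {
    REQ_UNKNOWN,        /* no file object or device to inspect              */
    REQ_LOCAL,          /* local volume, ordinary user process              */
    REQ_MAYBE_REMOTE,   /* local volume, System process: SRV or any filter  */
    REQ_REMOTE_TARGET   /* file lives on a redirector (network) volume      */
} REQ_CLASS;

/* in_system_process is a hypothetical input: a driver would derive it in its
 * dispatch routine from the process context the request arrives in. */
REQ_CLASS classify_request(const FILE_OBJECT *fo, bool in_system_process)
{
    if (fo == NULL || fo->DeviceObject == NULL)
        return REQ_UNKNOWN;
    /* Characteristics describe the target device, not the requester. */
    if (fo->DeviceObject->Characteristics & FILE_REMOTE_DEVICE)
        return REQ_REMOTE_TARGET;
    /* SRV re-issues remote access as local access from system threads, so
     * this is only a hint: other system threads look exactly the same. */
    return in_system_process ? REQ_MAYBE_REMOTE : REQ_LOCAL;
}

/* Constructed samples: a local disk, a redirector volume, a bare file object. */
static DEVICE_OBJECT local_disk = { 0 };
static DEVICE_OBJECT redirector = { FILE_REMOTE_DEVICE };
static FILE_OBJECT on_local = { &local_disk };
static FILE_OBJECT on_share = { &redirector };
static FILE_OBJECT no_device = { NULL };

int main(void)
{
    printf("user app -> local disk : %d\n", classify_request(&on_local, false));
    printf("SRV      -> local disk : %d\n", classify_request(&on_local, true));
    printf("user app -> share      : %d\n", classify_request(&on_share, false));
    printf("no device object       : %d\n", classify_request(&no_device, false));
    return 0;
}
```

On Windows XP and later the I/O manager records remote origin on the file object itself, and a file system filter can query it with `IoIsFileOriginRemote` instead of inferring it from the requesting process.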