Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Retrieving Integrity Level in Post-Read

IanMIanM Member - All Emails Posts: 34

I have a filesystem MiniFilter driver and I want my post-read callback to know the integrity level of the process which initiated the IRP (or opened the file handle). I can't use ObOpenObjectByPointer with a PACCESS_TOKEN argument in the callback itself because ObOpenObjectByPointer requires IRQL <= APC_LEVEL, nor can I use a stream handle context because FltGetStreamHandleContext also needs IRQL <= APC_LEVEL.

Could someone suggest how I can get this information through to my post-read handler please?

Thanks very much,



  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,032
    > Could someone suggest how I can get this information through to my
    > post-read handler please?

    1) FLT_PREO_SYNCHRONIZE, bearing in mind that it will clobber performance
    2) Grab the stream handle context in pre and pass it across as the
    CompletionContext. You might have to post the dereference.
    3) Or do the dance to get filter manager to call you at <= APC_LEVEL (I
    cannot remember the name because I never use it because it can fail which is
    not a particularly useful paradigm IMO) and get the stream handle context

    I must admit to being surprised that there was a IRQL limit, I guess its one
    of those things that you remember every time you start a new minifilter
  • Slava_ImameevSlava_Imameev Member Posts: 480
    Why do you need ObOpenObjectByPointer ?

    Query the integrity level in pre-read with SeQueryInformationToken and pass it to the post-read callback. As we are talking about a read operation the performance impact from SeQueryInformationToken will be negligible as it normally copies data from the token structure. You can also be assured about pre-read IRQL being <= APC_LEVEL.

    SeQueryInformationToken( Token,
    &IntegrityLevel );
  • IanMIanM Member - All Emails Posts: 34
    Thank you both very much. Slava is right that I didn't need the ObOpenObjectByPointer so my code now looks a bit like this:

    PACCESS_TOKEN pAccessToken = PsReferencePrimaryToken(pEProcess);
    status = SeQueryInformationToken(pAccessToken, TokenIntegrityLevel, &Integrity);
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA