
UNC Path - requestor process

Mark_Sharpe (Member, Posts: 2)
Hello list,

I am working on a minifilter which logs who (process) opened a given file.
I noticed that if I open the file using a UNC path, e.g. \\localhost\c$\monitoredDir\monitoredFile.ext, the requestor process is system; I'm not monitoring FILE_DEVICE_NETWORK_FILE_SYSTEM file objects.

I understand this is because of how redirection works (as this could be a network path):
PRE Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] - app.exe (not monitored file object, fo1)
PRE Create [\device\harddiskvolume1\localhost\monitoredDir\monitoredFile.ext] - system (monitored file object, fo2)
POST Create [\device\harddiskvolume1\localhost\monitoredDir\monitoredFile.ext] - system (monitored file object)
POST Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] - app.exe (not monitored file object)

I need to find a reliable way to get the real requestor process of the monitored file object.
I was trying to connect those two file objects (fo1, fo2) to get the real requestor process of fo2, but it looks like they are independent, which makes sense.
I focused on local FS file objects as it is easier to determine whether they are interesting or not, based on their paths.
I could probably compare the paths of fo1 and fo2 somewhere between the 1st PRE create and the 1st POST create, but I am not sure if that is a good idea.

Is there a way to get the real requestor of fo2? Or should I change my thinking and try to determine whether the fo1 path is local and interesting to me?

I would be very grateful for any help,
Mark
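As an added illustration (not code from this thread, and user-mode rather than driver code), here is the pairing Mark sketches: a local-volume PRE create that arrives between a \device\mup PRE create and its POST create, and whose path ends with the same share-relative tail, is credited to the process named on the MUP open. It runs over a constructed trace in the format of the log above; the function names are mine, and because the trace carries no thread or request identifiers the pairing rests on nesting order plus the path tail, so it is a heuristic rather than proof of origin, and a local open with no enclosing MUP open is reported as unattributed.

```python
import re

# Log line shape of the minifilter trace quoted in the post: "<PRE|POST> Create [<nt path>] - <requestor>"
LINE_RE = re.compile(r"^(PRE|POST) Create \[(.+?)\] - (\S+)$")
MUP_PREFIX = "\\device\\mup\\"

# Constructed trace (not captured from the poster's system): the four lines from the post,
# followed by a local open that no MUP open encloses (e.g. one arriving for a remote client).
SAMPLE_TRACE = r"""
PRE Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] - app.exe
PRE Create [\device\harddiskvolume1\localhost\monitoredDir\monitoredFile.ext] - system
POST Create [\device\harddiskvolume1\localhost\monitoredDir\monitoredFile.ext] - system
POST Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] - app.exe
PRE Create [\device\harddiskvolume1\monitoredDir\monitoredFile.ext] - system
POST Create [\device\harddiskvolume1\monitoredDir\monitoredFile.ext] - system
"""

def share_relative_tail(mup_path):
    """Strip \\device\\mup\\<server>\\<share>\\ and return the path below the share."""
    parts = mup_path[len(MUP_PREFIX):].split("\\", 2)  # server, share, remainder
    return parts[2] if len(parts) == 3 else ""

def attribute_local_opens(trace):
    """Pair each local-volume PRE create with the in-flight MUP open whose share-relative tail
    it ends with; return [(local_path, requestor)], "unattributed" when nothing matched."""
    in_flight = []  # (tail, requestor) for MUP opens seen in PRE but not yet in POST
    result = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        phase, path, requestor = m.groups()
        lpath = path.lower()  # NT paths are case-insensitive; compare lowercased
        if lpath.startswith(MUP_PREFIX):
            tail = share_relative_tail(lpath)
            if phase == "PRE":
                in_flight.append((tail, requestor))
            else:  # POST completes the outer open: retire its most recent in-flight entry
                entry = next((e for e in reversed(in_flight) if e[0] == tail), None)
                if entry is not None:
                    in_flight.remove(entry)
        elif phase == "PRE":
            owner = "unattributed"
            for tail, req in reversed(in_flight):  # innermost enclosing MUP open first
                if tail and lpath.endswith("\\" + tail):
                    owner = req
                    break
            result.append((path, owner))
    return result
```

Calling `attribute_local_opens(SAMPLE_TRACE)` credits the first local open to app.exe and reports the second as unattributed.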

Comments

  • Gabriel_Bercea (Member, Posts: 464)
    You need to think about it one step further.
    What if you had a share on the OS your minifilter is installed on, and some
    computer on the network accesses the share? There is no way to tell which
    "process" on the computer on the network is requiring access.
    All you can hope for is to associate the FO_REMOTE_ORIGIN flag in the
    FileObject so as to know that the file has been opened over the network.
    You could alternatively try to look at the system-defined ECPs[1] and see if
    any of the ones there help you in any way, although I doubt it.

    [1]
    https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/system-defined-ecps

    Cheers,
    Gabriel
    www.kasardia.com

    On Mon, Jan 29, 2018 at 10:46 AM, xxxxx@gmail.com wrote:


  • Mark_Sharpe (Member, Posts: 2)
    Thank you Gabriel,

    Good point, I was focusing on local files accessed "remote-way" but that
    case will make it even harder to link together the mentioned file objects.
    I will try with your suggestions and update if it helps.

    Best Regards,
    Mark


    2018-01-29 20:56 GMT+01:00 Gabriel Bercea <xxxxx@lists.osr.com>:
