Local SMB request

Hi folks.

I have a simple minifilter driver that is intercepting PreCreate.

  1. If one uses a “local” UNC path to a given share (e.g. using loopback \\127.0.0.1), inside my minifilter I see two requests: one coming from the application that is issuing NtCreateFile (which is obvious). My driver is intercepting this call.
    After that (here is my question, to confirm whether my understanding is correct) fltmgr will redirect this request to MUP (as the parsed path will look MUP-like) and it will go through SMB. A few cycles later I can see srv2 opening the same file, but this time the file is properly resolved to a local path. I understand that right after the “first” fltmgr call the system is reparsing this request to use SMB - correct?

  2. As I can see, the request coming from SMB is in fact always executed in SYSTEM thread context. I understand this is because there is a thread/pool of threads working on behalf of SMB that serves incoming requests from outside - is that correct (srv2!RfspThreadPoolNodeWorkerRun)?

  3. I presume I know what the answer will be, but ;) … is it possible to somehow find the ProcessId on behalf of which a given (in fact local) SMB request is being performed? (I'm talking about really local SMB requests.)

Some explanation.
My minifilter is working just fine with pre-create on really local requests. Once I started to use loopback to access files, some issues arose because I cannot find what the real accessed path is - in other words, I cannot map the UNC path to a local drive (I guess a post callback would have it resolved already). If, however, I could process the SMB requests which contain the local path (but for which I cannot find the real requestor ID), it would be enough.

Thanks.

The SRV_OPEN_ECP_CONTEXT on the SRV create should tell you that it’s a loopback request, though AFAIK there’s no available way to get the PID.