
Best way to retrieve user name in combined kernel/user mode system?

Alorynn Member Posts: 13

One of the features of a minifilter->user mode server system I'm helping build requires us to log user access attempts to certain files. There are a number of ways to get user IDs in both KM and UM but I was just wondering if there's a "best practices" way of doing so, ensuring the user ID I log belongs to the Windows account that actually tried to open the file, and not a system/admin/etc. account running the minifilter and server?

Advice appreciated, especially for a UM solution as I'd prefer not to monkey with our driver code! :)

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,442

    If you're in Pre/Post IRP_MJ_CREATE you can retrieve the SID of the requestor using the following:

    _Use_decl_annotations_
    VOID
    FsUtilGetRequestorSid(
        PFLT_CALLBACK_DATA Data,
        PSE_SID SeSid)
    {
        SID_IDENTIFIER_AUTHORITY  nullAuthority = SECURITY_NULL_SID_AUTHORITY;
        PACCESS_STATE             accessState;
        PACCESS_TOKEN             requestorToken;
        PTOKEN_USER               tokenUserInfo = NULL;
        NTSTATUS                  status;
        PSECURITY_SUBJECT_CONTEXT requestorSubjectContext;
    
        //
        // This routine returns a NULL SID if we fail to query
        //
        RtlInitializeSid(&SeSid->Sid,
                         &nullAuthority, 
                         1);
    
        accessState = Data->Iopb->Parameters.Create.SecurityContext->AccessState;
    
        requestorSubjectContext = &accessState->SubjectSecurityContext;
    
        SeLockSubjectContext(requestorSubjectContext);
    
        // 
        // SeQuerySubjectContextToken does the right thing and returns us either the
        // impersonation token or the process token of the requestor
        // 
        requestorToken = SeQuerySubjectContextToken(requestorSubjectContext);
    
        // 
        // This doesn't fail, there is always one or the other
        // 
        ASSERT(requestorToken);
    
        // 
        // Query the token to retrieve the user SID
        //  
        status = SeQueryInformationToken(requestorToken,
                                         TokenUser,
                                         (PVOID *)&tokenUserInfo);
    
        if (!NT_SUCCESS(status)) {
    
            goto Exit;
    
        }
    
    
        RtlCopyMemory(&SeSid->Sid,
                      tokenUserInfo->User.Sid,
                      RtlLengthSid(tokenUserInfo->User.Sid));
    
    Exit:
    
        SeUnlockSubjectContext(requestorSubjectContext);
    
        if (tokenUserInfo != NULL) {
    
            ExFreePool(tokenUserInfo);
    
        }
    
        return;
    
    }
    
    

    User mode can then easily translate the SID to a user name (e.g. LookupAccountSid).

    -scott
    OSR

  • MBond2 Member Posts: 304

    If you are going to log, log the invariant SID - the user name can change, but this can't. Then in a tool that views the log, perform the conversion based on the then-current name etc. for that SID. This often comes up when people change their names after marriage etc.
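The user-mode half of what the two replies above describe, as an added example that is not code from the thread or from OSR: a portable C routine that takes the raw SID bytes the driver copies into the SE_SID buffer, renders them as the invariant "S-1-..." string for the log entry, rejects truncated or malformed buffers, and flags the two identities that must never be logged as the requesting user (the null SID FsUtilGetRequestorSid falls back to, and LocalSystem). The byte layout is the documented SID structure; the function names, the sample SIDs in the comments and the decision to leave LookupAccountSid to the log viewer are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a Windows SID (the SID struct the driver copies into SE_SID.Sid):
 *   Revision (1 byte), SubAuthorityCount (1 byte),
 *   IdentifierAuthority (6 bytes, big-endian),
 *   SubAuthority[SubAuthorityCount] (little-endian 32-bit each). */
#define SID_REVISION            1
#define SID_MAX_SUB_AUTHORITIES 15

/* Render a raw SID buffer as "S-1-<authority>-<sub>..." for the log.
 * Returns the characters written, or -1 if the buffer is not a well-formed SID
 * (bad revision, sub-authority count beyond the bytes actually received, or
 * no room in out), so a truncated message never yields a plausible identity. */
int sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < 8 || buf[0] != SID_REVISION || buf[1] > SID_MAX_SUB_AUTHORITIES)
        return -1;
    size_t count = buf[1];
    if (len < 8 + 4 * count) return -1;      /* sub-authority array truncated */

    uint64_t authority = 0;                  /* 48-bit big-endian authority */
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | buf[2 + i];

    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)buf[0],
                     (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = buf + 8 + 4 * i;  /* little-endian sub-authority */
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* The sanity check the original question asks for: "S-1-0-..." is the null SID
 * FsUtilGetRequestorSid leaves behind when the token query fails, and S-1-5-18
 * is LocalSystem, the account a driver's user-mode service typically runs as.
 * Neither should be written to the log as the user who opened the file. */
int sid_is_null_or_system(const char *sid_str)
{
    return strncmp(sid_str, "S-1-0-", 6) == 0 || strcmp(sid_str, "S-1-5-18") == 0;
}
```

Call sid_to_string on the bytes received from the driver before they leave the server process, and resolve the string with LookupAccountSid only when the log is viewed.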
