Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


query on remote process accessing files

vvlsekvvlsek Member Posts: 13

Hi,

I have an application in Machine A which needs to monitor the remote process accessing my shared drive or modifying Items in shared drive. Is there a possibility to know the Process Name or hash of the Remote process from Machine A? I was trying with procmon to see if the utility gets, it was showing as a local system process. I did not see the actual remote process name. Is it possible to get the data? Is there a way?

Any pointers would help.
Thanks in advance

Comments

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,538

    Is it possible? Sure, just have some agent on every system that can access the local system remotely. What you have access to on the local system is pretty much limited to the SID of the account being used.

  • vvlsekvvlsek Member Posts: 13

    Could you elaborate more. currently I keep monitoring the shared drive. However all I could get is IP address of the remote machine modifying the contents. I don't get the name of the remote process modifying it.

  • vvlsekvvlsek Member Posts: 13

    Do you mean to say that the reason I am getting Remote process as "system process" is very much dependent on the SID of the account?

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,538

    No it's always going to be the system process, but it will be using the creds of the remote user for file access.

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,317

    You may be expecting too much. Remember that the only communication between the two systems is the SMB protocol, which was designed to transfer sectors of files. Your system has no visibility into the other system at all -- all you get is whatever came in the SMB packets. You get a SID, but no other identifying information.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • vvlsekvvlsek Member Posts: 13

    Got it. Thanks the details. This helps.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 12 September 2022 Live, Online
Internals & Software Drivers 23 October 2022 Live, Online
Kernel Debugging 14 November 2022 Live, Online
Developing Minifilters 5 December 2022 Live, Online