How get user name in file system filter driver

Dear Tony and Everyone!
Could you help me with next issue?
Using IoGetRequestorProcess(Irp) function in my filter driver I can get
process that originates file system request.
Is it possible to retrieve the user name under whose account this process
runs at the moment when “Create” request is intercepted by my filter driver?
Mikhail

You can get the SID at kernel level and then pass this data to
a user mode application. Having the SID you can get the name
from user mode by means of LookupAccountSid function.

To get the SID in kernel mode use ZwQueryInformationToken.
Depending on your thread being impersonated or not you
can use ZwOpenThreadToken or ZwOpenProcessToken to
get a valid handle for use in ZwQueryInformationToken.

Inaki.

-----Original Message-----
From: Mikhail Paley
Sent: Monday, March 6, 2000 19:44
To: File Systems Developers Interest List
Subject: [ntfsd] How get user name in file system filter driver

Dear Tony and Everyone!
Could you help me with next issue?
Using IoGetRequestorProcess(Irp) function in my filter driver I can get
process that originates file system request.
Is it possible to retrieve the user name under whose account this process
runs at the moment when “Create” request is intercepted by my filter
driver?
Mikhail



Yes; you do this by obtaining the security ID (SID) of the caller at the
time the IRP_MJ_CREATE is issued. Then, you should use a user mode service
to convert the SID to any other form (like the usual “domain\user”
mechanism.)

As I recall, I have an example of this in the OSR file systems class. Let
me know if you can’t find it and I’ll dig it up.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
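
Added example, not part of the original thread or of OSR's class material: both replies hand the SID from the driver to a user-mode service, so the service should check the raw bytes before passing them to LookupAccountSid. This portable C sketch validates the binary SID layout and formats it as text; the function names, the idea that the driver sends the raw SID bytes, and the sample SIDs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_REVISION_1  1   /* only revision defined for Windows SIDs */
#define SID_MAX_SUBAUTH 15  /* maximum number of sub-authorities      */

/* Constructed samples: S-1-5-18 and S-1-5-21-1-2-3-1001. */
static const uint8_t SAMPLE_SYSTEM_SID[] = {1, 1, 0, 0, 0, 0, 0, 5, 0x12, 0, 0, 0};
static const uint8_t SAMPLE_USER_SID[] = {1, 5, 0, 0, 0, 0, 0, 5, 0x15, 0, 0, 0,
    1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 0xE9, 0x03, 0, 0};

/* Layout: revision(1) count(1) authority(6, big-endian) sub-authorities(4 each,
 * little-endian). Returns the SID length in bytes, or 0 if buf[0..len) does not
 * hold a complete, well-formed SID. */
size_t sid_checked_length(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 8) return 0;
    if (buf[0] != SID_REVISION_1 || buf[1] > SID_MAX_SUBAUTH) return 0;
    size_t need = 8 + 4u * buf[1];
    return need <= len ? need : 0;   /* rejects truncated buffers */
}

/* Formats a validated SID as "S-1-5-..." (authority printed in decimal).
 * Returns 0 on success, -1 on a malformed SID or too small an output buffer. */
int sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (sid_checked_length(buf, len) == 0 || out == NULL || outlen == 0) return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | buf[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)buf[0],
                     (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t used = (size_t)n;
    for (unsigned i = 0; i < buf[1]; i++) {
        const uint8_t *p = buf + 8 + 4u * i;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)sub);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
    }
    return 0;
}
```

On Windows the service would call LookupAccountSid only on a buffer that passes `sid_checked_length`.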