Hi All,
I have a Shared folder on my machine. If some remote user [who has access to the shared folder] opens the shared file, I get the calls for this file in the context of System User.
I have used ZwOpenProcessTokenEx & ZwQueryInformationToken in IRP_MJ_CREATE to get the SID, but it returns the SID of the system process & not that of the remote user who is accessing this file.
What should be done to get the SID of the remote user who is accessing my shared files?
Thanks
Mahesh
I am not sure how it works for a remote drive, but did you try to inspect IrpSp->Parameters.Create.SecurityContext->AccessState.SubjectSecurityContext? First inspect in the debugger that ClientToken or PrimaryToken are not NULL, then you can use the SeXXX funcs below.
// AccessState is a pointer (PACCESS_STATE), so it is dereferenced with ->
pSubjectSecurityContext = &IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext;
SeLockSubjectContext(pSubjectSecurityContext);
// Yields ClientToken when the thread is impersonating, otherwise PrimaryToken
ClientToken = SeQuerySubjectContextToken(pSubjectSecurityContext);
SeQueryInformationToken(ClientToken, TokenUser,…);
SeUnlockSubjectContext(pSubjectSecurityContext);
-bg
Use Parameters.Create.SecurityContext->ClientToken if it is not NULL
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Hi all,
Thanks Bronislav & Maxim for your inputs.
Using ClientToken [if it is not NULL] I got the SID of the remote user who is accessing the shared file.
Thanks
Mahesh
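The approach the replies above converge on, written out as an added example (not code posted by anyone in this thread): the token is taken from the subject context captured for the create request, so a remote open resolves to the impersonated client rather than the System process that ZwOpenProcessTokenEx sees. The function name GetRequestorUser is hypothetical, and the #else branch holds constructed stand-ins so the logic can be compiled and tested outside the kernel; a driver build uses the real ntifs.h declarations.

```c
#ifdef _KERNEL_MODE                 /* defined by MSVC /kernel in a driver build */
#include <ntifs.h>
#else                               /* constructed host stand-ins, testing only */
#include <stddef.h>
typedef int NTSTATUS; typedef unsigned char BOOLEAN;
typedef void *PVOID, *PACCESS_TOKEN, *PSID;
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
typedef enum { TokenUser = 1 } TOKEN_INFORMATION_CLASS;
typedef struct { PSID Sid; unsigned long Attributes; } SID_AND_ATTRIBUTES;
typedef struct { SID_AND_ATTRIBUTES User; } TOKEN_USER, *PTOKEN_USER;
typedef struct { PACCESS_TOKEN ClientToken; int ImpersonationLevel;
                 PACCESS_TOKEN PrimaryToken; PVOID ProcessAuditId;
} SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT;
#define SeLockSubjectContext(c)   ((void)(c))
#define SeUnlockSubjectContext(c) ((void)(c))
#define SeQuerySubjectContextToken(c) \
    ((c)->ClientToken ? (c)->ClientToken : (c)->PrimaryToken)
/* Stand-in: a fake token is just a TOKEN_USER; the real routine allocates one. */
static NTSTATUS SeQueryInformationToken(PACCESS_TOKEN t,
        TOKEN_INFORMATION_CLASS c, PVOID *out) { (void)c; *out = t; return 0; }
#endif

/* Resolve the user a create request is performed for. In IRP_MJ_CREATE, ctx is
 * &IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.
 * In a driver build the caller releases *User with ExFreePool(). */
NTSTATUS GetRequestorUser(PSECURITY_SUBJECT_CONTEXT ctx,
                          PTOKEN_USER *User, BOOLEAN *Impersonated)
{
    NTSTATUS status = STATUS_INVALID_PARAMETER;
    PACCESS_TOKEN token;

    *User = NULL;
    *Impersonated = 0;
    if (ctx == NULL)
        return status;

    SeLockSubjectContext(ctx);                /* lock the captured tokens */
    token = SeQuerySubjectContextToken(ctx);  /* ClientToken, else PrimaryToken */
    if (token != NULL) {
        *Impersonated = (BOOLEAN)(ctx->ClientToken != NULL);
        status = SeQueryInformationToken(token, TokenUser, (PVOID *)User);
    }
    SeUnlockSubjectContext(ctx);
    return status;
}
```

When Impersonated comes back zero, the SID belongs to the process's primary token, which for requests served on behalf of a share is the System account described in the original question.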
Hey Mahesh_Dhannawat, can you please tell how you get the SID of remote users accessing the file? I am doing the same thing but only getting the local system user SID.
@jay96612 You’re asking… just in case the guy is around, 13 years later? Well, that certainly makes sense.
Not.
Do. Not. Necropost.
Peter