Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


How do I get the owner of the request

OSR_Community_UserOSR_Community_User Member Posts: 110,217
Hi All,
I have a filter driver which filters on the requests going to the FSD. My
problem is that if I want to distinguish whether the request is a local
request or whether it has come across the Network, how can I find it.

regards,
Shivas

> ----------
> From: Zhou, James
> Reply To: NT Developers Interest List
> Sent: Monday, April 17, 2000 3:32 PM
> To: NT Developers Interest List
> Subject: [ntdev] suspend/resume error message in win98
>
> Hi,
>
> When I do suspend/resume on Win98SE system with ACPI, I found the
> following
> message before the driver received power management notifications. Any
> body
> got any idea?
>
> "CM WARNS: Cannot do S3 because of MyDevice, trying to lighten sleep
> state"
> "CM WARNS: Cannot do S1 because of MyDevice, trying to lighten sleep
> state"
>
> Thanks
>
> James
>
> ---
> You are currently subscribed to ntdev as: [email protected]
> To unsubscribe send a blank email to $subst('Email.Unsub')
>

Comments

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    At 4/17/00 04:04 PM +0530, Shiva_Shankar wrote:
    > I have a filter driver which filters on the requests going
    > to the FSD. My problem is that if I want to distinguish whether
    > the request is a local request or whether it has come across
    > the Network, how can I find it.

    You should examine the DeviceObject structure in the current FileObject.
    The DeviceObject structure has a field called Characteristics that can have
    the following values:
    FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, FILE_FLOPPY_DISKETTE,
    FILE_WRITE_ONCE_MEDIA or FILE_REMOTE_DEVICE.

    So to see if a request comes across the network, test for
    FileObject->DeviceObject->Characteristics & FILE_REMORE_DEVICE


    With kind regards,

    Bartjan Wattel <mailto:[email protected]>
    ----------------------------------------- Yours, for X-Tra Security !!! ---
    ThunderStore HQ
    Ant. v.d. Heydenstraat 2, 5527 BV HAPERT, The Netherlands
    Tel: +31 (0)49 7383 505 / Fax: +31 (0)49 7388 440
    Web: http://www.thunderstore.com
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Note that Bartjan ask how to detect the origin of the request for a local
    file.
    This flag is not used when accesing local files, no matter request origin is
    local or remote.
    SRV component translates the remote access to a local access.

    Inaki.

    > -----Original Message-----
    > From: Bartjan Wattel
    > Sent: lunes 17 de abril de 2000 13:22
    > To: NT Developers Interest List
    > Subject: [ntdev] Re: How do I get the owner of the request
    >
    > At 4/17/00 04:04 PM +0530, Shiva_Shankar wrote:
    > > I have a filter driver which filters on the requests going
    > > to the FSD. My problem is that if I want to distinguish whether
    > > the request is a local request or whether it has come across
    > > the Network, how can I find it.
    >
    > You should examine the DeviceObject structure in the current FileObject.
    > The DeviceObject structure has a field called Characteristics that can
    > have
    > the following values:
    > FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, FILE_FLOPPY_DISKETTE,
    > FILE_WRITE_ONCE_MEDIA or FILE_REMOTE_DEVICE.
    >
    > So to see if a request comes across the network, test for
    > FileObject->DeviceObject->Characteristics & FILE_REMORE_DEVICE
    >
    >
    > With kind regards,
    >
    > Bartjan Wattel <mailto:[email protected]>
    > ----------------------------------------- Yours, for X-Tra Security !!!
    > ---
    > ThunderStore HQ
    > Ant. v.d. Heydenstraat 2, 5527 BV HAPERT, The Netherlands
    > Tel: +31 (0)49 7383 505 / Fax: +31 (0)49 7388 440
    > Web: http://www.thunderstore.com
    >
    >
    >
    > ---
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Hi,
    Thank you very much for your fast reply.
    regards,
    Shivas

    > ----------
    > From: Bartjan Wattel
    > Reply To: NT Developers Interest List
    > Sent: Monday, April 17, 2000 4:52 PM
    > To: NT Developers Interest List
    > Subject: [ntdev] Re: How do I get the owner of the request
    >
    > At 4/17/00 04:04 PM +0530, Shiva_Shankar wrote:
    > > I have a filter driver which filters on the requests going
    > > to the FSD. My problem is that if I want to distinguish whether
    > > the request is a local request or whether it has come across
    > > the Network, how can I find it.
    >
    > You should examine the DeviceObject structure in the current FileObject.
    > The DeviceObject structure has a field called Characteristics that can
    > have
    > the following values:
    > FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, FILE_FLOPPY_DISKETTE,
    > FILE_WRITE_ONCE_MEDIA or FILE_REMOTE_DEVICE.
    >
    > So to see if a request comes across the network, test for
    > FileObject->DeviceObject->Characteristics & FILE_REMORE_DEVICE
    >
    >
    > With kind regards,
    >
    > Bartjan Wattel
    > ----------------------------------------- Yours, for X-Tra Security !!!
    > ---
    > ThunderStore HQ
    > Ant. v.d. Heydenstraat 2, 5527 BV HAPERT, The Netherlands
    > Tel: +31 (0)49 7383 505 / Fax: +31 (0)49 7388 440
    > Web: http://www.thunderstore.com
    >
    >
    >
    > ---
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Hi I?aki Castillo

    Thanks for your reply, now please let me know if there is any way I
    can distinguish between the local IRP's and remote Irp's

    regards,
    Shivas


    > ----------
    > From: I?aki Castillo
    > Reply To: NT Developers Interest List
    > Sent: Monday, April 17, 2000 4:58 PM
    > To: NT Developers Interest List
    > Subject: [ntdev] Re: How do I get the owner of the request
    >
    > Note that Bartjan ask how to detect the origin of the request for a local
    > file.
    > This flag is not used when accesing local files, no matter request origin
    > is
    > local or remote.
    > SRV component translates the remote access to a local access.
    >
    > Inaki.
    >
    > > -----Original Message-----
    > > From: Bartjan Wattel
    > > Sent: lunes 17 de abril de 2000 13:22
    > > To: NT Developers Interest List
    > > Subject: [ntdev] Re: How do I get the owner of the request
    > >
    > > At 4/17/00 04:04 PM +0530, Shiva_Shankar wrote:
    > > > I have a filter driver which filters on the requests going
    > > > to the FSD. My problem is that if I want to distinguish whether
    > > > the request is a local request or whether it has come across
    > > > the Network, how can I find it.
    > >
    > > You should examine the DeviceObject structure in the current FileObject.
    > > The DeviceObject structure has a field called Characteristics that can
    > > have
    > > the following values:
    > > FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, FILE_FLOPPY_DISKETTE,
    > > FILE_WRITE_ONCE_MEDIA or FILE_REMOTE_DEVICE.
    > >
    > > So to see if a request comes across the network, test for
    > > FileObject->DeviceObject->Characteristics & FILE_REMORE_DEVICE
    > >
    > >
    > > With kind regards,
    > >
    > > Bartjan Wattel
    > > ----------------------------------------- Yours, for X-Tra Security !!!
    > > ---
    > > ThunderStore HQ
    > > Ant. v.d. Heydenstraat 2, 5527 BV HAPERT, The Netherlands
    > > Tel: +31 (0)49 7383 505 / Fax: +31 (0)49 7388 440
    > > Web: http://www.thunderstore.com
    > >
    > >
    > >
    > > ---
    > > You are currently subscribed to ntdev as: [email protected]
    > > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    > ---
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    In general this is not something NT is making available to you. You can get
    a lot of information about the initiating user from the create
    (IRP_MJ_CREATE) operation, but I don't think that 'user is remote' is part
    of this. You could possibly try to figure out who is ABOVE you on the stack.
    If srv is above you, this is a rather clear indication that this IO came
    from afar rather than locally. So, and I think this is a TERRIBLE HACK, you
    could walk up (illegally) the IO_STACK looking at the device objects above
    and seeing if any of them are linked to SRV.

    The idea in NT is that network security happens above and outside local
    filesystems (via srv and the io manager and the object manager and the
    security reference monitor etc.) Your local filesystem should only concern
    itself with per file persistent security, and then only if it implements per
    file persistent security, which so far only NTFS does. The local system has
    already blessed this user, you shouldn't have to re-examine his rights to
    access the system.

    On the other hand, if this is a QOS issue rather than a security issue I
    understand your problem.

    -----Original Message-----
    From: Shiva_Shankar [mailto:[email protected]]
    Sent: Monday, April 17, 2000 7:49 AM
    To: NT Developers Interest List
    Subject: [ntdev] Re: How do I get the owner of the request



    Hi I?aki Castillo


    Thanks for your reply, now please let me know if there is any way I
    can distinguish between the local IRP's and remote Irp's

    regards,
    Shivas


    ----------
    From: I?aki Castillo
    Reply To: NT Developers Interest List
    Sent: Monday, April 17, 2000 4:58 PM
    To: NT Developers Interest List
    Subject: [ntdev] Re: How do I get the owner of the request

    Note that Bartjan ask how to detect the origin of the request for a
    local
    file.
    This flag is not used when accesing local files, no matter request origin is

    local or remote.
    SRV component translates the remote access to a local access.

    Inaki.

    > -----Original Message-----
    > From: Bartjan Wattel
    > Sent: lunes 17 de abril de 2000 13:22
    > To: NT Developers Interest List
    > Subject: [ntdev] Re: How do I get the owner of the request
    >
    > At 4/17/00 04:04 PM +0530, Shiva_Shankar wrote:
    > > I have a filter driver which filters on the requests going
    > > to the FSD. My problem is that if I want to distinguish whether
    > > the request is a local request or whether it has come across
    > > the Network, how can I find it.
    >
    > You should examine the DeviceObject structure in the current FileObject.
    > The DeviceObject structure has a field called Characteristics that can
    > have
    > the following values:
    > FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, FILE_FLOPPY_DISKETTE,
    > FILE_WRITE_ONCE_MEDIA or FILE_REMOTE_DEVICE.
    >
    > So to see if a request comes across the network, test for
    > FileObject->DeviceObject->Characteristics & FILE_REMORE_DEVICE
    >
    >
    > With kind regards,
    >
    > Bartjan Wattel < mailto:[email protected] >
    > ----------------------------------------- Yours, for X-Tra Security !!!
    > ---
    > ThunderStore HQ
    > Ant. v.d. Heydenstraat 2, 5527 BV HAPERT, The Netherlands
    > Tel: +31 (0)49 7383 505 / Fax: +31 (0)49 7388 440
    > Web: http://www.thunderstore.com
    >
    >
    >
    > ---
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')

    ---
    You are currently subscribed to ntdev as: [email protected]
    To unsubscribe send a blank email to $subst('Email.Unsub')
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    As I have discussed in a previous mail there is no safe wayt to check this,
    but an unsafe check is to check the current process. If it is SYSTEM there
    is
    a good chance the request is comming in from SRV component,i.e, it is a
    remote or at least local mapped request. (of course any filter above you
    might
    use a system thread to call you )

    Also, note that SRV uses a pool of threads to dispatch requests. Whether
    these
    threads can be indentified or not I dont' know. Maybe someone in this list
    know
    how to check for these threads.

    Another, rather long, test to check for SRV threads is to check the SID for
    requesting therad
    and get the user name; it gives always "SYSTEM" as user name.


    Inaki.

    > -----Original Message-----
    > From: Shiva_Shankar
    > Sent: lunes 17 de abril de 2000 13:49
    > To: NT Developers Interest List
    > Subject: [ntdev] Re: How do I get the owner of the request
    >
    > Hi I?aki Castillo
    >
    >
    > Thanks for your reply, now please let me know if there is any way
    > I can distinguish between the local IRP's and remote Irp's
    >
    > regards,
    > Shivas
    >
    >
    > ----------
    > From: I?aki Castillo
    > Reply To: NT Developers Interest List
    > Sent: Monday, April 17, 2000 4:58 PM
    > To: NT Developers Interest List
    > Subject: [ntdev] Re: How do I get the owner of the request
    >
    > Note that Bartjan ask how to detect the origin of the request for a local
    > file.
    > This flag is not used when accesing local files, no matter request origin
    > is
    > local or remote.
    > SRV component translates the remote access to a local access.
    >
    > Inaki.
    >
    > > -----Original Message-----
    > > From: Bartjan Wattel
    > > Sent: lunes 17 de abril de 2000 13:22
    > > To: NT Developers Interest List
    > > Subject: [ntdev] Re: How do I get the owner of the request
    > >
    > > At 4/17/00 04:04 PM +0530, Shiva_Shankar wrote:
    > > > I have a filter driver which filters on the requests going
    > > > to the FSD. My problem is that if I want to distinguish whether
    > > > the request is a local request or whether it has come across
    > > > the Network, how can I find it.
    > >
    > > You should examine the DeviceObject structure in the current FileObject.
    >
    > > The DeviceObject structure has a field called Characteristics that can
    > > have
    > > the following values:
    > > FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, FILE_FLOPPY_DISKETTE,
    > > FILE_WRITE_ONCE_MEDIA or FILE_REMOTE_DEVICE.
    > >
    > > So to see if a request comes across the network, test for
    > > FileObject->DeviceObject->Characteristics & FILE_REMORE_DEVICE
    > >
    > >
    > > With kind regards,
    > >
    > > Bartjan Wattel <
    > > ----------------------------------------- Yours, for X-Tra Security !!!
    > > ---
    > > ThunderStore HQ
    > > Ant. v.d. Heydenstraat 2, 5527 BV HAPERT, The Netherlands
    > > Tel: +31 (0)49 7383 505 / Fax: +31 (0)49 7388 440
    > > Web: <http://www.thunderstore.com&gt;
    > >
    > >
    > >
    > > ---
    > > You are currently subscribed to ntdev as: [email protected]
    > > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
    > ---
    > You are currently subscribed to ntdev as: [email protected]
    > To unsubscribe send a blank email to $subst('Email.Unsub')
    >
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 January 2023 Live, Online
Developing Minifilters 20 March 2023 Live, Online
Writing WDF Drivers TBD 2023 Live, Online
Internals & Software Drivers 17 April 2023 Live, Online