Getting logon user's Sid

Anyone know a way to obtain the SID of a process’s logon user from within a driver? If I go after the IO_SECURITY_CONTEXT at IRP_MJ_CREATE to ACCESS_STATE and then SECURITY_SUBJECT_CONTEXT, the tokens there do not help me when I NtQueryInformationToken. My other thought was to use NtOpenProcess as an avenue to get the access token for the process, but NtOpenProcess seems to be different than the Win32 OpenProcess function.

Any help is appreciated.

Bill

The following sequence opens a process token and gets the TokenUser (SID) information from it.
Note that there are two calls to ZwQueryInformationToken, one to get the right size for the SID and the other to actually get the data.
Then you can use this data in any place you need a SID, for example in user space apps.
This code may also be used to get thread token information instead of process information.
To do this just replace ZwOpenProcessToken by ZwOpenThreadToken.

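    /* pHandle is a HANDLE to the process. ZwOpenProcessToken takes three
       arguments; ZwOpenThreadToken takes an extra BOOLEAN OpenAsSelf before
       the output handle. */
    tokenHandle = NULL;
    if (NT_SUCCESS(ZwOpenProcessToken(pHandle, TOKEN_QUERY, &tokenHandle)) && tokenHandle)
    {
        cb = 0;

        /* First call: ask only for the required size. */
        if (STATUS_BUFFER_TOO_SMALL == ZwQueryInformationToken(tokenHandle, TokenUser, NULL, 0, &cb))
        {
            if (cb <= MAX_SID_BUFFER)
            {
                ptrTokenInformation = ExAllocatePool(NonPagedPool, cb);
                if (ptrTokenInformation)
                {
                    /* Second call: fetch the data. */
                    if (STATUS_SUCCESS == ZwQueryInformationToken(tokenHandle, TokenUser, ptrTokenInformation, cb, &cb))
                    {
                        // Here you have the SID information in ptrTokenInformation
                        // (a TOKEN_USER; User.Sid points to the SID)
                        // etc, etc…
                    }
                    ExFreePool(ptrTokenInformation);
                }
            }
        }
        ZwClose(tokenHandle);
    }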

Inaki.

-----Original Message-----
From: Bill
Sent: Sunday, April 16, 2000 17:26
To: File Systems Developers
Subject: [ntfsd] Getting logon user’s Sid


Thanks for the information. Unfortunately when I tried it the SID was still
not valid. I tried using the process token and the thread token, neither
produced a valid SID. If this is working for you I’d like to know what NT
version and DDK you are using. I am working with NT 4.0 SP6.

----- Original Message -----
From: “Iñaki Castillo”
To: “File Systems Developers”
Sent: Monday, April 17, 2000 5:05 AM
Subject: [ntfsd] RE: Getting logon user’s Sid


Strange… :(
I have tested it with versions up to SP5 and even under W2000 final release.
I have not tested it under SP6 although I don't believe this may be the problem.
I use a somewhat old DDK and the Beta 3 IFS Kit.

Perhaps you are not passing the right handle to ZwOpenProcessToken.
Are you getting errors when calling these functions or simply the SID does not work?

Is your code reaching the second ZwQueryInformationToken?

Inaki.

-----Original Message-----
From: Bill
Sent: Monday, April 17, 2000 19:58
To: File Systems Developers
Subject: [ntfsd] RE: Getting logon user’s Sid


I used the EPROCESS pointer from PsGetCurrentProcess for the
ZwOpenProcessToken and the ETHREAD pointer from the IRP for the
ZwOpenThreadToken calls.

I don’t have the IFS, only the DDK so I had to create a set of function
prototypes to build the code. Perhaps the constants TOKEN_QUERY and
TokenUser are not correct as I used the Win32 headers for these values. All
calls seem to work, through the 2nd ZwQueryInformationToken. But RtlValidSid
says the SID isn’t any good.

----- Original Message -----
From: “Iñaki Castillo”
To: “File Systems Developers”
Sent: Monday, April 17, 2000 2:05 PM
Subject: [ntfsd] RE: Getting logon user’s Sid

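An added example, not part of the thread: the buffer a TokenUser query fills is a TOKEN_USER structure whose first field is a pointer to the SID, so a validity check such as RtlValidSid has to be given User.Sid rather than the start of the buffer. The portable C below uses hypothetical X_-prefixed stand-ins for the Windows types, a simplified stand-in for RtlValidSid, and constructed SID values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for SID, SID_AND_ATTRIBUTES, TOKEN_USER; X_ names are hypothetical. */
typedef struct { uint8_t Revision, SubAuthorityCount, Authority[6];
                 uint32_t SubAuthority[1]; } X_SID;
typedef struct { X_SID *Sid; uint32_t Attributes; } X_SID_AND_ATTRIBUTES;
typedef struct { X_SID_AND_ATTRIBUTES User; } X_TOKEN_USER;
#define X_SID_HDR offsetof(X_SID, SubAuthority)

/* Simplified stand-in for RtlValidSid: revision 1, <= 15 sub-authorities, fits. */
static int sid_looks_valid(const void *p, size_t avail)
{
    const X_SID *s = p;
    if (avail < X_SID_HDR || s->Revision != 1 || s->SubAuthorityCount > 15)
        return 0;
    return avail >= X_SID_HDR + 4u * s->SubAuthorityCount;
}

static union { uint64_t align; uint8_t bytes[64]; } g_buf;
/* Lay out g_buf like a TokenUser result: header first, then the SID (constructed). */
static size_t build_token_user(void)
{
    static const uint32_t subs[5] = { 21, 1111, 2222, 3333, 1000 };
    X_TOKEN_USER *tu = (X_TOKEN_USER *)g_buf.bytes;
    X_SID *sid = (X_SID *)(g_buf.bytes + sizeof *tu);
    memset(&g_buf, 0, sizeof g_buf);
    sid->Revision = 1; sid->SubAuthorityCount = 5;
    sid->Authority[5] = 5;                       /* SECURITY_NT_AUTHORITY */
    memcpy((uint8_t *)sid + X_SID_HDR, subs, sizeof subs);
    tu->User.Sid = sid;
    return sizeof *tu + X_SID_HDR + sizeof subs;
}

/* Mistake: the start of the buffer holds a pointer, not a SID. */
int check_buffer_start(void)
{
    return sid_looks_valid(g_buf.bytes, build_token_user());
}

/* Correct: validate the SID that TOKEN_USER.User.Sid points to. */
int check_user_sid(void)
{
    size_t cb = build_token_user();
    return sid_looks_valid(((X_TOKEN_USER *)g_buf.bytes)->User.Sid, cb - sizeof(X_TOKEN_USER));
}

int main(void) { return !(check_buffer_start() == 0 && check_user_sid() == 1); }
```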