Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


File Access

Utsav_AgarwalUtsav_Agarwal Member Posts: 46
Hi,

I am writing a minifilter driver to protect some shared files from network access.
In the PreCreate how do I find out from where the file is accessed (local or network)?

Thanks and Regards
Utsav

Comments

  • Peter_ScottPeter_Scott Member - All Emails Posts: 750
    On 9/21/2011 4:47 AM, [email protected] wrote:
    > Hi,
    >
    > I am writing a minifilter driver to protect some shared files from network access.
    > In the PreCreate how do I find out from where the file is accessed (local or network)?
    >

    This would depend on where your filter is located. If you are filtering
    local volumes then you can be assured that all the file accesses are
    local. If you are filtering a network instance, as determined in your
    InstanceSetup callback, then you can be assured the files are remote.

    Of course implementations of other products above or below you could
    alter that assumption but in general it will hold.

    Pete

    --
    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

  • Utsav_AgarwalUtsav_Agarwal Member Posts: 46
    I am sorry, I am not much clear in my question.

    Suppose 'Machine A' has shared some files on the network.
    I am writing the driver for Machine A to protect these shared files from other machines on the network.
  • Peter_ScottPeter_Scott Member - All Emails Posts: 750
    On 9/21/2011 6:22 AM, [email protected] wrote:
    > I am sorry, I am not much clear in my question.
    >
    > Suppose 'Machine A' has shared some files on the network.
    > I am writing the driver for Machine A to protect these shared files from other machines on the network.
    >

    This is, in general, difficult to determine reliably. Read this article
    for some hints on how to do it.

    http://www.osronline.com/article.cfm?article=17#Q59

    Basically you need to determine in pre-create whether the access is from
    a remote or local process.

    Pete

    --
    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    > In the PreCreate how do I find out from where the file is accessed (local or network)?

    Check for NETWORK pseudo-SID in the caller's access token.

    Actually, just put an ACL on files which will have "NETWORK:No Access".

    --
    Maxim S. Shatskih
    Windows DDK MVP
    [email protected]
    http://www.storagecraft.com
  • Utsav_AgarwalUtsav_Agarwal Member Posts: 46
    Solved but not sure.

    First I checked for the process, if it is SYSTEM or not
    then i got the impersonation level from
    Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel
    and if the impersonation level is SecurityImpersonation then the file is being accessed from the network.

    This is working fine but I don't know if this is the right way or not.
  • Christian_AllredChristian_Allred Member Posts: 104
    If your filter is running on Windows 7 or higher look for the GUID_ECP_SRV_OPEN ECP on create. Its presence will tell you that the create came from the network (and its absence that the file was opened locally). The associated structure, SRV_OPEN_ECP_CONTEXT, contains information about the share and the client that opened the file.

    -- Christian [MSFT]
  • Bill_WandelBill_Wandel Member - All Emails Posts: 237
    I thought that a registry setting had to be set to enable this ECP.

    Bill Wandel

    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of
    [email protected]
    Sent: Tuesday, September 27, 2011 5:18 PM
    To: Windows File Systems Devs Interest List
    Subject: RE:[ntfsd] File Access

    If your filter is running on Windows 7 or higher look for the
    GUID_ECP_SRV_OPEN ECP on create. Its presence will tell you that the create
    came from the network (and its absence that the file was opened locally).
    The associated structure, SRV_OPEN_ECP_CONTEXT, contains information about
    the share and the client that opened the file.

    -- Christian [MSFT]

    ---
    NTFSD is sponsored by OSR

    For our schedule of debugging and file system seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at
    http://www.osronline.com/page.cfm?name=ListServer
  • Christian_AllredChristian_Allred Member Posts: 104
    Ah yes, that is true. I'd forgotten about that.

    On 9/27/2011 3:59 PM, Bill Wandel wrote:
    > I thought that a registry setting had to be set to enable this ECP.
    >
    > Bill Wandel
    >


    --
    Christian [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Utsav_AgarwalUtsav_Agarwal Member Posts: 46
    Thanks Christian and Bill.

    What in case of XP and Vista?

    Is the method that I mentioned wrong? Will it not work under all conditions?

    Regards
    Utsav
  • Doug_NDoug_N Member - All Emails Posts: 105
    Do you know what the registry setting is? I tried getting this to work
    about a year ago and finally gave up because I never saw the
    SRV_OPEN_ECP_CONTEXT passed in.

    Thanks
    Doug

    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of Christian Allred
    [MSFT]
    Sent: Tuesday, September 27, 2011 8:15 PM
    To: Windows File Systems Devs Interest List
    Subject: Re:[ntfsd] File Access

    Ah yes, that is true. I'd forgotten about that.

    On 9/27/2011 3:59 PM, Bill Wandel wrote:
    > I thought that a registry setting had to be set to enable this ECP.
    >
    > Bill Wandel
    >


    --
    Christian [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.

    ---
    NTFSD is sponsored by OSR

    For our schedule of debugging and file system seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at
    http://www.osronline.com/page.cfm?name=ListServer
  • Bill_WandelBill_Wandel Member - All Emails Posts: 237
    This is from a previous reply by Alex Carp:

    Yeah, IIRC you need to set
    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\enableecp = 1
    (or maybe enableecps ?)

    Bill Wandel

    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of Doug Nebeker
    Sent: Wednesday, September 28, 2011 8:57 AM
    To: Windows File Systems Devs Interest List
    Subject: RE: [ntfsd] File Access

    Do you know what the registry setting is? I tried getting this to work
    about a year ago and finally gave up because I never saw the
    SRV_OPEN_ECP_CONTEXT passed in.

    Thanks
    Doug

    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]om] On Behalf Of Christian Allred
    [MSFT]
    Sent: Tuesday, September 27, 2011 8:15 PM
    To: Windows File Systems Devs Interest List
    Subject: Re:[ntfsd] File Access

    Ah yes, that is true. I'd forgotten about that.

    On 9/27/2011 3:59 PM, Bill Wandel wrote:
    > I thought that a registry setting had to be set to enable this ECP.
    >
    > Bill Wandel
    >


    --
    Christian [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.

    ---
    NTFSD is sponsored by OSR

    For our schedule of debugging and file system seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at
    http://www.osronline.com/page.cfm?name=ListServer



    ---
    NTFSD is sponsored by OSR

    For our schedule of debugging and file system seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at
    http://www.osronline.com/page.cfm?name=ListServer
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 12 September 2022 Live, Online
Internals & Software Drivers 23 October 2022 Live, Online
Kernel Debugging 14 November 2022 Live, Online
Developing Minifilters 5 December 2022 Live, Online