File Access

Hi,

I am writing a minifilter driver to protect some shared files from network access.
In the PreCreate how do I find out from where the file is accessed (local or network)?

Thanks and Regards
Utsav

On 9/21/2011 4:47 AM, xxxxx@gmail.com wrote:

> Hi,
>
> I am writing a minifilter driver to protect some shared files from network access.
> In the PreCreate how do I find out from where the file is accessed (local or network)?

This would depend on where your filter is located. If you are filtering
local volumes then you can be assured that all the file accesses are
local. If you are filtering a network instance, as determined in your
InstanceSetup callback, then you can be assured the files are remote.

Of course implementations of other products above or below you could
alter that assumption but in general it will hold.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

I am sorry, I was not very clear in my question.

Suppose ‘Machine A’ has shared some files on the network.
I am writing the driver for Machine A to protect these shared files from other machines on the network.

On 9/21/2011 6:22 AM, xxxxx@gmail.com wrote:

> I am sorry, I was not very clear in my question.
>
> Suppose ‘Machine A’ has shared some files on the network.
> I am writing the driver for Machine A to protect these shared files from other machines on the network.

This is, in general, difficult to determine reliably. Read this article
for some hints on how to do it.

http://www.osronline.com/article.cfm?article=17#Q59

Basically you need to determine in pre-create whether the access is from
a remote or local process.

Pete



> In the PreCreate how do I find out from where the file is accessed (local or network)?

Check for the NETWORK pseudo-SID in the caller’s access token.

Actually, just put an ACL on the files which has “NETWORK:No Access”.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
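
The ACL approach suggested above, as an added example that is not part of the original thread: a PowerShell script that places an explicit deny ACE for the NETWORK well-known SID (S-1-5-2) on a shared folder and confirms it is present. The path D:\Shares\Protected and the function names are assumptions made for illustration.

```powershell
# Added example, not from the thread. $SharedRoot is a hypothetical folder.
param([string]$SharedRoot = 'D:\Shares\Protected')

# NETWORK (S-1-5-2) is the well-known SID carried by tokens of network logons.
$networkSid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::NetworkSid, $null)

function Test-NetworkDeny {
    param([Parameter(Mandatory)][string]$Path)
    # Explicit ACEs only, resolved as SIDs so the match is locale-independent.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $networkSid.Value -and
            $rule.AccessControlType -eq 'Deny') { return $true }
    }
    return $false
}

function Add-NetworkDeny {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-NetworkDeny -Path $Path) { return }   # already protected

    # On a folder, let the ACE flow down to every child file and subfolder.
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    [System.Security.AccessControl.InheritanceFlags]$inherit =
        if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }

    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $networkSid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Add-NetworkDeny -Path $SharedRoot
if (-not (Test-NetworkDeny -Path $SharedRoot)) {
    throw "Deny ACE for NETWORK was not applied to $SharedRoot"
}
```

Run it elevated on the machine that hosts the share. The deny entry applies to every account that reaches the files through a network logon, administrators included.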

Solved but not sure.

First I checked whether the process is SYSTEM or not,
then I got the impersonation level from
Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel
and if the impersonation level is SecurityImpersonation then the file is being accessed from the network.

This is working fine but I don’t know if this is the right way or not.

If your filter is running on Windows 7 or higher look for the GUID_ECP_SRV_OPEN ECP on create. Its presence will tell you that the create came from the network (and its absence that the file was opened locally). The associated structure, SRV_OPEN_ECP_CONTEXT, contains information about the share and the client that opened the file.

– Christian [MSFT]

I thought that a registry setting had to be set to enable this ECP.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@microsoft.com
Sent: Tuesday, September 27, 2011 5:18 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] File Access

If your filter is running on Windows 7 or higher look for the
GUID_ECP_SRV_OPEN ECP on create. Its presence will tell you that the create
came from the network (and its absence that the file was opened locally).
The associated structure, SRV_OPEN_ECP_CONTEXT, contains information about
the share and the client that opened the file.

– Christian [MSFT]


NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Ah yes, that is true. I’d forgotten about that.

On 9/27/2011 3:59 PM, Bill Wandel wrote:

> I thought that a registry setting had to be set to enable this ECP.
>
> Bill Wandel


Christian [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights.

Thanks Christian and Bill.

What about in the case of XP and Vista?

Is the method that I mentioned wrong? Will it not work under all conditions?

Regards
Utsav

Do you know what the registry setting is? I tried getting this to work
about a year ago and finally gave up because I never saw the
SRV_OPEN_ECP_CONTEXT passed in.

Thanks
Doug

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Christian Allred
[MSFT]
Sent: Tuesday, September 27, 2011 8:15 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] File Access

Ah yes, that is true. I’d forgotten about that.

On 9/27/2011 3:59 PM, Bill Wandel wrote:

I thought that a registry setting had to be set to enable this ECP.

Bill Wandel


Christian [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights.



This is from a previous reply by Alex Carp:

> Yeah, IIRC you need to set
> HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\enableecp = 1
> (or maybe enableecps ?)

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Doug Nebeker
Sent: Wednesday, September 28, 2011 8:57 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] File Access

Do you know what the registry setting is? I tried getting this to work
about a year ago and finally gave up because I never saw the
SRV_OPEN_ECP_CONTEXT passed in.

Thanks
Doug
