Comments
> Hi,
>
> I am writing a minifilter driver to protect some shared files from network access.
> In the PreCreate how do I find out from where the file is accessed (local or network)?
>
This would depend on where your filter is located. If you are filtering
local volumes then you can be assured that all the file accesses are
local. If you are filtering a network instance, as determined in your
InstanceSetup callback, then you can be assured the files are remote.
Of course implementations of other products above or below you could
alter that assumption but in general it will hold.
Pete
--
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
Suppose 'Machine A' has shared some files on the network.
I am writing the driver for Machine A to protect these shared files from other machines on the network.
> I am sorry, I am not much clear in my question.
>
> Suppose 'Machine A' has shared some files on the network.
> I am writing the driver for Machine A to protect these shared files from other machines on the network.
>
This is, in general, difficult to determine reliably. Read this article
for some hints on how to do it.
http://www.osronline.com/article.cfm?article=17#Q59
Basically you need to determine in pre-create whether the access is from
a remote or local process.
Pete
--
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
Check for NETWORK pseudo-SID in the caller's access token.
Actually, just put an ACL on files which will have "NETWORK:No Access".
--
Maxim S. Shatskih
Windows DDK MVP
[email protected]
http://www.storagecraft.com
First I checked for the process, if it is SYSTEM or not
then I got the impersonation level from
Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel
and if the impersonation level is SecurityImpersonation then the file is being accessed from the network.
This is working fine but I don't know if this is the right way or not.
-- Christian [MSFT]
Bill Wandel
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Tuesday, September 27, 2011 5:18 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] File Access
If your filter is running on Windows 7 or higher look for the
GUID_ECP_SRV_OPEN ECP on create. Its presence will tell you that the create
came from the network (and its absence that the file was opened locally).
The associated structure, SRV_OPEN_ECP_CONTEXT, contains information about
the share and the client that opened the file.
-- Christian [MSFT]
---
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
On 9/27/2011 3:59 PM, Bill Wandel wrote:
> I thought that a registry setting had to be set to enable this ECP.
>
> Bill Wandel
>
--
Christian [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
What about in the case of XP and Vista?
Is the method that I mentioned wrong? Will it not work under all conditions?
Regards
Utsav
Do you know what the registry setting is? I tried getting this to work
about a year ago and finally gave up because I never saw the
SRV_OPEN_ECP_CONTEXT passed in.
Thanks
Doug
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Christian Allred
[MSFT]
Sent: Tuesday, September 27, 2011 8:15 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] File Access
Ah yes, that is true. I'd forgotten about that.
On 9/27/2011 3:59 PM, Bill Wandel wrote:
> I thought that a registry setting had to be set to enable this ECP.
>
> Bill Wandel
>
--
Christian [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
Yeah, IIRC you need to set
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\enableecp = 1
(or maybe enableecps ?)
Bill Wandel
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Doug Nebeker
Sent: Wednesday, September 28, 2011 8:57 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] File Access
Do you know what the registry setting is? I tried getting this to work
about a year ago and finally gave up because I never saw the
SRV_OPEN_ECP_CONTEXT passed in.
Thanks
Doug