How to get SID of Remote User accessing the Shared files

Hi All,

I have a Shared folder on my machine. If some remote user [who has access to shared folder] opens the shared file, I get the calls for this file in the context of System User.

I have used ZwOpenProcessTokenEx & ZwQueryInformationToken in IRP_MJ_CREATE to get SID, but it returns SID of system process & not that of the remote user who is accessing this file.

What should be done to get SID of the remote user who is accessing my shared files?

Thanks
Mahesh

I am not sure how it works for a remote drive, but did you try to inspect IrpSp->Parameters.Create.SecurityContext->AccessState.SubjectSecurityContext? First inspect in the debugger that ClientToken or PrimaryToken are not NULL; then you can use the SeXXX funcs below.

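/* AccessState is a pointer (PACCESS_STATE), so it is dereferenced with -> */
pSubjectSecurityContext = &IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext;
SeLockSubjectContext(pSubjectSecurityContext);
/* Yields ClientToken when the thread is impersonating, otherwise PrimaryToken */
ClientToken = SeQuerySubjectContextToken(pSubjectSecurityContext);
SeQueryInformationToken(ClientToken, TokenUser,…);
SeUnlockSubjectContext(pSubjectSecurityContext);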

-bg

Use Parameters.Create.SecurityContext->ClientToken if it is not NULL


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Hi all,

Thanks Bronislav & Maxim for your inputs.

Using ClientToken [if it is not NULL] I got the SID of remote user who is accessing the shared file.

Thanks
Mahesh
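
The approach from the replies above, as an added example (not code from any poster in this thread): read the subject security context attached to the create request rather than the current process token, and report whether the user came from an impersonation (client) token. `GetCreateRequestorUser` is a hypothetical helper; outside a WDK `/kernel` build the `#else` branch supplies constructed stand-ins that only model token selection, so the logic can be exercised in user mode.

```c
#ifdef _KERNEL_MODE                 /* WDK build: the real routines */
#include <ntifs.h>
#else                               /* constructed user-mode stand-ins (assumption) */
#include <stdlib.h>
typedef int NTSTATUS;
typedef void *PVOID, *PSID, *PACCESS_TOKEN;
#define STATUS_SUCCESS 0
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define TokenUser 1
typedef struct { PACCESS_TOKEN ClientToken, PrimaryToken; } SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT;
typedef struct { SECURITY_SUBJECT_CONTEXT SubjectSecurityContext; } ACCESS_STATE;
typedef struct { ACCESS_STATE *AccessState; } IO_SECURITY_CONTEXT, *PIO_SECURITY_CONTEXT;
typedef struct { struct { PSID Sid; } User; } TOKEN_USER, *PTOKEN_USER;
#define SeLockSubjectContext(c)   ((void)(c))
#define SeUnlockSubjectContext(c) ((void)(c))
/* Same selection rule as the real macro: client token if present, else primary. */
#define SeQuerySubjectContextToken(c) ((c)->ClientToken ? (c)->ClientToken : (c)->PrimaryToken)
static NTSTATUS SeQueryInformationToken(PACCESS_TOKEN t, int cls, PVOID *out)
{   /* model only: a "token" here is just a pointer to its user's SID string */
    PTOKEN_USER u = malloc(sizeof *u);
    if (u == NULL) return (NTSTATUS)0xC000009A; /* STATUS_INSUFFICIENT_RESOURCES */
    (void)cls; u->User.Sid = t; *out = u;
    return STATUS_SUCCESS;
}
#define ExFreePool(p) free(p)
#endif

/* Hypothetical helper for an IRP_MJ_CREATE handler. On success *User holds the
   TOKEN_USER of the effective caller (free it with ExFreePool) and *Impersonated
   says whether it came from a ClientToken rather than the PrimaryToken. */
NTSTATUS GetCreateRequestorUser(PIO_SECURITY_CONTEXT SecurityContext,
                                PTOKEN_USER *User, int *Impersonated)
{
    PSECURITY_SUBJECT_CONTEXT subj;
    NTSTATUS status;
    *User = NULL; *Impersonated = 0;
    if (SecurityContext == NULL || SecurityContext->AccessState == NULL)
        return STATUS_INVALID_PARAMETER;
    subj = &SecurityContext->AccessState->SubjectSecurityContext;
    SeLockSubjectContext(subj);     /* hold the context while the token is read */
    *Impersonated = (subj->ClientToken != NULL);
    status = SeQueryInformationToken(SeQuerySubjectContextToken(subj),
                                     TokenUser, (PVOID *)User);
    SeUnlockSubjectContext(subj);
    return status;
}
```

When `*Impersonated` is 0 for a request that arrived over the share, the SID returned is that of the serving process (System), which is the result the original question describes.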


Hey Mahesh_Dhannawat, can you please tell how you get the SID of remote users accessing the file? I am doing the same thing but only getting local system user SID.

@jay96612 You’re asking… just in case the guy is around, 13 years later? Well, that certainly makes sense.

Not.

Do. Not. Necropost.

Peter