How to get user name in file system filter driver

OSR_Community_User Member Posts: 110,217
Dear Tony and Everyone!
Could you help me with the next issue?
Using the IoGetRequestorProcess(Irp) function in my filter driver I can get
the process that originates the file system request.
Is it possible to retrieve the user name under whose account this process
runs at the moment when the "Create" request is intercepted by my filter driver?
Mikhail

Comments

  • OSR_Community_User Member Posts: 110,217
    You can get the SID at kernel level and then pass this data to
    a user mode application. Having the SID you can get the name
    from user mode by means of LookupAccountSid function.

    To get the SID in kernel mode use ZwQueryInformationToken.
    Depending on your thread being impersonated or not you
    can use ZwOpenThreadToken or ZwOpenProcessToken to
    get a valid handle for use in ZwQueryInformationToken.

    Inaki.

    > -----Original Message-----
    > From: Mikhail Paley
    > Sent: Monday, March 6, 2000 19:44
    > To: File Systems Developers Interest List
    > Subject: [ntfsd] How to get user name in file system filter driver
    >
    > Dear Tony and Everyone!
    > Could you help me with the next issue?
    > Using the IoGetRequestorProcess(Irp) function in my filter driver I can get
    > the process that originates the file system request.
    > Is it possible to retrieve the user name under whose account this process
    > runs at the moment when the "Create" request is intercepted by my filter
    > driver?
    > Mikhail
  • OSR_Community_User Member Posts: 110,217
    Yes; you do this by obtaining the security ID (SID) of the caller at the
    time the IRP_MJ_CREATE is issued. Then, you should use a user mode service
    to convert the SID to any other form (like the usual "domain\user"
    mechanism.)

    As I recall, I have an example of this in the OSR file systems class. Let
    me know if you can't find it and I'll dig it up.

    Regards,

    Tony

    Tony Mason
    Consulting Partner
    OSR Open Systems Resources, Inc.
    http://www.osr.com

    -----Original Message-----
    From: Mikhail Paley
    Sent: Monday, March 06, 2000 1:44 PM
    To: Tony Mason; File Systems Developers Interest List
    Subject: How to get user name in file system filter driver


    Dear Tony and Everyone!
    Could you help me with the next issue?
    Using the IoGetRequestorProcess(Irp) function in my filter driver I can get
    the process that originates the file system request.
    Is it possible to retrieve the user name under whose account this process
    runs at the moment when the "Create" request is intercepted by my filter driver?
    Mikhail
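
Both replies hand the SID from the driver to a user-mode service. The following is an added example, not code from the posters or from OSR: a portable C check that such a service could run on the raw SID bytes before passing them to LookupAccountSid. The function name `sid_to_string` and the two sample SIDs are constructed for illustration, and it assumes the driver sends the SID in its standard binary layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: S-1-5-18 and S-1-5-21-1-2-3-1001 in binary SID layout. */
static const uint8_t SAMPLE_SYSTEM_SID[] = {1, 1, 0,0,0,0,0,5, 18,0,0,0};
static const uint8_t SAMPLE_USER_SID[] = {1, 5, 0,0,0,0,0,5,
    21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 0xE9,0x03,0,0};

/* Validate a raw SID received from the driver and render it as "S-1-...".
 * Layout: revision (1 byte), sub-authority count (1 byte), identifier
 * authority (6 bytes, big-endian), then count * 4-byte little-endian values.
 * Returns the string length, or -1 if the blob is malformed or out is small. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (sid == NULL || out == NULL || len < 8)
        return -1;                              /* fixed header is 8 bytes */
    uint8_t revision = sid[0], count = sid[1];
    if (revision != 1 || count > 15)            /* SID_REVISION, max 15 subs */
        return -1;
    if (len != 8 + 4 * (size_t)count)
        return -1;                              /* truncated or trailing data */

    uint64_t authority = 0;
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | sid[2 + i];

    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)revision,
                     (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t used = (size_t)n;
    for (uint8_t i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + 4 * (size_t)i;
        uint32_t sub = p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
        n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)sub);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

int main(void)
{
    char buf[64];
    if (sid_to_string(SAMPLE_USER_SID, sizeof SAMPLE_USER_SID, buf, sizeof buf) > 0)
        puts(buf);
    return 0;
}
```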