Hello,
I have a minifilter driver which is attached to lanmanredirector, and I am facing the following issue while copying a file on a N/W share:
- I am copying a file on a network share.
- While copying, in PreCleanupCallback() I save the current thread context using the following API:
SECURITY_QUALITY_OF_SERVICE sqos;
sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
sqos.ImpersonationLevel = SecurityDelegation;
sqos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
sqos.EffectiveOnly = FALSE;
SECURITY_CLIENT_CONTEXT scc;
SeCreateClientSecurity( PsGetCurrentThread(), &sqos, FALSE, &scc );
- Then in my PreCleanupCallback() logic, the driver gives a synchronous callback to a user mode application executing in system context.
- When the application in system context tries to open the same file for read, I impersonate the thread in PreCreateCallback().
- When this original IRP is passed down, it fails with STATUS_ACCESS_DENIED in my PostCreateCallback().
Any pointer which can help me identify why I am getting this error will be helpful.
Thanks,
Bishnu
Networking isn’t my strong point so I might be missing something here, but
could you please explain why you assume that the thread on which
IRP_MJ_CLEANUP is sent has privileges on the network server? Is this
guaranteed to be the case by any documentation?
My recommendation would be to capture the security context on the
IRP_MJ_CREATE for that file (and not from the thread but from the
parameters, see "FLT_PARAMETERS for IRP_MJ_CREATE Union" currently at
http://msdn.microsoft.com/en-us/library/ff544687(v=vs.85).aspx), store it
in some context (reference, copy or whatever) and then in preCleanup you’d
pick it up from the context and use it to issue your create.
Thanks,
Alex.
My user mode test application is a single-threaded application, so Create and Close are happening on the same thread.
I also tried your suggestion but the result is the same; I am still getting the same STATUS_ACCESS_DENIED error.
Thanks,
Bishnu
What OS? If this is Vista or Win7 you most likely have to run your application at an elevated privilege.
Gary G. Little
----- Original Message -----
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, March 22, 2011 11:14:41 AM
Subject: [ntfsd] Access Denied while access a Network File in an impersonated user context
—
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
My OS is Win XP, and my application is running under System user context.
If the application is running in local admin context then there is no issue.
But I want to run it under system user context because of my requirement.
So do a right-click and select “Run as …”, or use “Runas” from a command line.
Gary G. Little
----- Original Message -----
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, March 23, 2011 9:59:39 AM
Subject: RE:[ntfsd] Access Denied while access a Network File in an impersonated user context
I am a bit confused…
there are two applications we are talking about here.
App1 is the one who performs the copy
App2 is the scanner app which your driver invokes to do the scanning
heuristic.
Which one is running under Local admin and which one is under system
context?
thanks
AB
–
- amitr0
You are right.
There are two applications: one which is copying the file, let’s say that is explorer, and another is my Test application. Here explorer is running in local admin context while my test application is running in System user context.
~ Bishnu
Alright, let’s see if I have got this correctly…
Explorer (local admin context) sends a cleanup call to a remote file. Your
filter intercepts this and hijacks the security context of this cleanup
thread, and then sends a request to *YOUR* own app (let’s call it YourApp).
YourApp is running in System user context. YourApp is *single* threaded.
YourApp then sends a Create request on the remote file Explorer was trying
to Close (cleanup IRP); in this new create request YourApp uses the
*hijacked security context* from Explorer’s original Cleanup thread.
This new create request succeeds. YourApp can perform its heuristics on the
file. However, when you let the original IRP_MJ_CLEANUP go down the stack
(was it stalled till the heuristic completed?), it comes back with an Access
Denied.
As an experiment, have you tried doing this from user land completely?
Please make sure there too the two apps are running as they are now. Local
admin and system.
One other thing is the initial open where the security context is
acquired - if that open does not have read access, your security context
*won’t* be good to open for read.
amit
On Thu, Mar 24, 2011 at 10:05 AM, wrote:
> You are right.
> There are two applications: one which is copying the file, let’s say that is
> explorer, and another is my Test application. Here explorer is running in
> local admin context while my test application is running in System user
> context.
>
> ~ Bishnu
–
- amitr0