Capturing UNC pathname from the server

Jimmy_James · June 1, 2016, 5:08pm

All,
We are developing a file system mini-filter for monitoring the file
activity on a server. The filter is targeted for Server 2008 and beyond.
One of the things that we want to do is to capture the full UNC pathname
that the user entered on the client side. Is there a way to do this in a
file system filter driver or do we need to filter CIFS?

Thanks In Advance. Any help would be greatly appreciated.

Peter_Scott · June 1, 2016, 6:32pm

You’re asking if a filter on the server can know the UNC path name
entered on the client to access the share on the server?

In short, no. You would need to have something on the client to know
this. The share could be mapped in any number of ways to the server. The
server knows the credentials of the client, the path accessed, etc. But
not the UNC path name entered on the client. Of course you could guess
since you know how you are sharing the path to the client but that would
be about it.

Pete

–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “JIm james”
To: “Windows File Systems Devs Interest List”
Sent: 6/1/2016 3:07:54 PM
Subject: [ntfsd] Capturing UNC pathname from the server

>All,
>We are developing a file system mini-filter for monitoring the file
>activity on a server. The filter is targeted for Server 2008 and
>beyond. One of the things that we want to do is to capture the full UNC
>pathname that the user entered on the client side. Is there a way to do
>this in a file system filter driver or do we need to filter CIFS?
>
>Thanks In Advance. Any help would be greatly appreciated.
>— NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
>WDF, Windows internals and software drivers! Details at To unsubscribe,
>visit the List Server section of OSR Online at

Jimmy_James · June 1, 2016, 6:48pm

Thanks Pete - that is what I’m asking - and I was afraid that would be the
answer.
I know this information comes in through the CIFS network provider. Is it
possible to develop a network filter to capture this data?

On Wed, Jun 1, 2016 at 4:31 PM, PScott wrote:

> You’re asking if a filter on the server can know the UNC path name entered
> on the client to access the share on the server?
>
> In short, no. You would need to have something on the client to know this.
> The share could be mapped in any number of ways to the server. The server
> knows the credentials of the client, the path accessed, etc. But not the
> UNC path name entered on the client. Of course you could guess since you
> know how you are sharing the path to the client but that would be about it.
>
> Pete
>
> –
> Kernel Drivers
> Windows File System and Device Driver Consulting
> www.KernelDrivers.com http:</http:>
> 866.263.9295
>
>
>
> ------ Original Message ------
> From: “JIm james”
> To: “Windows File Systems Devs Interest List”
> Sent: 6/1/2016 3:07:54 PM
> Subject: [ntfsd] Capturing UNC pathname from the server
>
>
> All,
> We are developing a file system mini-filter for monitoring the file
> activity on a server. The filter is targeted for Server 2008 and beyond.
> One of the things that we want to do is to capture the full UNC pathname
> that the user entered on the client side. Is there a way to do this in a
> file system filter driver or do we need to filter CIFS?
>
> Thanks In Advance. Any help would be greatly appreciated.
> — NTFSD is sponsored by OSR MONTHLY seminars on crash dump analysis,
> WDF, Windows internals and software drivers! Details at To unsubscribe,
> visit the List Server section of OSR Online at
>
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
></http:>