Detect SMB Server request!

Good day,
Is there a way to differentiate whether the read and write requests are
from the SMB server or from local apps?
For example, I share a dir in host A, and in host B I map the dir and read
files in that dir. My filter driver is running in host A; can I detect that the
requests are from remote access (i.e., from the SMB server running in host A), as I
don’t want to process those requests? Any information is greatly
appreciated.

Regards,
Sin-Lam

Sin-Lam:

The general approach here is heuristic-based:

  • In IRP_MJ_CREATE, check to see if you are running in a system thread that
    is impersonating; if you are, you are probably being called by SRV or one of
    the other kernel mode file servers (SFU or SFM). Note this fact with your
    per-file-object structure.

  • In IRP_MJ_READ/IRP_MJ_WRITE, look at your per-file-object structure and
    note if this call is coming in using one of those file objects.

I hope this helps.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Tan Sin Lam [mailto:xxxxx@lit.org.sg]
Sent: Wednesday, May 29, 2002 7:51 PM
To: File Systems Developers
Subject: [ntfsd] Detect SMB Server request!


In Windows XP and later there is a new API called IoIsFileOriginRemote(). This will tell you that the given file object was created to satisfy a remote request. The only caveat with this API is that it can only be used after the Create request has entirely completed.

Neal Christiansen
Microsoft File System Filter Group
This posting is provided “AS IS” with no warranties, and confers no rights.
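
The bookkeeping the two replies above describe, as an added example that is not code from either poster or from a real driver: a portable C model of the per-file-object mark, so it runs outside the kernel. All names here (`fo_ctx`, `on_create`, `on_create_completed`, `should_process_io`, `on_close`) are hypothetical, and the driver is assumed to supply the boolean inputs: the thread checks at IRP_MJ_CREATE and, on Windows XP and later, the IoIsFileOriginRemote() result once the create has completed.

```c
#include <stdbool.h>
#include <stddef.h>
#define MAX_TRACKED 64   /* table size for this model (assumption) */

/* Stand-in for the filter's per-file-object structure (hypothetical). */
typedef struct {
    const void *file_object;  /* key: FILE_OBJECT address, NULL = free slot */
    bool remote;              /* decided around create, read on every I/O */
} fo_ctx;
static fo_ctx table[MAX_TRACKED];

static fo_ctx *lookup(const void *fo) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (table[i].file_object == fo)
            return &table[i];
    return NULL;
}

/* IRP_MJ_CREATE: a system thread that is impersonating is probably a
 * kernel-mode file server acting for a remote client. */
bool on_create(const void *fo, bool system_thread, bool impersonating) {
    fo_ctx *c = lookup(NULL);          /* first free slot */
    if (c == NULL) return false;       /* table full: file stays untracked */
    c->file_object = fo;
    c->remote = system_thread && impersonating;
    return true;
}

/* After the create has completed: fold in the answer an origin query such
 * as IoIsFileOriginRemote() gives (OR-ing the two is an assumption). */
void on_create_completed(const void *fo, bool origin_remote) {
    fo_ctx *c = lookup(fo);
    if (c != NULL)
        c->remote = c->remote || origin_remote;
}

/* IRP_MJ_READ / IRP_MJ_WRITE: the current thread is not consulted, only the
 * mark made at create time. Untracked files count as local (assumption). */
bool should_process_io(const void *fo) {
    fo_ctx *c = lookup(fo);
    return c == NULL || !c->remote;
}

/* IRP_MJ_CLOSE: free the slot so a reused address is not seen as remote. */
void on_close(const void *fo) {
    fo_ctx *c = lookup(fo);
    if (c != NULL) c->file_object = NULL;
}
```
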

-----Original Message-----
From: Tony Mason [mailto:xxxxx@osr.com]
Sent: Wednesday, May 29, 2002 07:41 PM
To: File Systems Developers
Subject: [ntfsd] RE: Detect SMB Server request!
