Detecting file ownership change

All,
We are developing an IFS mini-filter driver that is used for detecting file
activity. Does anyone know of a method for detecting ownership change? The
activity that we’re trying to detect is when the user does the following:

Right-click the file and select Properties.
Select the “Security” tab.
Click the “Advanced” button.
Click the “Change” button on the ownership line.
Enter the name of the new owner in the dialog box.

Thanks in advance.

While I can suggest what I expect (that you’ll see an IRP_MJ_SET_SECURITY on it), I’m curious if you looked. In other words, did you use a file monitoring mechanism (e.g., Procmon or FileSpy) while taking that action?

The owner is in the Security Descriptor, which is why I’d expect to see it there. But setting the owner is also a privileged operation, so I’d expect it to be rare.

Tony
OSR

IRP_MJ_SET_SECURITY
https://msdn.microsoft.com/en-us/library/windows/hardware/ff549407(v=vs.85).aspx
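As an added illustration of Tony's point (owner lives in the security descriptor, so IRP_MJ_SET_SECURITY is where to look), here is portable decoding logic a minifilter's SET_SECURITY pre-operation callback could call on `Parameters.SetSecurity.SecurityInformation` and the self-relative descriptor it carries. This is example code written for this thread, not the poster's driver; the struct layouts mirror winnt.h, the sample descriptor is constructed, and a little-endian host is assumed.

```c
/* Added example: decode what an IRP_MJ_SET_SECURITY request changes.
 * In a minifilter the inputs come from Data->Iopb->Parameters.SetSecurity;
 * here both the mask and the descriptor are constructed inline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OWNER_SECURITY_INFORMATION 0x00000001u  /* same value as winnt.h */
#define SE_SELF_RELATIVE           0x8000u

/* Self-relative SECURITY_DESCRIPTOR header (mirrors the Windows layout). */
typedef struct {
    uint8_t  Revision, Sbz1;
    uint16_t Control;
    uint32_t Owner, Group, Sacl, Dacl;  /* byte offsets from SD start, 0 = absent */
} SdRel;

/* Does this SET_SECURITY request touch the owner field at all? */
int sets_owner(uint32_t securityInformation) {
    return (securityInformation & OWNER_SECURITY_INFORMATION) != 0;
}

/* Render the owner SID of a self-relative SD as "S-1-5-..."; returns 0 on
 * malformed input (no owner, wrong control bits, offsets past the buffer). */
int owner_sid_string(const uint8_t *sd, size_t len, char *out, size_t outlen) {
    SdRel h;
    if (len < sizeof h) return 0;
    memcpy(&h, sd, sizeof h);                 /* little-endian host assumed */
    if (h.Revision != 1 || !(h.Control & SE_SELF_RELATIVE) || h.Owner == 0) return 0;
    if (h.Owner + 8 > len) return 0;          /* SID header is 8 bytes */
    const uint8_t *sid = sd + h.Owner;
    unsigned rev = sid[0], n = sid[1];        /* n = SubAuthorityCount, max 15 */
    if (rev != 1 || n > 15 || h.Owner + 8 + 4u * n > len) return 0;
    uint64_t auth = 0;                        /* 48-bit big-endian IdentifierAuthority */
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];
    int w = snprintf(out, outlen, "S-%u-%llu", rev, (unsigned long long)auth);
    for (unsigned i = 0; i < n && w > 0 && (size_t)w < outlen; i++) {
        uint32_t sub; memcpy(&sub, sid + 8 + 4 * i, 4);  /* little-endian sub-authority */
        w += snprintf(out + w, outlen - w, "-%u", sub);
    }
    return w > 0 && (size_t)w < outlen;
}

/* Constructed sample: self-relative SD whose owner is BUILTIN\Administrators (S-1-5-32-544). */
static const uint8_t SAMPLE_SD[] = {
    1, 0, 0x00, 0x80,                     /* Revision, Sbz1, Control = SE_SELF_RELATIVE */
    20, 0, 0, 0,                          /* Owner offset = 20 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0, /* Group, Sacl, Dacl absent */
    1, 2, 0, 0, 0, 0, 0, 5,               /* SID rev 1, 2 sub-authorities, authority 5 */
    32, 0, 0, 0,  0x20, 0x02, 0, 0        /* sub-authorities 32, 544 */
};
```

The length checks matter because the descriptor arrives from the caller's buffer; a kernel callback must never trust the embedded offsets without bounding them against the buffer it was handed.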

Thanks for your reply Tony.
We’re monitoring IRP_MJ_SET_SECURITY with our IFS. We monitor that entry
point for other purposes so we know it works. I was very surprised to see
that changing ownership of a file does *not* invoke IRP_MJ_SET_SECURITY. I
thought for sure it would …

On Sat, Jun 18, 2016 at 1:56 PM, Tony Mason wrote:
