Discovering user token for file access via network

Hello,

My filter driver intercepts IRP_MJ_CREATE requests and needs to retrieve the
user token for the user who tries to access the file. If I retrieve the token
for the current thread (or the current process, if the current thread has no
token), it seems to work well, but sometimes, in the case of network access, I
get the wrong token (usually SYSTEM).
I tried to use SeQuerySubjectContextToken, but in that case I always get the
same token - the currently logged-in local user, which is not correct for the
network case.

Now I'm looking for a reliable solution to the problem that will work on all
platforms starting from Win NT - to Win2k3.

Thanks,
Alex.


MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
http://join.msn.com/?page=features/virus

Once you’ve determined that it is a SYSTEM thread, you must see who they are
impersonating. Here’s the code I use:

NTSTATUS status;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
BOOLEAN EffectiveOnly, CopyOnOpen;
PTOKEN_SOURCE lpTokenSource = NULL;
PACCESS_TOKEN lpToken;

//
// Is this thread impersonating anyone?
//
lpToken = PsReferenceImpersonationToken( Irp->Tail.Overlay.Thread,
                                         &CopyOnOpen, &EffectiveOnly,
                                         &ImpersonationLevel );

if( lpToken != NULL )
{
    //
    // SeQueryInformationToken allocates the output buffer from paged pool;
    // the caller must free it with ExFreePool.
    //
    status = SeQueryInformationToken( lpToken, TokenSource,
                                      (PVOID*)&lpTokenSource );

    if( NT_SUCCESS( status ) )
    {
        // lpTokenSource is the real (network) user…

        ExFreePool( lpTokenSource );
    }

    PsDereferenceImpersonationToken( lpToken );
}

HTH,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alex Korthny
Sent: Sunday, September 19, 2004 2:50 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Discovering user token for file access via network

Hello,

My filter driver intercepts IRP_MJ_CREATE requests and need to retrieve user
token for user which tries to access file. If I retrieve token for current
thread( or current process, if current thread have no token ), it seems to
work well, but sometimes, in case of network access, I have wrong
token(usually SYSTEM ).
I tried to use SeQuerySubjectContextToken, but in the case I have always the
same token - currently logged in local user, which is not correct for
network case.

Now I’m looking for reliable solution for the problem that will work on all
platforms starting from Win NT - to Win2k3.

Thanks,
Alex.




Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Query the impersonation token, if no impersonation - query the current
token. This gives the correct results.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Alex Korthny”
To: “Windows File Systems Devs Interest List”
Sent: Sunday, September 19, 2004 10:49 AM
Subject: [ntfsd] Discovering user token for file access via network

> Hello,
>
> My filter driver intercepts IRP_MJ_CREATE requests and need to retrieve user
> token for user which tries to access file. If I retrieve token for current
> thread( or current process, if current thread have no token ), it seems to
> work well, but sometimes, in case of network access, I have wrong
> token(usually SYSTEM ).
> I tried to use SeQuerySubjectContextToken, but in the case I have always the
> same token - currently logged in local user, which is not correct for
> network case.
>
> Now I’m looking for reliable solution for the problem that will work on all
> platforms starting from Win NT - to Win2k3.
>
> Thanks,
> Alex.
>
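The two replies above describe one rule: take the impersonation token of the thread that issued the IRP when there is one (the SMB server's worker threads run as SYSTEM but impersonate the remote client), and fall back to the primary token of that thread's process otherwise. The following is an added example that puts both steps into one helper and shows how to read the requestor's SID from the result; it is not code from the thread, from Ken, or from Maxim. It assumes a WDK build against ntifs.h with the XP-and-later exports the thread discusses (PsReferenceImpersonationToken, PsReferencePrimaryToken, SeQueryInformationToken); the function names are invented for this illustration.

```c
#include <ntifs.h>

/*
 * Added example (not from the thread). Prefer the impersonation token of the
 * thread that issued the IRP; fall back to the primary token of its process.
 * On success *Token carries a reference the caller drops with
 * ObDereferenceObject. Function names are assumptions for this example.
 */
static NTSTATUS
ExampleReferenceRequestorToken(
    PIRP Irp,
    PACCESS_TOKEN *Token,
    BOOLEAN *IsImpersonating,
    SECURITY_IMPERSONATION_LEVEL *Level)
{
    PETHREAD thread = Irp->Tail.Overlay.Thread;
    BOOLEAN copyOnOpen, effectiveOnly;
    PACCESS_TOKEN token;

    *Token = NULL;
    *IsImpersonating = FALSE;
    *Level = SecurityAnonymous;

    if (thread == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    // A SYSTEM worker thread serving a network client impersonates that
    // client, so the impersonation token is the real requestor.
    token = PsReferenceImpersonationToken(thread, &copyOnOpen,
                                          &effectiveOnly, Level);
    if (token != NULL) {
        *IsImpersonating = TRUE;
        *Token = token;
        return STATUS_SUCCESS;
    }

    // No impersonation: the process's primary token identifies the caller.
    token = PsReferencePrimaryToken(IoThreadToProcess(thread));
    if (token == NULL) {
        return STATUS_NO_TOKEN;
    }
    *Token = token;
    return STATUS_SUCCESS;
}

/*
 * Example IRP_MJ_CREATE pre-processing: log the requestor's SID.
 * Must run at PASSIVE_LEVEL; SeQueryInformationToken allocates paged pool
 * that the caller frees with ExFreePool.
 */
static NTSTATUS
ExampleLogCreateRequestor(PIRP Irp)
{
    PACCESS_TOKEN token;
    BOOLEAN impersonating;
    SECURITY_IMPERSONATION_LEVEL level;
    PTOKEN_USER tokenUser = NULL;
    UNICODE_STRING sidString;
    NTSTATUS status;

    status = ExampleReferenceRequestorToken(Irp, &token, &impersonating, &level);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    // An impersonation token below SecurityImpersonation (e.g. identification
    // level) still tells you who the client is, but must not be used to act
    // on the client's behalf; an access decision should look at the level.
    status = SeQueryInformationToken(token, TokenUser, (PVOID *)&tokenUser);
    if (NT_SUCCESS(status)) {
        status = RtlConvertSidToUnicodeString(&sidString,
                                              tokenUser->User.Sid, TRUE);
        if (NT_SUCCESS(status)) {
            DbgPrint("IRP_MJ_CREATE by %wZ (%s token, level %d)\n",
                     &sidString,
                     impersonating ? "impersonation" : "primary",
                     (int)level);
            RtlFreeUnicodeString(&sidString);
        }
        ExFreePool(tokenUser);
    }

    ObDereferenceObject(token);
    return status;
}
```

Note that ntifs.h defines PsDereferenceImpersonationToken and PsDereferencePrimaryToken as wrappers around ObDereferenceObject, which is why the example releases both kinds of token the same way; the NT4 portability question raised later in the thread is not addressed by this code.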

Thank you for the advice,

Unfortunately, some of the functions that you suggest using are not supported
under Windows NT (namely SeQueryInformationToken and
PsDereferenceImpersonationToken).
The DDK documentation says that PsReferenceImpersonationToken is supported from
Windows XP and later, but closer investigation of ntoskrnl.exe with the Depends
tool shows that this function is exported in Windows NT too; but without
PsDereferenceImpersonationToken, it is not worth trying to call this function,
I think.

SeQueryInformationToken can be substituted with ZwQueryInformationToken, but
how can I retrieve the impersonation token for this function? With
ZwOpenThreadToken, setting the OpenAsSelf argument to FALSE?

Thanks,
Alex.

“Ken Cross” wrote in message news:xxxxx@ntfsd…
>Once you’ve determined that it is a SYSTEM thread, you must see who they
>are
>impersonating. Here’s the code I use:
>
>
>SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
>BOOLEAN EffectiveOnly, CopyOnOpen;
>PTOKEN_SOURCE lpTokenSource;
>PACCESS_TOKEN lpToken;
>
>//
>// Is this thread impersonating anyone?
>//
>lpToken = PsReferenceImpersonationToken( Irp->Tail.Overlay.Thread,
>&CopyOnOpen, &EffectiveOnly, &ImpersonationLevel );
>
>if( lpToken != NULL )
>{
> status = SeQueryInformationToken( lpToken, TokenSource, &lpTokenSource
>);
>
> // lpTokenSource is the real (network) user…
>
> PsDereferenceImpersonationToken(lpToken);
>}
>
>
>HTH,
>Ken
>
>
>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com] On Behalf Of Alex Korthny
>Sent: Sunday, September 19, 2004 2:50 AM
>To: Windows File Systems Devs Interest List
>Subject: [ntfsd] Discovering user token for file access via network
>
>Hello,
>
>My filter driver intercepts IRP_MJ_CREATE requests and need to retrieve user
>token for user which tries to access file. If I retrieve token for current
>thread( or current process, if current thread have no token ), it seems to
>work well, but sometimes, in case of network access, I have wrong
>token(usually SYSTEM ).
>I tried to use SeQuerySubjectContextToken, but in the case I have always the
>same token - currently logged in local user, which is not correct for
>network case.
>
>Now I’m looking for reliable solution for the problem that will work on all
>platforms starting from Win NT - to Win2k3.
>
>Thanks,
>Alex.