File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than a
few IRP_MJ_CREATE packets are sent. Is there a way to distinguish among
them so that I could log a different message based upon the action taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a
few IRP_MJ_CREATE packets are sent. Is there a way to distinguish among
them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

You are currently subscribed to ntfsd as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

PsSetCreateProcessNotifyRoutine is not that usefull since there is no file
name available in its interface. You may use PsSetLoadImageNotifyRoutine
instead (remember though that there could be no more than 8 such
callbacks). But in any case I would doubt that you can tell what Create
IRP is for the executable’s image.

Vladimir

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]=20
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a
few IRP_MJ_CREATE packets are sent. Is there a way to distinguish among
them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

---

You are currently subscribed to ntfsd as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

What we’re trying to do is to proto a driver that will provide some
level of application authentication. The method of authentication is TBD
but in the early stages I’d like to determine when an application is
starting, being copied, …

Thanks,

Chuck

-----Original Message-----
From: J.R. Tipton [mailto:xxxxx@winse.microsoft.com]
Sent: Monday, January 06, 2003 6:14 PM
To: File Systems Developers; Monarch, Chuck
Subject: RE: [ntfsd] File Creation Revisited

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a few IRP_MJ_CREATE packets are sent. Is there a way to distinguish
among them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

This list has a very long history of people trying to do ‘application
authentication’. It’s fundamentally not something that the NT kernel
supports. An ‘application’ is just some sections containing executable
code. Normally, one is derived from a PE with a .EXE in the end, and
others from PE’s with .DLL (or .SYS or .CPL or …) on the end. But that
normal pattern isn’t imposed by the system. An application isn’t a
‘thing’ to the system.

If you need to have a handshake between some piece of code in the kernel
and some particular piece of code outside the kernel, I think that you
are on the road to cryptography. The ‘outside’ code is going to have to
pass in some sort of unfakable token that the inside code can examine.
Good luck in preventing some other party from capturing an image of the
token …

-----Original Message-----
From: Monarch, Chuck [mailto:Chuck.Monarch@hp.com]
Sent: Tuesday, January 07, 2003 10:14 AM
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

What we’re trying to do is to proto a driver that will provide some
level of application authentication. The method of authentication is TBD
but in the early stages I’d like to determine when an application is
starting, being copied, …

Thanks,

Chuck

-----Original Message-----
From: J.R. Tipton [mailto:xxxxx@winse.microsoft.com]
Sent: Monday, January 06, 2003 6:14 PM
To: File Systems Developers; Monarch, Chuck
Subject: RE: [ntfsd] File Creation Revisited

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a few IRP_MJ_CREATE packets are sent. Is there a way to distinguish
among them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

You are currently subscribed to ntfsd as: xxxxx@basistech.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

Felix?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Monarch, Chuck
Sent: Tuesday, January 07, 2003 7:14 AM
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

What we’re trying to do is to proto a driver that will provide some
level of application authentication. The method of authentication is TBD
but in the early stages I’d like to determine when an application is
starting, being copied, …

Thanks,

Chuck

-----Original Message-----
From: J.R. Tipton [mailto:xxxxx@winse.microsoft.com]
Sent: Monday, January 06, 2003 6:14 PM
To: File Systems Developers; Monarch, Chuck
Subject: RE: [ntfsd] File Creation Revisited

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a few IRP_MJ_CREATE packets are sent. Is there a way to distinguish
among them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

It can be done. It has been done. I have discussed this with Chuck
off-line so to not bore this list to death.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Benson Margulies
Sent: Tuesday, January 07, 2003 7:55 AM
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

This list has a very long history of people trying to do ‘application
authentication’. It’s fundamentally not something that the NT kernel
supports. An ‘application’ is just some sections containing executable
code. Normally, one is derived from a PE with a .EXE in the end, and
others from PE’s with .DLL (or .SYS or .CPL or …) on the end. But that
normal pattern isn’t imposed by the system. An application isn’t a
‘thing’ to the system.

If you need to have a handshake between some piece of code in the kernel
and some particular piece of code outside the kernel, I think that you
are on the road to cryptography. The ‘outside’ code is going to have to
pass in some sort of unfakable token that the inside code can examine.
Good luck in preventing some other party from capturing an image of the
token …

-----Original Message-----
From: Monarch, Chuck [mailto:Chuck.Monarch@hp.com]
Sent: Tuesday, January 07, 2003 10:14 AM
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

What we’re trying to do is to proto a driver that will provide some
level of application authentication. The method of authentication is TBD
but in the early stages I’d like to determine when an application is
starting, being copied, …

Thanks,

Chuck

-----Original Message-----
From: J.R. Tipton [mailto:xxxxx@winse.microsoft.com]
Sent: Monday, January 06, 2003 6:14 PM
To: File Systems Developers; Monarch, Chuck
Subject: RE: [ntfsd] File Creation Revisited

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a few IRP_MJ_CREATE packets are sent. Is there a way to distinguish
among them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

You are currently subscribed to ntfsd as: xxxxx@basistech.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

We’re working in order to implement something similar to the solution that
Chuck has described but we’re focused on using NtAPI instead of developing a
file system filter driver. At this moment, we are filtering successfuly
several operations (printing, using clipboard, reading and writting to files
and so on) but at this moment we have the following problem: how can I
obtain the complete path of an executable when a new process is created (in
order to calculate an MD5 hash). We have been testing
PsSetCreateProcessNotifyRoutine but we don’t find any way in order to obtain
there the path of the executable and calculate the hash. In the other hand
we intercept NtOpenFile in a very early stage of the process creation. At
this point, we can calculate the file hash but the system hasn’t assign a
PID yet.

Any ideas?

Best regards,

Jose Vicente.

-----Mensaje original-----
De: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]En nombre de Jamey Kirby
Enviado el: martes, 07 de enero de 2003 20:17
Para: File Systems Developers
Asunto: [ntfsd] RE: File Creation Revisited

It can be done. It has been done. I have discussed this with Chuck
off-line so to not bore this list to death.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Benson Margulies
Sent: Tuesday, January 07, 2003 7:55 AM
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

This list has a very long history of people trying to do ‘application
authentication’. It’s fundamentally not something that the NT kernel
supports. An ‘application’ is just some sections containing executable
code. Normally, one is derived from a PE with a .EXE in the end, and
others from PE’s with .DLL (or .SYS or .CPL or …) on the end. But that
normal pattern isn’t imposed by the system. An application isn’t a
‘thing’ to the system.

If you need to have a handshake between some piece of code in the kernel
and some particular piece of code outside the kernel, I think that you
are on the road to cryptography. The ‘outside’ code is going to have to
pass in some sort of unfakable token that the inside code can examine.
Good luck in preventing some other party from capturing an image of the
token …

-----Original Message-----
From: Monarch, Chuck [mailto:Chuck.Monarch@hp.com]
Sent: Tuesday, January 07, 2003 10:14 AM
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

What we’re trying to do is to proto a driver that will provide some
level of application authentication. The method of authentication is TBD
but in the early stages I’d like to determine when an application is
starting, being copied, …

Thanks,

Chuck

-----Original Message-----
From: J.R. Tipton [mailto:xxxxx@winse.microsoft.com]
Sent: Monday, January 06, 2003 6:14 PM
To: File Systems Developers; Monarch, Chuck
Subject: RE: [ntfsd] File Creation Revisited

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a few IRP_MJ_CREATE packets are sent. Is there a way to distinguish
among them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

You are currently subscribed to ntfsd as: xxxxx@basistech.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@secuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi, Jamey!

Still busy as a hive of bees? I sure am …

I see you already talked this over with Chuck. I considered doing the
same, but you got there first. The copying part is a bitch, of course;
unless he just wants to catch name changes in which examining the file’s
contents would serve.

Cheers,
Felix.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jamey Kirby
Sent: Tuesday, 7 January 2003 20:15
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

Felix?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Monarch, Chuck
Sent: Tuesday, January 07, 2003 7:14 AM
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

What we’re trying to do is to proto a driver that will provide some
level of application authentication. The method of authentication is TBD
but in the early stages I’d like to determine when an application is
starting, being copied, …

Thanks,

Chuck

-----Original Message-----
From: J.R. Tipton [mailto:xxxxx@winse.microsoft.com]
Sent: Monday, January 06, 2003 6:14 PM
To: File Systems Developers; Monarch, Chuck
Subject: RE: [ntfsd] File Creation Revisited

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a few IRP_MJ_CREATE packets are sent. Is there a way to distinguish
among them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@mvps.org
To unsubscribe send a blank email to xxxxx@lists.osr.com

I’m sorry to interrupt you, but I think this is not the the place for kind
of personal conversation. The problem discussed is an interesting one.
Perhaps it is boring but I think it’s not as boring as for example
discussion of what is better C or C++. There are people on this list who do
not ask questions but read for answers other people get to their questions.
Please, do not ignore them.

If you don’t mind, Jamey or Felix, could you tell any of your thoughts on
the subject to the public?

----- Original Message -----
From: “Felix Kasza”
To: “File Systems Developers”
Sent: Tuesday, January 07, 2003 11:01 PM
Subject: [ntfsd] RE: File Creation Revisited

Hi, Jamey!

Still busy as a hive of bees? I sure am …

I see you already talked this over with Chuck. I considered doing the
same, but you got there first. The copying part is a bitch, of course;
unless he just wants to catch name changes in which examining the file’s
contents would serve.

Cheers,
Felix.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jamey Kirby
Sent: Tuesday, 7 January 2003 20:15
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

Felix?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Monarch, Chuck
Sent: Tuesday, January 07, 2003 7:14 AM
To: File Systems Developers
Subject: [ntfsd] RE: File Creation Revisited

What we’re trying to do is to proto a driver that will provide some
level of application authentication. The method of authentication is TBD
but in the early stages I’d like to determine when an application is
starting, being copied, …

Thanks,

Chuck

-----Original Message-----
From: J.R. Tipton [mailto:xxxxx@winse.microsoft.com]
Sent: Monday, January 06, 2003 6:14 PM
To: File Systems Developers; Monarch, Chuck
Subject: RE: [ntfsd] File Creation Revisited

What is it, exactly, that you want to do here? If you just want a
driver to be notified whenever a process is created, the Ps API does the
right thing (see PsSetCreateProcessNotifyRoutine in the DDK).

Trying to find out when processes are being started by peeking into what
the file systems are doing is a hard thing to do since file systems
don’t exactly know what the clients are doing with the data – the image
could be opened because someone is backing it up, compressing it,
deleting it, getting attribute information, etc.

JR Tipton

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: chuck m [mailto:chuck.monarch@hp.com]
Sent: Monday, January 06, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] File Creation Revisited

I know this topic was touched upon a couple of weeks ago but I’d like to
pose the question in a different way. When starting a process, more than
a few IRP_MJ_CREATE packets are sent. Is there a way to distinguish
among them so that I could log a different message based upon the action
taken?
Example: The user executes a file say MYFILE.EXE. Quite a few (typically
10+) IRP_MJ_CREATE messages are sent. Could I distinguish among them
enough to log the fact that MYFILE.EXE was launched and do this one and
only one time? Also if the user attempts to copy this file from its
location to another, is there a way to ferret this out and log that
information?

Thanks,

Chuck

—
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@mvps.org
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
You are currently subscribed to ntfsd as: xxxxx@vba.com.by
To unsubscribe send a blank email to xxxxx@lists.osr.com