Get the name of the user writing to a file

Zorba_Kov · November 23, 2007, 5:58am

Hello!

Is it possible to get the name of the user that is writing to a file within a filter driver?

Thanks in advance!

rod_widdowson · November 23, 2007, 6:20am

> Is it possible to get the name of the user that is writing to a file

within a filter driver?

Get the SID, pass it up to usermode and let UM worry about the rest.

http://www.osronline.com/article.cfm?id=50

Zorba_Kov · November 23, 2007, 6:27am

Is it possible to get the SID when catching the Write IRP?

Ayush_Gupta-2 · November 23, 2007, 6:31am

>Is it possible to get the name of the user that is writing to a file within a filter driver?

Get a token from the requesting thread and query it. (ZwOpenThreadTokenEx, ZwQueryInformationToken & ZwQueryInformationToken)
You will get the User SID in pTokenInfo->TokenUser.User.
Then you have to map it back to the user name.

Note: User Names DO NOT exist in kernel space. It is a Win32 concept. For uniquely identifying a user, User SID is used in Kernel.

Regards,
Ayush Gupta

Ayush_Gupta-2 · November 23, 2007, 7:28am

>Is it possible to get the SID when catching the Write IRP?

Why not? Just call PsGetCurrentProcess or PsGetCurrentThread. Rather call IoGetRequestorProcess.
You have the pointer to the EPROCESS structure.
Then do as I explained in previous post.

Regards,
Ayush Gupta