Getting IP address of user requesting file

I’m trying to write a simple spy-like minifilter that records the IP address of a user looking at a file. I think I remember reading that this can’t be done, but that’s never stopped me from trying before :)

I know in the IRP_MJ_CREATE we can get to the SID of the calling user via the ACCESS_STATE member. And SeQueryInformationToken can query for TokenSource type to get a hint of the source (“Session Manager”, “LAN Manager”, “RPC Server”). That’s a hint, but not really what I’m after.

I’ve searched and haven’t found any sort of call that would give a calling context (other than process/thread/SID) which might be why it’s impossible. My assumption is that the only way this is possible at all would be to have a file system driver and some sort of network filter driver. The network filter driver would somehow store information about requests coming in (maybe by SID and threadID???) that the file system driver could use to lookup other info the network filter has recorded. Yuck! Is that the only way?

I’m interested in any opinions.

Thanks
Doug

> I know in the IRP_MJ_CREATE we can get to the SID of the calling user via the
> ACCESS_STATE member. And SeQueryInformationToken can query for TokenSource type
> to get a hint of the source (“Session Manager”, “LAN Manager”, “RPC Server”).

You can probably get the machine hostname from the user token in a peer-to-peer authentication environment, but what if the user is logged into a domain, which is the more common model?

If you want some generic approach to cover servers other than SMB (I mean IIS, Apache) I think it is not possible. I can imagine some very proprietary solution for SMB: a TDI filter cooperating with a mini-filter.

-bg
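For the SMB-only case bg describes, the correlation the TDI filter and mini-filter pair would have to rebuild (which client session holds which file open) is something the SMB server itself keeps, and on Windows 8 / Server 2012 and later it can be read from user mode. The script below is an added example, not code from this thread or from either poster; it joins the real `Get-SmbOpenFile` and `Get-SmbSession` cmdlets on their shared `SessionId`. The function name `Get-SmbFileClient`, the `$PathPrefix` default and the output column names are this example’s own choices. It needs the SmbShare module and an elevated prompt on the file server.

```powershell
# Added example (not from the thread): map files currently open over SMB to the
# client session that holds them. Get-SmbOpenFile and Get-SmbSession are real
# SmbShare cmdlets; the helper name, the path filter and the output columns are
# this example's own assumptions.
function Get-SmbFileClient {
    [CmdletBinding()]
    param(
        # Report only opens whose server-side path starts with this prefix
        # (hypothetical default; point it at the share being watched).
        [string]$PathPrefix = 'C:\Shares\'
    )

    # SessionId is the join key between the open-file view and the session view.
    $sessions = @{}
    foreach ($s in Get-SmbSession) {
        $sessions[$s.SessionId] = $s
    }

    foreach ($f in Get-SmbOpenFile) {
        if (-not $f.Path.StartsWith($PathPrefix,
                [System.StringComparison]::OrdinalIgnoreCase)) {
            continue
        }
        $s = $sessions[$f.SessionId]
        [pscustomobject]@{
            Path          = $f.Path
            # Address of the peer as the SMB server recorded it for this session.
            ClientAddress = $f.ClientComputerName
            ClientUser    = $f.ClientUserName
            Dialect       = if ($s) { $s.Dialect } else { $null }
            SessionAgeSec = if ($s) { $s.SecondsExists } else { $null }
        }
    }
}

Get-SmbFileClient | Format-Table -AutoSize
```

The caveats are the same ones raised in the thread: this only sees SMB clients, not IIS, WebDAV or a local process, it reports the address the server saw (so a NAT or proxy hides the real origin), and being a poll rather than a filter it catches only handles that are still open when it runs. Inside the mini-filter, the SID and TokenSource from IRP_MJ_CREATE still tell you nothing about the peer; this lookup is what the kernel side would have to ask the SMB server for.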