Getting user name

Hi,

I’ve seen two posts on this subject, but no answers (they were
dated 1997-1998), so I’m asking the question.

How do I get the name of the user accessing a file? Some code
samples would be appreciated.


Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
E-mail: xxxxx@alfasp.com
ICQ#: 56570367
Professional file&system related components and libraries for Win32
developers.
Alfa File Monitor - #1 file monitoring system for Win32 developers.
Alfa File Protector - #1 file protection and hiding system for Win32
developers.
Alfa Units - #1 file and system handling units for Delphi.



Hi,

RegMon at www.sysinternals.com has some code that retrieves the user’s SID
during file I/O. You can take this SID and ‘transfer’ it to your user-mode
component. The user-mode component in turn can call LookupAccountSid or a
similar function and return the user’s name to your driver.

The preferred mechanism for kernel-to-user-mode communication and back is
by using shared events.

Best,
Bartjan Wattel
ThunderStore BV, The Netherlands.

At 02:41 22-8-2001 +0200, you wrote:


Dejan,
Basically, you’ll need to ferret the sid for the accessing user from
the security context in the create irp when the file is opened. You should
not rely on the access token from the process (or thread, if impersonation
is underway).
Once you have the SID of the user performing the open, you’ll need
to send the sid to some user mode program for resolving the binary sid to a
user name. There are many schemes for sharing data between the driver and a
user program, as you know.
If you need to access the sid of the user that opened the file at
some point after create, it would be best if you cached the sid in some sort
of table indexed by the file object during your create dispatch handler
(removing the cached record when that file object is closed).
I’m sorry, I can’t send any code samples at this time :)

-Joel

-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Tuesday, August 21, 2001 8:42 PM
To: File Systems Developers
Subject: [ntfsd] Getting user name

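The per-file-object table Joel describes (insert the SID in the create dispatch handler, remove it when the file object is closed), as an added example that is not code from anyone in this thread. It is portable C so it builds outside a driver: the FILE_OBJECT is modelled as an opaque const void * key, malloc/free stand in for pool allocation, and the sample SID bytes are constructed. In a real filter the table needs a lock because create and close paths run concurrently, the entry must also be removed when the create itself fails, and the memory would come from non-paged pool if a lookup can happen at DISPATCH_LEVEL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on a SID: 8-byte header plus 15 four-byte sub-authorities. */
#define SID_MAX_LEN 68
#define SID_CACHE_BUCKETS 64

typedef struct sid_entry {
    struct sid_entry *next;
    const void *file_object;   /* key: the FILE_OBJECT pointer of the open (opaque here) */
    size_t sid_len;
    uint8_t sid[SID_MAX_LEN];  /* private copy, so the TokenUser buffer can be freed right after insert */
} sid_entry;

typedef struct {
    sid_entry *buckets[SID_CACHE_BUCKETS];
    size_t count;
} sid_cache;

/* Hash the pointer value; the low bits are dropped because FILE_OBJECTs are aligned. */
static size_t sid_cache_bucket(const void *file_object)
{
    uintptr_t v = (uintptr_t)file_object >> 4;
    return (size_t)((v * 2654435761u) % SID_CACHE_BUCKETS);
}

void sid_cache_init(sid_cache *c)
{
    memset(c, 0, sizeof *c);
}

/* Called from the create dispatch routine once the SID is known.
   A stale record for the same file object is overwritten. Returns 0 on success. */
int sid_cache_insert(sid_cache *c, const void *file_object, const uint8_t *sid, size_t sid_len)
{
    if (file_object == NULL || sid == NULL || sid_len == 0 || sid_len > SID_MAX_LEN)
        return -1;
    size_t b = sid_cache_bucket(file_object);
    for (sid_entry *e = c->buckets[b]; e != NULL; e = e->next) {
        if (e->file_object == file_object) {
            memcpy(e->sid, sid, sid_len);
            e->sid_len = sid_len;
            return 0;
        }
    }
    sid_entry *e = malloc(sizeof *e);
    if (e == NULL) return -1;
    e->file_object = file_object;
    e->sid_len = sid_len;
    memcpy(e->sid, sid, sid_len);
    e->next = c->buckets[b];
    c->buckets[b] = e;
    c->count++;
    return 0;
}

/* Lookup for a later IRP (read, write, ...) on the same file object. */
const sid_entry *sid_cache_lookup(const sid_cache *c, const void *file_object)
{
    for (const sid_entry *e = c->buckets[sid_cache_bucket(file_object)]; e != NULL; e = e->next)
        if (e->file_object == file_object) return e;
    return NULL;
}

/* Called from cleanup/close, or when the create fails after the insert.
   Returns 1 if an entry was removed, 0 if there was none. */
int sid_cache_remove(sid_cache *c, const void *file_object)
{
    for (sid_entry **pp = &c->buckets[sid_cache_bucket(file_object)]; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->file_object == file_object) {
            sid_entry *victim = *pp;
            *pp = victim->next;
            free(victim);
            c->count--;
            return 1;
        }
    }
    return 0;
}

void sid_cache_destroy(sid_cache *c)
{
    for (size_t b = 0; b < SID_CACHE_BUCKETS; b++) {
        while (c->buckets[b] != NULL) {
            sid_entry *e = c->buckets[b];
            c->buckets[b] = e->next;
            free(e);
        }
    }
    c->count = 0;
}

/* Constructed sample: the bytes of S-1-5-18 (Local System) as a TokenUser query returns them. */
const uint8_t SAMPLE_SID_SYSTEM[12] = { 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0 };

int main(void)
{
    sid_cache cache;
    sid_cache_init(&cache);
    int fake_file_object;  /* its address stands in for a FILE_OBJECT pointer */
    sid_cache_insert(&cache, &fake_file_object, SAMPLE_SID_SYSTEM, sizeof SAMPLE_SID_SYSTEM);
    const sid_entry *e = sid_cache_lookup(&cache, &fake_file_object);
    printf("cached %zu-byte SID for file object %p\n", e ? e->sid_len : (size_t)0, (void *)&fake_file_object);
    sid_cache_remove(&cache, &fake_file_object);
    sid_cache_destroy(&cache);
    return 0;
}
```

Keying on the file object pointer rather than on the process or thread is what makes the later lookups agree with the create-time token, which is the point Joel makes about impersonation: whoever opened the file is recorded once, and the record lives exactly as long as the open.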

RegMon? I think I have the latest source, but I can’t find anything that
even relates to SIDs in RegMon source.

Regards, Dejan.

Bartjan Wattel wrote:


How do I ferret the SID from the SC in Create? Hashing it isn’t
hard, but getting it is.
I can get the name from the SID in user mode, and I don’t need to
send it back (the idea is for the user mode to have the name; the name
is not important in the driver at all), but I don’t know how to get the
SID. The Security_Context structure doesn’t seem to have the SID.

Regards, Dejan.

“Smith, Joel” wrote:


Try FUNDELETE instead of RegMon.

Don Burn
Windows 2000 Device Driver and Filesystem consulting

----- Original Message -----
From: “Dejan Maksimovic”
To: “File Systems Developers”
Sent: Wednesday, August 22, 2001 11:10 AM
Subject: [ntfsd] Re: Getting user name


Oops… Sorry about that. Of course I meant the Undelete tool at SysInternals.

Best,

Bartjan Wattel
ThunderStore B.V., The Netherlands

At 05:10 PM 8/22/01 +0200, you wrote:


It looks like FUNDELETE’s technique will not properly deal with
impersonation or the possibility of a filter driver above Dejan’s pending
the create irp. This could lead to the wrong user being tagged.

-----Original Message-----
From: Don Burn [mailto:xxxxx@acm.org]
Sent: Wednesday, August 22, 2001 11:14 AM
To: File Systems Developers
Subject: [ntfsd] Re: Getting user name


In the current Irp stack location, ->Parameters.Create.SecurityContext
is a pointer to the IO_SECURITY_CONTEXT structure. It contains
a member ->AccessState, a pointer to an ACCESS_STATE structure,
which contains the structure SubjectSecurityContext of the
SECURITY_SUBJECT_CONTEXT type.
And that final structure contains two pointers to ACCESS_TOKEN,
ClientToken and PrimaryToken. ClientToken should be NULL in case the
thread has no token, but the PrimaryToken should always be non-NULL.
So if the ClientToken is non-NULL you should use it, else use
PrimaryToken.

But the last question remains: what to do with the PACCESS_TOKEN to
obtain the TokenUser information from it?

I recommend opening a handle for this pointer using ObOpenObjectByPointer,
then querying the desired information using ZwQueryInformationToken and
finally closing the handle using ZwClose (or NtClose directly, it doesn’t
matter).

Or does anybody have a better idea?

Hope this helps

Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dejan Maksimovic
Sent: Wednesday, August 22, 2001 5:13 PM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user name


There’s a macro in ntifs.h that will always return the appropriate token:

#define SeQuerySubjectContextToken( SubjectContext ) \
    ( ARGUMENT_PRESENT( ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken) ? \
      ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken : \
      ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->PrimaryToken )

In order to get the user from the token, you could use:

NTKERNELAPI
NTSTATUS
SeQueryInformationToken (
    IN PACCESS_TOKEN Token,
    IN TOKEN_INFORMATION_CLASS TokenInformationClass,
    OUT PVOID *TokenInformation
    );

Forgive me if this function is not exported for NT4…

-----Original Message-----
From: Pavel Hrdina [mailto:xxxxx@compelson.com]
Sent: Wednesday, August 22, 2001 12:14 PM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user name


Both the macro and the routine aren’t present in NT4 NTIFS.H resp.
NTOSKRNL.EXE. So your simplification can be done on W2K, but on old NT the
more complicated one is necessary.

Paul

PS: Of course the macro can be defined in a custom header even on NT4 :-)),
so only the querying of the token should be done using the old method.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Smith, Joel
Sent: Wednesday, August 22, 2001 6:12 PM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user name


OK - gonna check that.

Regards, Dejan.

Bartjan Wattel wrote:


An interesting technique is used by the System Internals TokenMon driver. It calls
the GetSecurityUserInfo routine from the KSecDD driver. Download the source; it contains
both the prototype and the ksecdd.lib file which was included in the NT4 DDK but removed
later (it seems to be back in the XP DDK). I’m not sure if it is useful for the
original problem, I haven’t examined it thoroughly. The necessary logon ID can
be obtained using SeQueryAuthenticationIdToken() or using the other methods mentioned
before.

BTW, isn’t logon ID enough to distinguish users (logon sessions)?

Best regards,

Michal Vodicka
Veridicom
(RKK - Skytale)
[WWW: http://www.veridicom.com , http://www.skytale.com]


From: Pavel Hrdina[SMTP:xxxxx@compelson.com]
Reply To: File Systems Developers
Sent: Wednesday, August 22, 2001 6:33 PM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user name


> An interesting technique is used by the System Internals TokenMon driver. It calls
> the GetSecurityUserInfo routine from the KSecDD driver. Download the source; it contains
> both the prototype and the ksecdd.lib file which was included in the NT4 DDK but removed
> later (it seems to be back in the XP DDK). I’m not sure if it is useful for the
> original problem, I haven’t examined it thoroughly. The necessary logon ID can
> be obtained using SeQueryAuthenticationIdToken() or using the other methods mentioned
> before.

This seems to require making a work item and do the work in a system thread,
and wait on it - not something I’d like, since the code may need to be run in
the completion routine.
Any other ideas?

> BTW, isn’t logon ID enough to distinguish users (logon sessions)?

I don’t know - how about when logging on twice?
That’s not what I need though, I just need the user name.



> But the last question remains: what to do with the PACCESS_TOKEN to
> obtain the TokenUser information from it?
>
> I recommend opening a handle for this pointer using ObOpenObjectByPointer,
> then querying the desired information using ZwQueryInformationToken and
> finally closing the handle using ZwClose (or NtClose directly, it doesn’t
> matter).

Will this work in IRP_MJ_CREATE Dispatch routine? Or do I need to queue
this to a worker thread?
When I get TokenUserInfo, I have the SID, which I can then pass to a
user mode code, if needed. This may open the problem of the SID pointer
being freed when the user mode needs it:-)



Yes, it’s definitely possible to execute such code in IRP_MJ_CREATE,
moreover it’s the only place where you can do it that way :)
But do it right in the create dispatch, not in the completion routine,
because as we all know it can be called at DISPATCH_LEVEL, which
is not safe for all three routines (they are paged, of course).

As far as the SID is concerned I don’t see any other problem with passing
it to some user mode code - for eg. in the output buffer of some dedicated
device I/O control. Don’t you think so? (Of course the buffer to which the
SID is returned by ZwQueryInformationToken is your buffer, so you’re the only
one who has the exclusive right to control it - and deallocate it when it is
no longer needed.)

Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dejan Maksimovic
Sent: Thursday, August 23, 2001 12:37 AM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user name

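The user-mode end of the hand-off Paul and Dejan discuss above (the SID bytes from the TokenUser query arrive in an IOCTL output buffer, and user mode resolves them with LookupAccountSid), as an added example not written by anyone in this thread. Before the buffer is trusted it is checked against the binary SID layout (revision, sub-authority count, declared length versus bytes actually received) and rendered as an S-1-... string for logging. It is portable C and stops short of the LookupAccountSid call so it builds anywhere; the sample SIDs are constructed, and sid_validate, sid_to_string and sid_matches are names chosen here, not Win32 APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_REVISION 1
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_HEADER_LEN 8   /* Revision, SubAuthorityCount, 6-byte IdentifierAuthority */

/* Returns the exact byte length of the SID at the start of buf, or 0 if buf does
   not hold a well-formed one: wrong revision, more than 15 sub-authorities, or a
   buffer shorter than the header plus the sub-authorities the header declares.
   The count byte drives how much is read, so it is checked before anything else. */
size_t sid_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < SID_HEADER_LEN) return 0;
    if (buf[0] != SID_REVISION) return 0;
    if (buf[1] > SID_MAX_SUB_AUTHORITIES) return 0;
    size_t need = SID_HEADER_LEN + (size_t)buf[1] * 4;
    return len >= need ? need : 0;
}

/* Formats a validated SID as "S-1-<authority>-<sub>-...". Returns the length written
   (not counting the NUL) or -1 on a malformed SID or a too-small output buffer. */
int sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (sid_validate(buf, len) == 0 || out == NULL || outlen == 0) return -1;

    /* IdentifierAuthority is 48-bit big-endian: decimal when it fits in 32 bits, else hex. */
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | buf[2 + i];
    int n = (authority >> 32) != 0
        ? snprintf(out, outlen, "S-%u-0x%012llX", (unsigned)buf[0], (unsigned long long)authority)
        : snprintf(out, outlen, "S-%u-%llu", (unsigned)buf[0], (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t pos = (size_t)n;

    /* Sub-authorities are 32-bit little-endian. */
    for (unsigned i = 0; i < buf[1]; i++) {
        const uint8_t *p = buf + SID_HEADER_LEN + i * 4;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        n = snprintf(out + pos, outlen - pos, "-%lu", (unsigned long)sub);
        if (n < 0 || (size_t)n >= outlen - pos) return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

/* 1 if buf formats to expected, else 0 (also 0 for a malformed SID). */
int sid_matches(const uint8_t *buf, size_t len, const char *expected)
{
    char s[256];
    return sid_to_string(buf, len, s, sizeof s) >= 0 && strcmp(s, expected) == 0;
}

/* Constructed samples, not captured from any real system. */
const uint8_t SAMPLE_SID_SYSTEM[12] = { 1, 1, 0,0,0,0,0,5, 18,0,0,0 };        /* S-1-5-18 */
const uint8_t SAMPLE_SID_DOMAIN_USER[28] = {                                  /* S-1-5-21-1-2-3-1001 */
    1, 5, 0,0,0,0,0,5,
    21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 0xE9,0x03,0,0 };
const uint8_t SAMPLE_SID_BAD_COUNT[12] = { 1, 16, 0,0,0,0,0,5, 18,0,0,0 };    /* 16 sub-authorities: invalid */

int main(void)
{
    char s[256];
    if (sid_to_string(SAMPLE_SID_SYSTEM, sizeof SAMPLE_SID_SYSTEM, s, sizeof s) >= 0) printf("%s\n", s);
    if (sid_to_string(SAMPLE_SID_DOMAIN_USER, sizeof SAMPLE_SID_DOMAIN_USER, s, sizeof s) >= 0) printf("%s\n", s);
    printf("bad count accepted: %s\n",
           sid_validate(SAMPLE_SID_BAD_COUNT, sizeof SAMPLE_SID_BAD_COUNT) ? "yes" : "no");
    return 0;
}
```

The length returned by sid_validate is also what the user-mode side should copy out of the IOCTL buffer, so the driver's "which buffer do I free" problem from later in the thread reduces to copying the validated bytes once and letting the driver free its own TokenUser allocation immediately after completing the IOCTL.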

Well, freeing the buffer isn’t easy - it has to be copied to the output
buffer, and then I have to have another IOCTL to free previous buffers:-)))
Any way to get the user name directly in the driver, during
IRP_MJ_CREATE, WITHOUT going into a worker thread? (I say this because the
technique shown in TokenMon requires the code to run in the System worker
thread:-(

Regards, Dejan.

Pavel Hrdina wrote:

Yes, it’s definitely possible to execute such code in IRP_MJ_CREATE,
moreover it's the only place where you can do it that way :)
But do it right in the create dispatch, not in the completion routine
because as we all know it can be called at DISPATCH_LEVEL which
is not safe for all three routines (they are paged, of course).

As far as the SID is concerned I don't see any other problem with passing
it to some user mode code - e.g. in the output buffer of some dedicated
device I/O control. Don't you think so?
(of course the buffer to which the SID is returned by ZwQueryInformationToken
is your buffer so you're the only one who has the exclusive right to control it
- and deallocate it when it is no longer needed)

Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Dejan Maksimovic
Sent: Thursday, August 23, 2001 12:37 AM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user name

> But the last question remains: what to do with the PACCESS_TOKEN to
> obtain the TokenUser information of it ?
>
> I recommend opening a handle for this pointer using
> ObOpenObjectByPointer, then querying the desired information using
> ZwQueryInformationToken and finally closing the handle using ZwClose (or
> NtClose directly, it doesn't matter).

Will this work in IRP_MJ_CREATE Dispatch routine? Or do I need to queue
this to a worker thread?
When I get TokenUserInfo, I have the SID, which I can then pass to a
user mode code, if needed. This may open the problem of the SID pointer
being freed when the user mode needs it:-)


Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com



----------

From: Dejan Maksimovic[SMTP:xxxxx@alfasp.com]
Reply To: File Systems Developers
Sent: Thursday, August 23, 2001 7:26 PM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user name

Well, freeing the buffer isn’t easy - it has to be copied to output
buffer, and then I have to have another IOCTL to free previous
buffers:-)))
Any way to get the user name directly in the driver, during
IRP_MJ_CREATE, WITHOUT going into a worker thread? (I say this because the
technique shown in TokenMon requires the code to run the System worker
thread:-(

TokenMon queues a work item and waits for the result. The only necessary thing
for it is running at PASSIVE_LEVEL which is probably required for all other
methods. Don't believe there is a way which can be used at DISPATCH_LEVEL.

Best regards,

Michal Vodicka
Veridicom
(RKK - Skytale)
[WWW: http://www.veridicom.com , http://www.skytale.com]


> > Well, freeing the buffer isn't easy - it has to be copied to output
> > buffer, and then I have to have another IOCTL to free previous
> > buffers:-)))
> > Any way to get the user name directly in the driver, during
> > IRP_MJ_CREATE, WITHOUT going into a worker thread? (I say this because the
> > technique shown in TokenMon requires the code to run the System worker
> > thread:-(
> >
> TokenMon queues a work item and waits for the result. The only necessary thing
> for it is running at PASSIVE_LEVEL which is probably required for all other
> methods. Don't believe there is a way which can be used at DISPATCH_LEVEL.

This doesn't seem to be the case. I can get the correct SID ONLY if I queue to a
worker thread. If I try to use the same method in plain IRP_MJ_CREATE it fails,
except for some special SID, but I can never get my own.
Speaking of SIDs, how do I convert a string SID into a SID, in Win32? (What
are the user mode equivalents of RtlConvertSidToString and RtlConvertStringToSid?)


Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com

Dejan,

The approach that I’ve always taken to this is to capture the SID of the
caller during the IRP_MJ_CREATE handling.

Here is the code that we routinely use. It does not use the ACCESS_TOKEN in
the IRP and it can be called successfully in the IRP_MJ_CREATE entry path
because you’re a highest level driver (and hence guaranteed to be called at
IRQL_PASSIVE_LEVEL) and you are called with correct security context.

//
// Demonstrate how to retrieve the SID for the caller. Typically, this information is
// sent to the user application for further processing. We've included it here
// simply to demonstrate how to retrieve this information.
//
// The approach we use is to first try and open the thread token. If that fails, we
// open the process token (which always works) and then use the token handle (in either
// case) to query the SID information for the token.
//
// The declarations below are assumed for this fragment (they were not part of the
// posting); the code needs ntifs.h and must run at PASSIVE_LEVEL.
//

NTSTATUS code;
HANDLE handle = NULL;
ULONG tokenInfoLength;
ULONG index;
PISID sid;

//
// Large enough for a TOKEN_USER plus a SID with the maximum number of sub-authorities.
//
UCHAR buffer[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE];

code = ZwOpenThreadToken(NtCurrentThread(), TOKEN_READ, TRUE, &handle);

if (code == STATUS_NO_TOKEN) {

    //
    // Since we don't have a thread level token we'll use the process
    // level token. This is the common case (in fact) since the only
    // time a thread has a token is when it is impersonating.
    //

    code = ZwOpenProcessToken(NtCurrentProcess(), TOKEN_READ, &handle);

}

ASSERT(NT_SUCCESS(code));

//
// Retrieve the user information from the token. Note that this can be used to query
// twice (once to get the size of the needed buffer.) For this example we've allocated
// a buffer that should always be large enough.
//

code = ZwQueryInformationToken(handle, TokenUser, buffer, sizeof(buffer), &tokenInfoLength);

//
// This call should always work.
//

ASSERT(NT_SUCCESS(code));

//
// The SID is embedded in the TOKEN_USER structure that ZwQueryInformationToken
// filled in. User.Sid points into our own buffer, so it stays valid for as long
// as that buffer does.
//

sid = (PISID)((PTOKEN_USER)buffer)->User.Sid;

//
// For this example, we print out the SID contents. If you wanted to pass it to the user
// mode caller, you'd copy it into their buffer (wherever you'd like!)
//

DbgPrint("*** BEGIN SID Dump ***\n");

DbgPrint("Caller's SID (Revision %u, SubAuthorityCount %u):\n",
         sid->Revision,
         sid->SubAuthorityCount);

DbgPrint("\tIdentifierAuthority = %u-%u-%u-%u-%u-%u\n",
         sid->IdentifierAuthority.Value[0],
         sid->IdentifierAuthority.Value[1],
         sid->IdentifierAuthority.Value[2],
         sid->IdentifierAuthority.Value[3],
         sid->IdentifierAuthority.Value[4],
         sid->IdentifierAuthority.Value[5]);

if (sid->SubAuthorityCount) {
    DbgPrint("\tSubAuthority =");

    for (index = 0; index < sid->SubAuthorityCount; index++) {

        if (index) {
            DbgPrint("-");
        }

        DbgPrint("%u", sid->SubAuthority[index]);

    }

    DbgPrint("\n");

}

DbgPrint("*** END SID Dump ***\n");

//
// Release the token handle we opened above.
//

ZwClose(handle);

I thought I’d previously provided this code sample; perhaps this doesn’t
work for your case for some reason?

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Tuesday, August 21, 2001 8:42 PM
To: File Systems Developers
Subject: [ntfsd] Getting user name

Hi,

I’ve seen two posts on this subject, but no answers (they were
dated 1997-1998), so I’m asking the question.

How do I get the name of the user accessing a file? Some code
samples would be appreciated.


Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
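Tony's dump walks the raw SID fields one by one, and Dejan's earlier question asks for the user-mode equivalents of RtlConvertSidToString / RtlConvertStringToSid (in Win32 those are ConvertSidToStringSid and ConvertStringSidToSid from sddl.h). As an added example that is not part of the thread, here is a portable C round trip between that binary layout and the S-1-... string form, with header validation, so a SID handed up from a driver can be sanity-checked before it goes to LookupAccountSid; it round-trips, for instance, the 28-byte encoding of the constructed value S-1-5-21-1000-2000-3000-1001.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Binary SID layout, the same fields the DbgPrint above walks: Revision (1 byte),
 * SubAuthorityCount (1 byte), IdentifierAuthority (6 bytes, big-endian), then
 * SubAuthorityCount little-endian 32-bit sub-authorities. */
#define SID_MAX_SUB_AUTHS 15

/* Render a binary SID as "S-1-<authority>-<sub>..."; 0 on success, -1 if malformed.
 * The header is validated first: the bytes may have arrived through an IOCTL buffer. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen) {
    if (len < 8 || sid[0] != 1 || sid[1] > SID_MAX_SUB_AUTHS || len < 8 + 4 * (size_t)sid[1])
        return -1;
    uint64_t ia = 0;
    for (int i = 0; i < 6; i++) ia = (ia << 8) | sid[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)ia);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < sid[1]; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return 0;
}
/* Parse one decimal field that must start with a digit; returns the end pointer or NULL. */
static const char *field(const char *p, unsigned long long *v) {
    char *end;
    if (*p < '0' || *p > '9') return NULL;
    *v = strtoull(p, &end, 10);
    return end;
}
/* Parse "S-1-..." back into binary form; returns the byte length, -1 on error. */
int string_to_sid(const char *s, uint8_t *out, size_t outlen) {
    unsigned long long rev = 0, ia = 0, v = 0; uint32_t subs[SID_MAX_SUB_AUTHS]; int count = 0;
    const char *p = strncmp(s, "S-", 2) ? NULL : field(s + 2, &rev);
    if (!p || rev != 1 || *p != '-' || !(p = field(p + 1, &ia)) || ia >> 48) return -1;
    while (*p == '-') {                  /* each remaining "-N" is one sub-authority */
        if (count == SID_MAX_SUB_AUTHS || !(p = field(p + 1, &v)) || v > 0xffffffffULL) return -1;
        subs[count++] = (uint32_t)v;
    }
    if (*p != '\0' || outlen < 8 + 4 * (size_t)count) return -1;
    out[0] = 1; out[1] = (uint8_t)count;
    for (int i = 0; i < 6; i++) out[2 + i] = (uint8_t)(ia >> (8 * (5 - i)));
    for (int i = 0; i < count; i++)
        for (int b = 0; b < 4; b++) out[8 + 4 * i + b] = (uint8_t)(subs[i] >> (8 * b));
    return 8 + 4 * count;
}
```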