Getting user SID from an IRP (W2000)

>Just keep a table mapping PFILE_OBJECTs => PISIDs. Insert an entry in
>create and remove it during close. You can get the user who performed the
>open on any subsequent io by looking up the record for the target
>PFILE_OBJECT.

Ok, but how can I get the SID on the open IRP? I tried the
RtlGetOwnerSecurityDescriptor on
pIrpStack->Parameters.Create.SecurityContext->AccessState->SecurityDescriptor,
but it didn’t work. I keep getting Invalid
Security Descriptor (and that’s because I tested it with
RtlValidSecurityDescriptor(). When I didn’t test it, I got a BSOD).

What am I doing wrong, or is there another way to get the SID from the IRP?

-----Original Message-----
From: Paulo Valerio, Ricardo Ramalho [mailto:xxxxx@mail.gsd.inesc.pt]
Sent: Friday, March 23, 2001 12:17 PM
To: File Systems Developers
Subject: [ntfsd] Geting user SID from an IRP

How do you correctly get the user SID from an IRP? I tried using
RtlGetOwnerSecurityDescriptor(on the IRP_MJ_CREATE. However, according to
pIrpStack->Parameters.Create.SecurityContext->AccessState->SecurityDescriptor
is an . What am I doing wrong, or is there
another way to get the user SID from an IRP? I need the SID from the user
that issued the i/o call, that’s why I was looking on the IRP and not using
GetCurrentThread/and the likes.

Thanks
Richard


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I don’t know. I solved the problem slightly differently and my requirements
were slightly different. I needed the TOKEN_USER, which I simply retrieved
from the access token in the process context (or thread in the case of
impersonation). I was interested in getting the sid of the user who is
ostensibly opening the file.

-----Original Message-----
From: Paulo Valerio, Ricardo Ramalho [mailto:xxxxx@mail.gsd.inesc.pt]
Sent: Tuesday, March 27, 2001 5:50 AM
To: File Systems Developers
Subject: [ntfsd] Getting user SID from an IRP (W2000)

Just keep a table mapping PFILE_OBJECTs => PISIDs. Insert an entry in
create and remove it during close. You can get the user who performed the
open on any subsequent io by looking up the record for the target
PFILE_OBJECT.

Ok, but how can I get the SID on the open IRP? I tried the
RtlGetOwnerSecurityDescriptor on
pIrpStack->Parameters.Create.SecurityContext->AccessState->SecurityDescriptor,
but it didn’t work. I keep getting Invalid
Security Descriptor (and that’s because I tested it with
RtlValidSecurityDescriptor(). When I didn’t test it, I got a BSOD).

What am I doing wrong, or is there another way to get the SID from the IRP?

Are you trying to get the owner of the file that is the target of
the create, or are you trying to get the user on whose behalf the create is
being executed?

> Are you trying to get the owner of the file that is the target of the
> create, or are you trying to get the user on whose behalf the create is
> being executed?

I’m trying to get the user on whose behalf the create is being executed,
i.e., the user that is opening the file.

In that case, you need to look in the access token, not the security
descriptor and you need to query for the ‘TOKEN_USER’. You can get the
access token from the context within which you are executing (see the Zw*
routines I posted declarations for a few days ago) or from the irp (there
are access tokens embedded deep within the create parameters - in the
subject context).

-----Original Message-----
From: Paulo Valerio, Ricardo Ramalho [mailto:xxxxx@mail.gsd.inesc.pt]
Sent: Wednesday, March 28, 2001 8:50 AM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user SID from an IRP (W2000)

> Are you trying to get the owner of the file that is the target of the
> create, or are you trying to get the user on whose behalf the create is
> being executed?

I’m trying to get the user on whose behalf the create is being executed,
i.e., the user that is opening the file.

As Maxim points out in a different thread, getting the access token from
the thread context may not yield expected results: A higher level filter
may pend the creates and pass them down from a worker thread (this was
new to me - I didn’t think this was possible for some reason). It appears
that you are better off using the access tokens from the create irp, rather
than extracting them from the process or thread context.

-Joel

-----Original Message-----
From: Smith, Joel [mailto:xxxxx@ntpsoftware.com]
Sent: Wednesday, March 28, 2001 9:14 AM
To: File Systems Developers
Subject: [ntfsd] RE: Getting user SID from an IRP (W2000)

In that case, you need to look in the access token, not the security
descriptor and you need to query for the ‘TOKEN_USER’. You can get the
access token from the context within which you are executing (see the Zw*
routines I posted declarations for a few days ago) or from the irp (there
are access tokens embedded deep within the create parameters - in the
subject context).
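
The approach the thread converges on, as an added user-mode model (not code from any poster, and not driver code): the opener's SID is taken from the subject context carried by the create request, where an impersonation token takes precedence over the primary token, and copied into a table keyed by file object that is cleared on close. Every type and function name below is a stand-in invented for this sketch; in a driver the captured context is `Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext`.

```c
/* Added example: user-mode model with stand-in types, not WDK definitions. */
#include <stddef.h>
#include <string.h>
#define MAX_OPEN 8
#define SID_MAX  68   /* largest SID: 8 + 15 * 4 bytes */
typedef struct { unsigned char sid[SID_MAX]; size_t len; } model_token;
typedef struct { const model_token *client, *primary; } model_subject; /* two token slots */
typedef struct { const void *fo; unsigned char sid[SID_MAX]; size_t len; } open_rec;
static open_rec table[MAX_OPEN];

/* Impersonation (client) token wins; otherwise the process primary token. */
static const model_token *effective_token(const model_subject *s) {
    return s->client ? s->client : s->primary;
}
/* Create: copy the opener's SID out of the subject context carried by the IRP. */
int on_create(const void *fo, const model_subject *from_irp) {
    const model_token *t = from_irp ? effective_token(from_irp) : NULL;
    if (!fo || !t || t->len == 0 || t->len > SID_MAX) return -1;
    for (int i = 0; i < MAX_OPEN; i++) {
        if (table[i].fo != NULL) continue;
        memcpy(table[i].sid, t->sid, t->len);   /* keep a copy, not a token pointer */
        table[i].len = t->len;
        table[i].fo = fo;
        return 0;
    }
    return -1;   /* table full */
}
/* Later I/O: find the SID recorded for this file object, or NULL. */
const unsigned char *lookup_sid(const void *fo, size_t *len) {
    for (int i = 0; fo && i < MAX_OPEN; i++)
        if (table[i].fo == fo) { *len = table[i].len; return table[i].sid; }
    return NULL;
}
/* Close: drop the record so a reused file object address cannot inherit it. */
void on_close(const void *fo) {
    for (int i = 0; fo && i < MAX_OPEN; i++)
        if (table[i].fo == fo) memset(&table[i], 0, sizeof table[i]);
}
/* Constructed case: the create was pended and resumes on a worker thread. */
int pended_create_keeps_caller(void) {
    static const model_token user = { {1,1,0,0,0,0,0,5,99,0,0,0}, 12 }; /* made-up SID */
    static const model_token sys  = { {1,1,0,0,0,0,0,5,18,0,0,0}, 12 }; /* S-1-5-18 */
    model_subject irp_ctx = { NULL, &user }, worker_ctx = { NULL, &sys };
    int fo = 0; size_t n = 0;   /* &fo stands in for a file object pointer */
    if (on_create(&fo, &irp_ctx) != 0) return 0;
    const unsigned char *sid = lookup_sid(&fo, &n);
    int ok = sid && n == user.len && memcmp(sid, user.sid, n) == 0;
    on_close(&fo);
    return ok && effective_token(&worker_ctx) == &sys && !lookup_sid(&fo, &n);
}
```

In a driver, `SeQuerySubjectContextToken` performs the client-or-primary selection and `SeQueryInformationToken` with `TokenUser` returns the `TOKEN_USER`; the thread itself names neither routine. A real table also needs a lock, since creates and closes run concurrently.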
