If userA on Machine A is opening a mounted remote device on Machine B, and I
have a filter driver running on Machine B, it always gives me the
process id of "System" as the opening process. How can I get the original
process ID on Machine A? Can I use IoGetRequestorProcessId? Furthermore,
will SeCaptureSubjectContext give me the context for userA or for somebody
else?
Thanks.
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> If userA on Machine A is opening a mounted remote device on Machine B, and I
> have a filter driver running on Machine B, it always gives me the
> process id of "System" as the opening process.
No, you have the wrong filter code.
For SRV’s thread, the PrimaryToken is LocalSystem, while the ImpersonationToken is the real user’s (who accesses the files) token.
Also note - SRV sometimes accesses the share directory from LocalSystem account for its internal needs.
Max
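Putting Max's answer into code, as an added example that is not from this thread: a helper for a minifilter's IRP_MJ_CREATE pre-operation callback that reads the effective token out of the captured subject context. The process id is SRV's System process either way; the client's identity lives in the impersonation token, and a LocalSystem result means one of SRV's own internal accesses rather than a client request. It is kernel-mode code and assumes a WDK build; the function name is my own.

```c
// Kernel-mode minifilter helper (hypothetical name); builds only with the WDK.
#include <fltKernel.h>

// Resolve who really issued an IRP_MJ_CREATE that arrived through SRV.
// The calling thread belongs to the System process (that is the PID the
// filter saw), but while it services a client it impersonates that client,
// so the subject context carries two tokens: PrimaryToken (LocalSystem)
// and ClientToken (userA). SeQuerySubjectContextToken returns ClientToken
// when the thread is impersonating and PrimaryToken otherwise.
//
// On success SidString holds the requester's SID as "S-1-5-..." (caller
// frees it with RtlFreeUnicodeString) and *IsLocalSystem is TRUE when the
// effective token is LocalSystem, i.e. an SRV-internal access.
static NTSTATUS
GetCreateRequestorSid(
    _In_ PFLT_CALLBACK_DATA Data,
    _Out_ PUNICODE_STRING SidString,
    _Out_ PBOOLEAN IsLocalSystem)
{
    // The I/O manager captured the requester's subject context into the
    // ACCESS_STATE before the create reached the filter, so there is no
    // need to call SeCaptureSubjectContext here; in pre-create it would
    // capture the same pair of tokens from the same SRV worker thread.
    PSECURITY_SUBJECT_CONTEXT subject =
        &Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext;
    PACCESS_TOKEN token;
    PTOKEN_USER tokenUser = NULL;
    NTSTATUS status;

    RtlInitUnicodeString(SidString, NULL);
    *IsLocalSystem = FALSE;

    SeLockSubjectContext(subject);
    token = SeQuerySubjectContextToken(subject);  // client token if impersonating
    status = SeQueryInformationToken(token, TokenUser, (PVOID *)&tokenUser);
    SeUnlockSubjectContext(subject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    // SeExports->SeLocalSystemSid is the well-known S-1-5-18.
    *IsLocalSystem = RtlEqualSid(tokenUser->User.Sid, SeExports->SeLocalSystemSid);
    status = RtlConvertSidToUnicodeString(SidString, tokenUser->User.Sid, TRUE);
    ExFreePool(tokenUser);  // SeQueryInformationToken allocated this buffer
    return status;
}
```

Call it from the IRP_MJ_CREATE pre-operation callback, where the request is still on the requester's (SRV worker) thread; a LocalSystem result should be treated as server housekeeping, not attributed to any remote user.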