How to get file owner in a minifilter?

Hello there,

I have a problem I shall try to explain.

My user mode application is running as a service. A service in windows cannot access files on a network disk. And when my minifilter is detecting a file of interest I send the file name to user mode and trying to detecting the file owner. But if it is a file on a network disk my user mode service could not access to that file.

Is it possible to get the file owner in a minifilter?

/Mattias Lasu

Well, when you say “A service in windows cannot access files on a network disk” I don’t think you are correct. It depends on the credentials the service is running with. You could look into changing that.

Anyway, in a minifilter you can get the owner information using FltQuerySecurityObject (currently at However, this will still require that the minifilter has access to that network file.


Thanks Alex,

Yes you have right that it depends on the credentials the service is running with, my knowledge is that the service must have a user credentials to be enable to access a file on a network disk, but I can have wrong.

I think, correct me if a have wrong, that it is a difference between ?file owners? and ?file object owner?. File object owner is, the owner of that process that opens the file and the file owner is the user that created the file. I won?t to have the ?file owner? the user that created the file. Is that possible and could I use FltQuerySecurityObject for that?

Mattias Lasu

I am a little confused here. From you first query I thought of the “File owner” as the place where the file resides, i.e. a network share or on a local volume. Is that correct? Or are you looking at finding the owner of the file with regards to ACLs/security of the file?

If the first one is what you are looking for, then you can try calling GetDriveType() to find the type of drive in picture. But, this API uses the root directory path with a trailing backslash, something like c:. Is that what you are looking for?

You have no advantage if you know the file owner or security descriptor or whatever. Simply you must act from the service on behalf of the user, who performs the IRP operation. Here the impersonation comes into play. Problem here is how to pass an access token from kernel to your service. The easiest way is to use named pipe. The kernel is the pipe client and Service is the pipe server. In service you can use ImpersonateNamedPipeClient() after you read some request data.

Note also that your minifilter can be called in an arbitrary context, so you should for that case safe an access token in IRP_MJ_CREATE and impersonate into user in minifilter. Take look on API like SeCreateClientSecurity()/SeCreateClientSecurityFromSubjectContext(), SeImpersonateClient(), SeDeleteClientSecurity(). The security subject context is stored somewhere in the IO_STACK_LOCATION.CreateParameters. As you use minifilter, you shoud use probably minifilter related structures.

Good luck,
Bronislav Gabrhelik

Safe should be save in my previous post.

Hi Mattias,

In terms of security I’m not sure there is a difference. Basically, the FILE_OBJECT is an OB (object manager) object and as such it has a set of standard routines. A well known example is the parse procedure that an OB object that implements a namespace can use. Another example is a security procedure that can be used to set or query security for the object. For a FILE_OBJECT that represents a file on a file system the routine will eventually end up sending an IRP_MJ_QUERY_SECURITY to the file system. So i’d say that for a FILE_OBJECT that represents a file on a file system there really isn’t a distinction between the FILE_OBJECT’s security and the security of the file it represents, and so there isn’t a distinction between the owner of a FILE_OBJECT and the owner of the file on the file system from a security perspective.

You can use FltQuerySecurityObject() to query the security attributes and the owner is one of those.