Impersonation on FltCreateFileEx2


I’m having some troubles related to impersonation when my SFO minifilter driver makes a call to FltCreateFileEx2 to create/open the lower FO.

When IRP_MJ_CREATE reaches, I call SeCreateClientSecurityFromSubjectContext/SeImpersonateClientEx using data from Iopb->Parameters.Create.SecurityContext, then call FltCreateFileEx2 with IO_FORCE_ACCESS_CHECK and then PsRevertToSelf.

Then I realized the thread can be already impersonating so I added calls to PsReferenceImpersonationToken/PsImpersonateClient/PsDereferenceImpersonationToken to restore original impersonation, if any but things get worst because some apps started crashing.

How should I handle impersonation? Is really needed or IO_FORCE_ACCESS_CHECK should be enough and reuse current thread impersonation?

Also (may be incorrect), can an IRP have a different security context (with a client token) different to the active client token?