Here I am trying to open a CIFS file in kernel mode. I have created a user-mode service which does the login functionality and calls an ioctl. Here I call SeCreateClientSecurity and then, in a different thread, I call SeImpersonateClientEx. Please note that the driver here is a block-level driver sitting at the highest level of the stack.

It is working.

SeCreateClientSecurity requires a Thread as an input parameter. Here we are assuming the ioctl will be running in user context. It seems it is 99% guaranteed that it will be in the same context. But to understand, I would like to know:

- How can I verify in the driver whether the current thread is running in user context?

- What if I kill the process after calling SeCreateClientSecurity? I have tried it and it is working, but I would like to know what the lifetime of the token will be here.

- Is there any other way to get the token from user mode? Please note that the user service is 32-bit and the driver is 64-bit. It may matter if we pass some pointer.

- To get the current thread, which should be preferred: PsGetCurrentThread() or Irp->Tail.Overlay.Thread?