I’m developing a mini filter driver which runs on a server with multiple
file shares. In the filter driver I need to determine the user SID when
the server gets requests from remote clients.
I get the SID in the following way:
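    NTSTATUS status;
    PTOKEN_USER tokenInformation = NULL;
    PACCESS_TOKEN pAcc = SeQuerySubjectContextToken(
        &Data->Iopb->Parameters.Create.SecurityContext->
            AccessState->SubjectSecurityContext );

    /* SeQueryInformationToken allocates the TOKEN_USER buffer;
       the caller must free it with ExFreePool. */
    status = SeQueryInformationToken(
        pAcc,
        TokenUser,
        (PVOID *)&tokenInformation );
    if (NT_SUCCESS(status)) {
        /* sid points into tokenInformation, so use or copy it
           before the buffer is freed. */
        PSID sid = tokenInformation->User.Sid;
        /* ... use sid here ... */
        ExFreePool(tokenInformation);
    }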
So far so good. The problem is that I would also like to determine which
remote client process is the source of the request.
This information should allow me to differentiate between “real” user
activity in a “WINWORD.EXE” process versus autonomous applications such
as the crawler for MSN Desktop Search and Google Desktop Search (both of
which create a lot of IO-requests).
Best Regards,
Jim