Minifiliter and LanmanServer/FILE_DEVICE_NETWORK - error 0x801f0014

NTFSD
1

Hi,

I tried to use minifilter to filter LanmanServer device, but it seems problematic (if not impossible) to attach to it. In minifilter I have to specify volume to attach to, but when I try to force this with fltmc (fltmc attach FilterName “\Device\LanmanServer” -i “FilterName Instance”) I get an error 0x801f0014. Also fltmc and FltEnumerateVolumes don’t show LanmanServer as available volume. That’s probably because LanmanServer is FILE_DEVICE_NETWORK, not FILE_DEVICE_NETWORK_FILE_SYSTEM.

The question is: can minifiliter be attached to \Device\LanmanServer? If so, how?

Thanks.

2

> The question is: can minifiliter be attached to \Device\LanmanServer? If so, how?

No, it cannot.

You can attach the old-style Windows filter (IoGetDeviceObjectPointer) to it, and listen to the flow of undocumented management requests to the SRV module.

You will not see the data anyway this way.

If you need to filter SMB traffic - attach the minifilter to local filesystems on the server, and only pay attention to the requests with Network pseudo-group in the security token.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

3

Just to be clear: Don’t you, by any chance, mean \Device\LanmanRedirector instead of \Device\LanmanServer?

4

I need to monitor access (data such as IP, file, SID, success/failure) to SMB server, that’s why I’m interested in \Device\LanmanServer. So if I would attach the minifilter to local filesystems, I suppose it would be impossible to monitor any failed (with incorrect credentials) connections? If that’s the case, that’s not good.

I could try with legacy filter driver to attach to SRV module, but the biggest problem is that I can’t see any official samples with this type of driver. I cant’ see any in the available DDKs (DDK for Windows Server 2003 SP1 and Windows Driver Kit Version 7.1.0, there is also DDK for Windows 2000 but I can’t even install that on Win7 x64). It seems that they were available only in the paid IFS Kit. And if you say that I would’t see any data…

So what method would you suggest to achieve SMB monitoring on the server side? I don’t need contents of transferred data, only their metadata (path, filename) and be informed of successful and *failed* connect attempts.

5

>I need to monitor access (data such as IP, file, SID, success/failure) to SMB server, that’s why I’m

interested in \Device\LanmanServer.

\Device\LanmanServer is just plain not used in accessing the SMB server from the network.

This name is the management interface to SRV, called by the user-mode stuff like the LanmanServer (srvsvc.dll) service which provides DCE RPC-based remoting to manage SRV remotely.

The RPC client for this RPC interface is in netapi32.dll, the calls of NetXxxDoSomething which manage SRV.

The UI control panels/applets are calling netapi32.dll.

failed (with incorrect credentials) connections? If that’s the case, that’s not good.

Then monitor the network traffic using WFP (or TDI filter on pre-Vista), and parse all SMB protocol yourself.

No other ways. You cannot dig into the internals of SRV.

I could try with legacy filter driver to attach to SRV module

You cannot. This driver will not see the real SMB traffic.

SRV is, actually, a consumer/client of 2 interfaces: a) TDI or WSK b) filesystems. Note that b) is not using the usual NtRead/WriteFile syscalls, and using some optimized paths, for instance, the FastIo MDL IO.

You can filter a) using TDI filter or WFP, yes, with the need of parsing the SMB itself.

Also, you can filter b) using FltMgr’s minifilter.

b) is much easier, but you will not see the failed connection events using b).

You can, though, filter all file accesses using b) (note: you will not know any share names, only the local pathname there) and filter SRV logons using some LSA notify packages and such.

available only in the paid IFS Kit

Long ago deceased and merged to a free WDK.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com