How can I monitor whether a file that I have shared on the network is accessed, and from which computer? And also what files I access from another computer, and the name of that computer?
Look for FO_REMOTE_ORIGIN. This indicates that the file object was opened
from a network location.
Don’t know that you can get the computer from which the request originated.
Gabriel
On Wed, Mar 2, 2016 at 4:23 PM, wrote:
> how can I monitor a file, that I have shared on the network, is accessed
> and from which computer ? And also what files i access from other computer
> and also name of that computer.
>
> —
> NTDEV is sponsored by OSR
–
Bercea. G.
Win7 and later provides an ECP (SRV_OPEN_CONTEXT) that you can use to determine client information. See MSDN:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff556749(v=vs.85).aspx
-scott
OSR
@OSRDrivers
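An added example (not code from any poster in this thread or from OSR) of looking up the SRV_OPEN ECP in a minifilter pre-create callback and printing the share name and client address. It goes one step past the replies by decoding the `SocketAddress` bytes in a helper that also builds in user mode; the names `PreCreate`, `ClientAddrToText`, `FMT` and `G` are hypothetical, and the kernel half assumes a WDK build, which defines `_KERNEL_MODE`.

```c
#include <stddef.h>
#ifdef _KERNEL_MODE                 /* defined by WDK kernel-mode builds */
#include <initguid.h>               /* instantiate GUID_ECP_SRV_OPEN in this file */
#include <fltKernel.h>
#include <ntstrsafe.h>
#define FMT RtlStringCbPrintfA      /* same argument order as snprintf */
#else
#include <stdio.h>                  /* lets the decoder be unit-tested in user mode */
#define FMT snprintf
#endif

/* 16-bit group i of the IPv6 address, which starts at offset 8 of sockaddr_in6. */
#define G(i) ((unsigned)((ss[8 + 2 * (i)] << 8) | ss[9 + 2 * (i)]))
/* Decode the raw bytes of a Windows SOCKADDR_STORAGE into text.
 * Returns 4 or 6 for the address family, 0 if it is neither. */
static int ClientAddrToText(const unsigned char *ss, char *out, size_t cb)
{
    unsigned family = ss[0] | ((unsigned)ss[1] << 8);  /* host-order USHORT */
    if (family == 2) {              /* AF_INET: address bytes at offset 4 */
        FMT(out, cb, "%u.%u.%u.%u", ss[4], ss[5], ss[6], ss[7]);
        return 4;
    }
    if (family == 23) {             /* AF_INET6 as numbered on Windows */
        FMT(out, cb, "%x:%x:%x:%x:%x:%x:%x:%x",
            G(0), G(1), G(2), G(3), G(4), G(5), G(6), G(7));
        return 6;
    }
    return 0;
}

#ifdef _KERNEL_MODE
/* Hypothetical callback name; register it as the IRP_MJ_CREATE pre-operation. */
FLT_PREOP_CALLBACK_STATUS
PreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS Objs, PVOID *Ctx)
{
    PECP_LIST ecps = NULL;
    PSRV_OPEN_ECP_CONTEXT srv = NULL;
    char ip[64];
    UNREFERENCED_PARAMETER(Ctx);
    /* The file server attaches this ECP to creates it issues for a client. */
    if (NT_SUCCESS(FltGetEcpListFromCallbackData(Objs->Filter, Data, &ecps)) && ecps &&
        NT_SUCCESS(FltFindExtraCreateParameter(Objs->Filter, ecps, &GUID_ECP_SRV_OPEN,
                                               (PVOID *)&srv, NULL)) &&
        !FltIsEcpFromUserMode(Objs->Filter, srv) &&   /* trust kernel-origin ECPs only */
        srv->SocketAddress && ClientAddrToText((const unsigned char *)srv->SocketAddress, ip, sizeof ip))
        DbgPrint("share %wZ opened from %s\n", srv->ShareName, ip);
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#endif
```

The ECP carries the client's socket address, not its computer name, so a name has to be resolved separately if one is needed.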
Please correct me if I am wrong. FileObject->DeviceObject is the device \Device\HarddiskVolume(1, 2, 3 or whatever the number of the volume on which the file is located)? Am I right, according to this article ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff545834(v=vs.85).aspx )?
If the above statement is correct, would it be right to get the devices of the hard disk one by one in a loop until the status says no device found, and save all those devices in a linked list? In the IRP_MJ_READ dispatch routine I should check if File->DeviceObject == LinkedList->DeviceObject and then print its DOS name, like LinkedList->name?
Sorry, I didn't mean to comment here. I am so sorry for the inconvenience.