Hello,
I have a problem with filtering files in my file system filter driver.
In the IRP_MJ_CREATE PostCreate function, it sends the filename and
ProcessId to user mode (via a communication port) to decide whether to
allow the file create. It does this in user mode by - amongst other
things - retrieving the user name of the processId supplied.
If I create a new file in explorer on a local drive, the file is created
successfully. However, attempting to create a new file in explorer on a
network drive results in an error. This is because it determines that
the user name of the supplied processId is not one of our authorised
users.
For a local file, the processId retrieved by PsGetCurrentProcessId()
returns 612 or whatever explorer.exe happens to be, and explorer.exe is
started by the logged-on Windows user (e.g. User1) so all is ok.
However, on a network volume file create the process Id returned is 4,
which is the “System” process which runs as SYSTEM, so access is denied.
IoGetRequestorProcessId() also returns 4.
Why am I seeing ProcessId 4 instead of the id for explorer.exe which
originated the create file request? How can I retrieve the actual
processId?
Thanks
Jon.
Jonathan Oliver
Software Engineer
WinST
BAE Systems Insyte