Remote file permission error Of Winword

Very strange.

My filesystem filter hooks the PreCreate routine. When an IRP_MJ_CREATE opens a remote file, I open and process another remote file at the same time (to record some logs).

If the process is WinWord, this causes a “network or file permission error”. WinWord saves the file to a network path like “\\192.168.3.5\NewFolder\a.docx”.

But if I map “\\192.168.3.5\NewFolder” to Z: and save the file to Z:, it succeeds!

What’s the difference between “\\192.168…” and the mapped drive?

Additionally, I printed the logs in my minifilter driver.
Both the “\\192.168…” path and the mapped drive have the same target path: “\Device\LanmanRedirector\192.168.3.5\NewFolder\a.docx”.

Can anyone tell me what’s the difference between “\\192.168…” and the mapped drive?

> Can anyone tell me what’s the difference between “\\192.168…” and the mapped drive?

I cannot, but if I was debugging this I’d look at the security context you
get with the create. When you mapped the drive, did you specify a
username/password?

Yes I did.

I checked the security context. My code looks like this:

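    /* Locals the fragment relies on; lpIrp and IrpSp come from the create dispatch routine. */
    SECURITY_QUALITY_OF_SERVICE  SecurityQualityOfService;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    OBJECT_ATTRIBUTES            obj;
    NTSTATUS                     status;
    BOOLEAN                      EffectiveOnly;
    PETHREAD                     ThreadPtr;
    PACCESS_TOKEN                AccessTokenPtr;
    PEPROCESS                    ProcessPtr;   /* used only by the disabled fallback below */
    BOOLEAN                      bImpersonate = FALSE;
    BOOLEAN                      CopyOnOpen = TRUE;

    /* Security QoS and security descriptor for the additional open. */
    SecurityQualityOfService.Length = sizeof( SECURITY_QUALITY_OF_SERVICE );
    SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
    SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
    SecurityQualityOfService.EffectiveOnly = TRUE;
    obj.SecurityQualityOfService = &SecurityQualityOfService;

    obj.SecurityDescriptor = IrpSp->Parameters.Create.SecurityContext->AccessState->SecurityDescriptor;

    /* Reference the impersonation token (if any) of the thread that issued the IRP. */
    ThreadPtr = lpIrp->Tail.Overlay.Thread;
    AccessTokenPtr = PsReferenceImpersonationToken(
        ThreadPtr, &CopyOnOpen, &EffectiveOnly, &ImpersonationLevel );

    //if (AccessTokenPtr == NULL)
    //{
    //    ProcessPtr = IoGetRequestorProcess( lpIrp );
    //    AccessTokenPtr = PsReferencePrimaryToken( ProcessPtr );
    //}

    if( AccessTokenPtr )
    {
        /* Make the current thread impersonate the requestor's token. */
        status = PsImpersonateClient( PsGetCurrentThread(), AccessTokenPtr,
                                      CopyOnOpen, EffectiveOnly, ImpersonationLevel );
        if( NT_SUCCESS(status) )
        {
            bImpersonate = TRUE;   /* caller must PsRevertToSelf() after the open */
        }

        /* Release the reference taken by PsReferenceImpersonationToken. */
        PsDereferenceImpersonationToken( AccessTokenPtr );
    }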

And then I call CreateFile. But it doesn’t work.


Yes, but is the security context *different* in the two cases? It might
(just might) give you a hint…

> Can anyone tell me what’s the difference between “\\192.168…” and the mapped drive?

Separate connections from RDR to SRV, to begin with.

More so, one connection (with numeric IP) can be over port 445 with this new “direct SMB over TCP”, while the name-based connection can be over NetBIOS and port 139.

So, for RDR, these are 2 different servers.

And yes, the credentials/security context can differ. When you map the drive, you could provide some credentials different from the current Windows user.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> My filesystem filter hooks the PreCreate routine. When an IRP_MJ_CREATE opens a remote file, I open and process another remote file at the same time (to record some logs).
>
> If the process is WinWord, this causes a “network or file permission error”. WinWord saves the file to a network path like “\\192.168.3.5\NewFolder\a.docx”.

And what errors occur internally in your code?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Yes, I think so. Maybe I am missing something about the security context.
But I have little experience with security.
Could you give me some hints about the security context?

I tried many times. No matter what I do, it fails all the time with the same error.
Could you give me some hint about security context?
Thanks.