Remote Request?

Is it possible to determine whether an accessed file was opened from the
local machine or from a remote connection?
e.g. C:\SharedFolder\test.txt, and someone opens it from somewhere. The
hook can catch the file opening, but how can I decide whether a request
came from the local machine or a remote one?

Thanks in advance!

Chang Sung, Jung.

Hi,

To decide if request has come from a remote machine use the following.

if( ( pCurrentIrpStack->FileObject->Flags & FO_REMOTE_ORIGIN ) != 0 )
{
// This request came from a remote client
}

Hope that helps. I have been using this code for some time now without
problems.

Regards

Ben

DESlock+ Development Manager
Data Encryption Systems Ltd.
Silver Street House
Silver Street
Taunton, Somerset
UK

-----Original Message-----
From: Chang Sung, Jung. [mailto:xxxxx@korea.com]
Sent: 23 October 2002 10:22
To: File Systems Developers
Subject: [ntfsd] Remote Request?

Is it possible to determine whether an accessed file was opened from the
local machine or from a remote connection?
e.g. C:\SharedFolder\test.txt, and someone opens it from somewhere. The
hook can catch the file opening, but how can I decide whether a request
came from the local machine or a remote one?

Thanks in advance!

Chang Sung, Jung.



what is FO_REMOTE_ORIGIN defined to? I do not see that in ntifs.h or ddk.h
or wdm.h

-Srin.

-----Original Message-----
From: xxxxx@des.co.uk [mailto:xxxxx@des.co.uk]
Sent: Wednesday, October 23, 2002 2:25 AM
To: File Systems Developers
Subject: [ntfsd] RE: Remote Request?

Hi,

To decide if request has come from a remote machine use the following.

if( ( pCurrentIrpStack->FileObject->Flags & FO_REMOTE_ORIGIN ) != 0 )
{
// This request came from a remote client
}

Hope that helps. I have been using this code for some time now without
problems.

Regards

Ben

DESlock+ Development Manager
Data Encryption Systems Ltd.
Silver Street House
Silver Street
Taunton, Somerset
UK


Yet another one of those wonderful XP-only features.

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@NAI.com
Sent: Wednesday, October 23, 2002 9:57 AM
To: File Systems Developers
Subject: [ntfsd] RE: Remote Request?

what is FO_REMOTE_ORIGIN defined to? I do not see that in
ntifs.h or ddk.h or wdm.h

-Srin.


Hi all,

I apologize for any inconvenience this has caused! Doesn’t everyone use
XP these days :)

Still on this subject, does anyone know the correct way to do this for
Windows NT & 2000?

I am sure there will be an undocumented, “munge tastic” ™ way of doing
something similar!

Ben

-----Original Message-----
From: Nicholas Ryan [mailto:xxxxx@nryan.com]
Sent: 23 October 2002 18:11
To: File Systems Developers
Subject: [ntfsd] RE: Remote Request?

Yet another one of those wonderful XP-only features.

- Nicholas Ryan


From the wonderful FAQ on OSR’s website
http://www.osr.com/resources_ifsfaq.shtml:

"Q59 How do I determine if the IRP is coming from a local process or over
the network?

In our experience, it is not possible to ascertain this information for
most operations. However, we have found that a solution that works with
IRP_MJ_CREATE is to examine the process context. If the process is the
system process, we then examine the impersonation state of the given thread.
This can be done by trying to open the security token of the current thread
(ZwOpenThreadToken or ZwOpenThreadTokenEx). If the thread is impersonating,
our experience indicates that it is, in fact, operating on behalf of a
remote user. While this is heuristic in nature, it is based upon
observations of how the CIFS/SMB file server is implemented (it is a kernel
mode driver that uses worker threads for processing requests on behalf of
remote systems).

If we need to track this for subsequent operations, we can associate this
state information with the given file object, so that subsequent I/O
operations on this file object will allow us to determine if the original
create operation was done using this impersonation technique. Impersonation
is used during IRP_MJ_CREATE so that the underlying file system performs
security checks using the correct credentials. Subsequently, the operating
system will validate access independent of the thread’s credentials, since
the security decision has already been made for the given FILE_OBJECT."

Ho Mun Chuen
@@ “Not everything that counts can be counted;
<” )~ and not everything that can be counted counts"
//\ … Albert Einstein
----- Original Message -----
From:
To: “File Systems Developers”
Sent: Thursday, October 24, 2002 4:00 PM
Subject: [ntfsd] RE: Remote Request?

Hi all,

I apologize for any inconvenience this has caused! Doesn’t everyone use
XP these days :)

Still on this subject, does anyone know the correct way to do this for
Windows NT & 2000?

I am sure there will be an undocumented, “munge tastic” ™ way of doing
something similar!

Ben


XP-only function:

BOOLEAN
IoIsFileOriginRemote(
    IN PFILE_OBJECT FileObject
    );


Also be aware that the FO_REMOTE_ORIGIN flag is not set until AFTER the
create has completed. This means it will not help you during any part
of IRP_MJ_CREATE processing.

Neal Christiansen
Microsoft File System Filter Group

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Wednesday, October 30, 2002 11:32 PM
To: File Systems Developers
Subject: [ntfsd] RE: Remote Request?

XP-only function:

BOOLEAN
IoIsFileOriginRemote(
    IN PFILE_OBJECT FileObject
    );

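
Added example, not code from any poster in this thread: a user-mode C model of how the pieces above fit together, namely the FO_REMOTE_ORIGIN test, the caveat that the flag is not set until the create has completed, and the OSR FAQ heuristic (System process plus impersonating thread) with the result remembered per file object. The struct, the function names and the sample scenarios are hypothetical stand-ins for what a filter driver would observe; the flag value is taken from current wdm.h and is not stated in the thread.

```c
/* Added example: a user-mode model, not WDK code. The struct and function
 * names are hypothetical stand-ins for state a filter driver would observe. */
#include <stdbool.h>

#define FO_REMOTE_ORIGIN 0x01000000u /* value from current wdm.h, not from the thread */

typedef enum { ORIGIN_UNKNOWN, ORIGIN_LOCAL, ORIGIN_REMOTE } origin_t;

typedef struct {
    unsigned flags;            /* models FILE_OBJECT->Flags */
    bool in_system_process;    /* create arrived in the System process context */
    bool thread_impersonating; /* models ZwOpenThreadToken succeeding */
    origin_t tracked;          /* state the filter associates with the file object */
} model_file_t;

/* The flag test from the thread. */
bool flag_says_remote(const model_file_t *f)
{
    return (f->flags & FO_REMOTE_ORIGIN) != 0;
}

/* During IRP_MJ_CREATE the flag is not set yet, so use the FAQ heuristic
 * and remember the answer for later I/O on the same file object. */
origin_t classify_at_create(model_file_t *f)
{
    f->tracked = (f->in_system_process && f->thread_impersonating)
                     ? ORIGIN_REMOTE : ORIGIN_LOCAL;
    return f->tracked;
}

/* Models create completion: only now does the flag become visible. */
void complete_create(model_file_t *f, bool opened_by_file_server)
{
    if (opened_by_file_server)
        f->flags |= FO_REMOTE_ORIGIN;
}

/* After create: trust the flag where the OS provides it (XP and later),
 * otherwise fall back to the state recorded at create (NT/2000). */
origin_t classify_after_create(const model_file_t *f, bool os_sets_flag)
{
    if (os_sets_flag)
        return flag_says_remote(f) ? ORIGIN_REMOTE : ORIGIN_LOCAL;
    return f->tracked;
}
```

In a real filter the tracked value would live in whatever per-file-object context the driver already maintains, and the heuristic result should be treated as a hint rather than an access-control decision, as the FAQ itself calls it heuristic.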