return value of ZwQueryInformationToken and user SID

NTFSD
1

Hi,All,

I am writing a file filter. In my IRP_MJ_CREATE dispatch routine, I add some
codes to get the file user SID, meanwhile, SoftICE is used as debugging tool
in boot mode.

However,when I turn on the computer, SoftICE told me that "Assertion failed
" at the line of

“status=ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &RetLen);
ASSERT(STATUS_SUCCESS == status);”

here ZwQueryInformationToken was called to get the necessary buffer length.
According to IFS Kits online help, the return value of
ZwQueryInformationToken would be one of
STATUS_SUCCESS,STATUS_ACCESS_DENIED,STATUS_BUFFER_TOO_SMALL,STATUS_INVALID_H
ANDLE,STATUS_INVALID_INFO_CLASS,or STATUS_OBJECT_TYPE_MISMATCH.

It is weird that I always get “Assertioin failed” even though I tried all of
the possible return values one by one. So what the return value would be?

Can anyone help me with that? My codes added in IRP_MJ_CREATE dispatch
routine are attached as below, thank you in advance:

//
// Purpose of these codes is to get user SID
//

NTSTATUS status;
ULONG RetLen;
HANDLE hToken;
PTOKEN_USER tokenInfoBuffer;
PIO_STACK_LOCATION irpSp;
PACCESS_TOKEN Token;
PSID userSID;

irpSp = IoGetCurrentIrpStackLocation( Irp );
Token
=irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityConte
xt.ClientToken;
if( Token == NULL )

Token=irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurity
Context.PrimaryToken;

// ObOpenObjectByPointer on Token, provides hToken;
status= ObOpenObjectByPointer(Token, 0, NULL, TOKEN_QUERY, NULL,
KernelMode,&hToken );

ASSERT(STATUS_SUCCESS == status);
ObDereferenceObject(Token);

// This returns the size of the SID.
status=ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &RetLen);
ASSERT(STATUS_SUCCESS == status);

//Allocate memory for RetLen bytes, put the pointer to tokenInfoBuffer
variable.
tokenInfoBuffer=(PTOKEN_USER) ExAllocatePool( NonPagedPool, RetLen );
status=ZwQueryInformationToken(hToken, TokenUser,
tokenInfoBuffer,RetLen,&RetLen);
ASSERT(STATUS_SUCCESS == status);

userSID=tokenInfoBuffer->User.Sid;
if(RtlValidSid(userSID))
{
KdPrint((“valid userSID”));
}
else
{
KdPrint((“invalid userSID”));
}

ZwClose(hToken);

2

Have you considered a possibility to examine “status” variable value? If
assertion failure pops up debugger it is trivial and if it doesn’t (and you
have broken ASSERT implementation) just add one DbgPrint.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]

From: xxxxx@hotmail.com[SMTP:xxxxx@hotmail.com]
Reply To: xxxxx@lists.osr.com
Sent: Wednesday, September 10, 2003 7:42 PM
To: xxxxx@lists.osr.com
Subject: [ntfsd] return value of ZwQueryInformationToken and user SID

Hi,All,

I am writing a file filter. In my IRP_MJ_CREATE dispatch routine, I add
some
codes to get the file user SID, meanwhile, SoftICE is used as debugging
tool
in boot mode.

However,when I turn on the computer, SoftICE told me that "Assertion
failed
" at the line of

“status=ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &RetLen);
ASSERT(STATUS_SUCCESS == status);”

here ZwQueryInformationToken was called to get the necessary buffer
length.
According to IFS Kits online help, the return value of
ZwQueryInformationToken would be one of
STATUS_SUCCESS,STATUS_ACCESS_DENIED,STATUS_BUFFER_TOO_SMALL,STATUS_INVALID
_H
ANDLE,STATUS_INVALID_INFO_CLASS,or STATUS_OBJECT_TYPE_MISMATCH.

It is weird that I always get “Assertioin failed” even though I tried all
of
the possible return values one by one. So what the return value would be?

Can anyone help me with that? My codes added in IRP_MJ_CREATE dispatch
routine are attached as below, thank you in advance:

//
// Purpose of these codes is to get user SID
//

NTSTATUS status;
ULONG RetLen;
HANDLE hToken;
PTOKEN_USER tokenInfoBuffer;
PIO_STACK_LOCATION irpSp;
PACCESS_TOKEN Token;
PSID userSID;

irpSp = IoGetCurrentIrpStackLocation( Irp );
Token
=irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityCon
te
xt.ClientToken;
if( Token == NULL )

Token=irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecuri
ty
Context.PrimaryToken;

// ObOpenObjectByPointer on Token, provides hToken;
status= ObOpenObjectByPointer(Token, 0, NULL, TOKEN_QUERY, NULL,
KernelMode,&hToken );

ASSERT(STATUS_SUCCESS == status);
ObDereferenceObject(Token);

// This returns the size of the SID.
status=ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &RetLen);
ASSERT(STATUS_SUCCESS == status);

//Allocate memory for RetLen bytes, put the pointer to tokenInfoBuffer
variable.
tokenInfoBuffer=(PTOKEN_USER) ExAllocatePool( NonPagedPool, RetLen );
status=ZwQueryInformationToken(hToken, TokenUser,
tokenInfoBuffer,RetLen,&RetLen);
ASSERT(STATUS_SUCCESS == status);

userSID=tokenInfoBuffer->User.Sid;
if(RtlValidSid(userSID))
{
KdPrint((“valid userSID”));
}
else
{
KdPrint((“invalid userSID”));
}

ZwClose(hToken);

You are currently subscribed to ntfsd as: michal.vodicka@st.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

3

Thank you, Vodicka, but when I inserted the following code in order to show
the “status” variable,

" if( !NT_SUCCESS( status ) )
DbgPrint((“ZwQueryInformation return value is: %x\n”, status ));"

I get the the following compiling error:

‘PCH’ differs in levels of indirection from ‘NTSTATUS’

Any idea how I can show “status” variable?

“Vodicka, Michal” <michal.vodicka> дÈëÏûÏ¢ÐÂÎÅ:xxxxx@ntfsd…
>
> Have you considered a possibility to examine “status” variable value? If
> assertion failure pops up debugger it is trivial and if it doesn’t (and
you
> have broken ASSERT implementation) just add one DbgPrint.
>
> Best regards,
>
> Michal Vodicka
> STMicroelectronics Design and Application s.r.o.
> [michal.vodicka@st.com, http:://www.st.com]
>
> > ----------
> > From: xxxxx@hotmail.com[SMTP:xxxxx@hotmail.com]
> > Reply To: xxxxx@lists.osr.com
> > Sent: Wednesday, September 10, 2003 7:42 PM
> > To: xxxxx@lists.osr.com
> > Subject: [ntfsd] return value of ZwQueryInformationToken and user SID
> >
> > Hi,All,
> >
> > I am writing a file filter. In my IRP_MJ_CREATE dispatch routine, I add
> > some
> > codes to get the file user SID, meanwhile, SoftICE is used as debugging
> > tool
> > in boot mode.
> >
> > However,when I turn on the computer, SoftICE told me that "Assertion
> > failed
> > " at the line of
> >
> > “status=ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &RetLen);
> > ASSERT(STATUS_SUCCESS == status);”
> >
> > here ZwQueryInformationToken was called to get the necessary buffer
> > length.
> > According to IFS Kits online help, the return value of
> > ZwQueryInformationToken would be one of
> >
STATUS_SUCCESS,STATUS_ACCESS_DENIED,STATUS_BUFFER_TOO_SMALL,STATUS_INVALID
> > _H
> > ANDLE,STATUS_INVALID_INFO_CLASS,or STATUS_OBJECT_TYPE_MISMATCH.
> >
> > It is weird that I always get “Assertioin failed” even though I tried
all
> > of
> > the possible return values one by one. So what the return value would
be?
> >
> > Can anyone help me with that? My codes added in IRP_MJ_CREATE dispatch
> > routine are attached as below, thank you in advance:
> >
> > //
> > // Purpose of these codes is to get user SID
> > //
> >
> > NTSTATUS status;
> > ULONG RetLen;
> > HANDLE hToken;
> > PTOKEN_USER tokenInfoBuffer;
> > PIO_STACK_LOCATION irpSp;
> > PACCESS_TOKEN Token;
> > PSID userSID;
> >
> > irpSp = IoGetCurrentIrpStackLocation( Irp );
> > Token
> >
=irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityCon
> > te
> > xt.ClientToken;
> > if( Token == NULL )
> >
> >
Token=irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecuri
> > ty
> > Context.PrimaryToken;
> >
> > // ObOpenObjectByPointer on Token, provides hToken;
> > status= ObOpenObjectByPointer(Token, 0, NULL, TOKEN_QUERY, NULL,
> > KernelMode,&hToken );
> >
> > ASSERT(STATUS_SUCCESS == status);
> > ObDereferenceObject(Token);
> >
> > // This returns the size of the SID.
> > status=ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &RetLen);
> > ASSERT(STATUS_SUCCESS == status);
> >
> > //Allocate memory for RetLen bytes, put the pointer to tokenInfoBuffer
> > variable.
> > tokenInfoBuffer=(PTOKEN_USER) ExAllocatePool( NonPagedPool, RetLen );
> > status=ZwQueryInformationToken(hToken, TokenUser,
> > tokenInfoBuffer,RetLen,&RetLen);
> > ASSERT(STATUS_SUCCESS == status);
> >
> > userSID=tokenInfoBuffer->User.Sid;
> > if(RtlValidSid(userSID))
> > {
> > KdPrint((“valid userSID”));
> > }
> > else
> > {
> > KdPrint((“invalid userSID”));
> > }
> >
> > ZwClose(hToken);
> >
> >
> >
> >
> > —
> > You are currently subscribed to ntfsd as: michal.vodicka@st.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
>
></michal.vodicka>