Security context of a system process' impersonating thread

Hi

I’m developing a file system filter driver and I need to know on behalf of
which user the call is done. Everything works fine, except that I can’t get
the impersonating user of a kernel thread in the system process.

In the following windbg output I did a !token to get the active thread token.
We can see: “Thread is not impersonating”. But if I look by myself in the
_ETHREAD structure, I can see that ImpersonationLevel is set to 2, so there is
an impersonation. (And the token referred to in the ImpersonationInfo is really
the token of the user that the thread is supposed to impersonate.)

Is it a bug or am I missing something?

Let me know if you want the complete output of windbg.

Thank you

Nicolas Sylvain


kd> !thread
THREAD ffb7b020 Cid 0004.0688 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
IRP List:
f5b6ee70: (0006,0190) Flags: 40000884 Mdl: 00000000
Not impersonating
DeviceMap e1004940
Owning Process 8125eda0
Wait Start TickCount 199218 Elapsed Ticks: 0
Context Switch Count 300
UserTime 00:00:00.0000
KernelTime 00:00:05.0515
Start Address srv!WorkerThread (0xfb2d3b32)
Stack Init fb1d6000 Current fb1d57c4 Base fb1d6000 Limit fb1d3000 Call 0
Priority 9 BasePriority 9 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
fb1d5884 faee2eca fb1d589c e10001f8 e10001f8 mydrv!GetCurrentSid+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\work\mydrv\mydrv\systools.cpp @ 168]
fb1d58ac faee2eca fb1d58c8 f5b6ee70 ff5fe7e0 mydrv!JMan::GetCurrentProc+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\work\mydrv\mydrv\drvproc.h @ 344]
fb1d58d8 faee2a5a 810f6698 ffb1a4b0 ff5e4d00 mydrv!Jman::GetCurrentProc+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\work\mydrv\mydrv\drvproc.h @ 344]
fb1d5960 804e3d77 810f6698 f5b6ee70 806ee2e8 mydrv!Create+0x4a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\work\mydrv\mydrv\filter.cpp @ 98]
fb1d5970 8066a2c5 f5b6ee80 f5b6ee70 ff5e4df8 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
fb1d5994 80570f9c 81218c18 81186aa4 fb1d5b3c nt!IovCallDriver+0xa0 (FPO: [Non-Fpo])
fb1d5a74 8056386c 81218c30 00000000 81186a00 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
fb1d5afc 80567c63 00000000 fb1d5b3c 00000040 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
fb1d5b50 80571477 00000000 00000000 00000000 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
fb1d5bcc 80571546 fb1d5cc4 00000020 fb1d5c94 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
fb1d5c28 8057160e fb1d5cc4 00000020 fb1d5c94 nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
fb1d5c68 fb2f2e81 fb1d5cc4 00000020 fb1d5c94 nt!NtOpenFile+0x27 (FPO: [Non-Fpo])
fb1d5cb8 fb2e1852 e1262850 fb1d5cdc ffb6b2c0 srv!SrvRefreshShareRootHandle+0x57 (FPO: [Non-Fpo])
fb1d5d14 fb2d530c e1262850 fb2cff34 ffb6d0f8 srv!SrvReferenceShareForTreeConnect+0x5c (FPO: [Non-Fpo])
fb1d5d7c fb2c2ef6 ffb6d100 ffb736a0 fb2d3be8 srv!SrvSmbTreeConnectAndX+0x3ee (FPO: [Non-Fpo])
fb1d5d88 fb2d3be8 00000000 ffb7b020 00000000 srv!SrvProcessSmb+0xb7 (FPO: [0,0,0])
fb1d5dac 8057dfed ffb6d0f8 00000000 00000000 srv!WorkerThread+0x11e (FPO: [Non-Fpo])
fb1d5ddc 804fa477 fb2d3b32 ffb736a0 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

kd> !token -n
Thread is not impersonating. Using process token…
_EPROCESS 8125eda0, _ETHREAD ffb7b020, _TOKEN e10001f8
TS Session ID: 0
User: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
Groups:
00 S-1-5-32-544 (Alias: BUILTIN\Administrators)
Attributes - Default Enabled Owner
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
Attributes - Mandatory Default Enabled
Primary Group: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
Privs:
[…]
Authentication ID: (0,3e7)
Impersonation Level: Anonymous
TokenType: Primary
Source: *SYSTEM* TokenFlags: 0x89 ( Token in use )
Token ID: 3ea ParentToken ID: 0
Modified ID: (0, 3eb)
RestrictedSidCount: 0 RestrictedSids: 00000000

kd> !process 8125eda0
PROCESS 8125eda0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1000af8 HandleCount: 304.
Image: System
[…]

kd> dt -r ffb7b020 _ETHREAD
+0x000 Tcb :
+0x000 Header :
+0x000 Type : 0x6 ‘’
+0x001 Absolute : 0 ‘’
+0x002 Size : 0x70 ‘p’
+0x003 Inserted : 0 ‘’
+0x004 SignalState : 0
+0x008 WaitListHead : _LIST_ENTRY [0xffb7b028 - 0xffb7b028]
+0x010 MutantListHead : [0xffb7b030 - 0xffb7b030]
+0x000 Flink : 0xffb7b030 [0xffb7b030 - 0xffb7b030]
+0x004 Blink : 0xffb7b030 [0xffb7b030 - 0xffb7b030]
+0x018 InitialStack : 0xfb1d6000
+0x01c StackLimit : 0xfb1d3000
[…]
+0x20c ImpersonationInfo : 0xe19aa3e8
+0x000 Token : 0xe1279190
+0x004 CopyOnOpen : 0 ‘’
+0x005 EffectiveOnly : 0 ‘’
+0x008 ImpersonationLevel : 2 ( SecurityImpersonation )
[…]
+0x0c8 Token :
+0x000 Object : 0xe10001fb
+0x000 RefCnt : 0y011
+0x000 Value : 0xe10001fb
[…]

kd> !token -n 0xe1279190
_TOKEN e1279190
TS Session ID: 0
User: S-1-5-21-602162358-2077806209-839522115-1005 (no name mapped)
Groups:
00 S-1-5-21-602162358-2077806209-839522115-513 (no name mapped)
Attributes - Mandatory Default Enabled
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-32-545 (Alias: BUILTIN\Users)
Attributes - Mandatory Default Enabled
03 S-1-5-2 (Well Known Group: NT AUTHORITY\NETWORK)
Attributes - Mandatory Default Enabled
04 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
Attributes - Mandatory Default Enabled
Primary Group: S-1-5-21-602162358-2077806209-839522115-513 (no name mapped)
Privs:
00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
01 0x000000013 SeShutdownPrivilege Attributes - Enabled Default
02 0x000000019 SeUndockPrivilege Attributes - Enabled Default
Authentication ID: (0,9f5e2)
Impersonation Level: Impersonation
TokenType: Impersonation
Source: NtLmSsp TokenFlags: 0x1
Token ID: 9f5e9 ParentToken ID: 0
Modified ID: (0, 9f5eb)
RestrictedSidCount: 0 RestrictedSids: 00000000

After a bit of disassembly, here is some new information I can provide on my
problem.

When the system needs to know if a thread is impersonating, before looking
in the ImpersonationInfo structure to get the ImpersonationLevel, it checks
whether ActiveImpersonationInfo is set to TRUE… which is probably a good thing.

In my case, this is set to FALSE.

So, my new question is…

When filtering network file access (SAMBA, srv.sys), does anyone know how to
get the user on whose behalf the call is done? SeCaptureSubjectContext/SeQuerySubjectContextToken
and PsReferenceImpersonationToken both failed to return the impersonation token
because ActiveImpersonationInfo is set to FALSE.

Thank you

Nicolas

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Sylvain, Nicolas
Sent: December 3, 2004 3:58 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Security context of a system process’ impersonating
thread


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

This is the expression which will solve your problem.

/* SecurityContext is IrpSp->Parameters.Create.SecurityContext (PIO_SECURITY_CONTEXT);
   ClientToken is only set while the caller impersonates, so fall back to the primary token. */
PACCESS_TOKEN Token =
    ( SecurityContext->AccessState->SubjectSecurityContext.ClientToken != NULL )
        ? SecurityContext->AccessState->SubjectSecurityContext.ClientToken
        : SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken;

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
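The ClientToken-else-PrimaryToken rule above, carried through in host-side C as an added example that is not from the thread or any of its posters: the kernel types are replaced by hypothetical stand-in structs (SUBJECT_CTX_T, TOKEN_T) so it builds without the DDK, while the binary SID encoding and the S-1-5-... text form are the real Windows ones. In a filter the real fields are reached through the IO_STACK_LOCATION's Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext, and the user SID through SeQueryInformationToken with TokenUser; the sample tokens here are constructed from the two SIDs in the !token output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SUB_AUTHS 15

/* Binary SID layout as Windows stores it: revision, sub-authority count,
 * 48-bit big-endian identifier authority, then the sub-authority DWORDs. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[MAX_SUB_AUTHS];
} SID_T;

/* Stand-in for an access token (hypothetical; only the user SID is modelled). */
typedef struct { SID_T User; } TOKEN_T;

/* Stand-in for SECURITY_SUBJECT_CONTEXT (hypothetical name): ClientToken is
 * non-NULL only while the caller impersonates; PrimaryToken is the process token. */
typedef struct {
    TOKEN_T *ClientToken, *PrimaryToken;
} SUBJECT_CTX_T;

/* The rule from the thread: the impersonation token wins, otherwise the primary. */
const TOKEN_T *effective_token(const SUBJECT_CTX_T *ctx)
{
    return ctx->ClientToken != NULL ? ctx->ClientToken : ctx->PrimaryToken;
}

/* Render a SID as S-R-A-S1-S2-..., the text form !token prints.
 * Returns the number of characters written, or -1 if the buffer is too short. */
int sid_to_string(const SID_T *sid, char *out, size_t cap)
{
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | sid->IdentifierAuthority[i];
    int n = snprintf(out, cap, "S-%u-%llu", (unsigned)sid->Revision,
                     (unsigned long long)authority);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    for (int i = 0; i < sid->SubAuthorityCount && i < MAX_SUB_AUTHS; i++) {
        int m = snprintf(out + n, cap - (size_t)n, "-%lu",
                         (unsigned long)sid->SubAuthority[i]);
        if (m < 0 || (size_t)m >= cap - (size_t)n)
            return -1;
        n += m;
    }
    return n;
}

/* User SID of whoever the request is effectively issued for; -1 if no token. */
int effective_user_sid(const SUBJECT_CTX_T *ctx, char *out, size_t cap)
{
    const TOKEN_T *tok = effective_token(ctx);
    return tok ? sid_to_string(&tok->User, out, cap) : -1;
}

/* Build a SID from an authority value and sub-authority list (sample-data helper). */
static SID_T make_sid(uint64_t authority, int count, const uint32_t *subs)
{
    SID_T s = {0};
    s.Revision = 1;
    s.SubAuthorityCount = (uint8_t)count;
    for (int i = 5; i >= 0; i--) {            /* store the authority big-endian */
        s.IdentifierAuthority[i] = (uint8_t)(authority & 0xff);
        authority >>= 8;
    }
    for (int i = 0; i < count && i < MAX_SUB_AUTHS; i++)
        s.SubAuthority[i] = subs[i];
    return s;
}

/* Constructed sample tokens mirroring the thread's !token output: the System
 * process token is NT AUTHORITY\SYSTEM (S-1-5-18); the NtLmSsp impersonation
 * token is the share user S-1-5-21-602162358-2077806209-839522115-1005. */
TOKEN_T g_system_token, g_user_token;

void init_sample_tokens(void)
{
    static const uint32_t system_subs[] = { 18 };
    static const uint32_t user_subs[] = { 21, 602162358u, 2077806209u, 839522115u, 1005u };
    g_system_token.User = make_sid(5, 1, system_subs);
    g_user_token.User = make_sid(5, 5, user_subs);
}

int main(void)
{
    char buf[128];
    init_sample_tokens();
    /* The thread's SrvRefreshShareRootHandle case: not impersonating, so LocalSystem. */
    SUBJECT_CTX_T share_root = { NULL, &g_system_token };
    effective_user_sid(&share_root, buf, sizeof buf);
    printf("not impersonating -> %s\n", buf);
    /* A request served while impersonating the SMB client. */
    SUBJECT_CTX_T client_io = { &g_user_token, &g_system_token };
    effective_user_sid(&client_io, buf, sizeof buf);
    printf("impersonating     -> %s\n", buf);
    return 0;
}
```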

----- Original Message -----
From: “Sylvain, Nicolas”
To: “Windows File Systems Devs Interest List”
Sent: Monday, December 06, 2004 10:19 PM
Subject: RE: [ntfsd] Security context of a system process’ impersonating thread


It looks like the call you see is not performed on behalf of any particular
user. srv performs some internal verification related to the shared
directory.

Alexei.

-----Original Message-----
From: Sylvain, Nicolas [mailto:xxxxx@eonmediainc.com]
Sent: Monday, December 06, 2004 11:20 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Security context of a system process’ impersonating
thread


Yes, sometimes SRV really accesses the share root from LocalSystem context.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Alexei Jelvis”
To: “Windows File Systems Devs Interest List”
Sent: Monday, December 06, 2004 11:23 PM
Subject: RE: [ntfsd] Security context of a system process’ impersonating thread

It look like the call you see is not performed on behalf of any particular
user. svr preforms some internal verification related to the shared
directory.

Alexei.

-----Original Message-----
From: Sylvain, Nicolas [mailto:xxxxx@eonmediainc.com]
Sent: Monday, December 06, 2004 11:20 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Security context of a system process’ impersonating
thread

After a bit of disassembly, here is some new information I can provide on
my
problem.

When the system need to know if a thread is impersonating, before looking
in the ImpersonationInfo structure to get the ImpersonationLevel, it looks
if ActiveImpersonationInfo is set to TRUE… which is probably a good thing.

In my case, this is set to FALSE.

So, my new question is…

When filtering network file access (SAMBA, srv.sys), does anyone know how
to
get the user on behalf the call is done?
SeCaptureSubjectContext/SeQuerySubjectContextToken
and PsReferenceImpersonationToken both failed to return the impersonation
token
because ActiveImpersonationInfo is set to FALSE.

Thank you

Nicolas

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Sylvain, Nicolas
Sent: December 3, 2004 3:58 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Security context of a system process’ impersonating
thread

Hi

I’m developing a file system filter driver and I need to know on behalf of
which user is the call is done. Everything works fine, except that I can’t
get
the impersonating user of a kernel thread in the system process.

In the following windbg output I did a !token to get the active thread
token.
We can see : “Thread is not impersonating”. But if I look by myself in the
_ETHREAD structure, I can see that ImpersonationLevel is set to 2, so there
is
an impersonation. (And the token referred in the ImpersonationInfo is really
the token of the user that the thread is supposed to impersonate)

It is a bug or I miss something?

Let me know I you want the complete output of windbg.

Thank you

Nicolas Sylvain

-----------------------
kd> !thread
THREAD ffb7b020 Cid 0004.0688 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
IRP List:
f5b6ee70: (0006,0190) Flags: 40000884 Mdl: 00000000
Not impersonating
DeviceMap e1004940
Owning Process 8125eda0
Wait Start TickCount 199218 Elapsed Ticks: 0
Context Switch Count 300
UserTime 00:00:00.0000
KernelTime 00:00:05.0515
Start Address srv!WorkerThread (0xfb2d3b32)
Stack Init fb1d6000 Current fb1d57c4 Base fb1d6000 Limit fb1d3000 Call 0
Priority 9 BasePriority 9 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
fb1d5884 faee2eca fb1d589c e10001f8 e10001f8 mydrv!GetCurrentSid+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\work\mydrv\mydrv\systools.cpp @ 168]
fb1d58ac faee2eca fb1d58c8 f5b6ee70 ff5fe7e0 mydrv!JMan::GetCurrentProc+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\work\mydrv\mydrv\drvproc.h @ 344]
fb1d58d8 faee2a5a 810f6698 ffb1a4b0 ff5e4d00 mydrv!Jman::GetCurrentProc+0x5a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\work\mydrv\mydrv\drvproc.h @ 344]
fb1d5960 804e3d77 810f6698 f5b6ee70 806ee2e8 mydrv!Create+0x4a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\work\mydrv\mydrv\filter.cpp @ 98]
fb1d5970 8066a2c5 f5b6ee80 f5b6ee70 ff5e4df8 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
fb1d5994 80570f9c 81218c18 81186aa4 fb1d5b3c nt!IovCallDriver+0xa0 (FPO: [Non-Fpo])
fb1d5a74 8056386c 81218c30 00000000 81186a00 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
fb1d5afc 80567c63 00000000 fb1d5b3c 00000040 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
fb1d5b50 80571477 00000000 00000000 00000000 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
fb1d5bcc 80571546 fb1d5cc4 00000020 fb1d5c94 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
fb1d5c28 8057160e fb1d5cc4 00000020 fb1d5c94 nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
fb1d5c68 fb2f2e81 fb1d5cc4 00000020 fb1d5c94 nt!NtOpenFile+0x27 (FPO: [Non-Fpo])
fb1d5cb8 fb2e1852 e1262850 fb1d5cdc ffb6b2c0 srv!SrvRefreshShareRootHandle+0x57 (FPO: [Non-Fpo])
fb1d5d14 fb2d530c e1262850 fb2cff34 ffb6d0f8 srv!SrvReferenceShareForTreeConnect+0x5c (FPO: [Non-Fpo])
fb1d5d7c fb2c2ef6 ffb6d100 ffb736a0 fb2d3be8 srv!SrvSmbTreeConnectAndX+0x3ee (FPO: [Non-Fpo])
fb1d5d88 fb2d3be8 00000000 ffb7b020 00000000 srv!SrvProcessSmb+0xb7 (FPO: [0,0,0])
fb1d5dac 8057dfed ffb6d0f8 00000000 00000000 srv!WorkerThread+0x11e (FPO: [Non-Fpo])
fb1d5ddc 804fa477 fb2d3b32 ffb736a0 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

kd> !token -n
Thread is not impersonating. Using process token…
_EPROCESS 8125eda0, _ETHREAD ffb7b020, _TOKEN e10001f8
TS Session ID: 0
User: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
Groups:
00 S-1-5-32-544 (Alias: BUILTIN\Administrators)
Attributes - Default Enabled Owner
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
Attributes - Mandatory Default Enabled
Primary Group: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
Privs:
[…]
Authentication ID: (0,3e7)
Impersonation Level: Anonymous
TokenType: Primary
Source: SYSTEM TokenFlags: 0x89 ( Token in use )
Token ID: 3ea ParentToken ID: 0
Modified ID: (0, 3eb)
RestrictedSidCount: 0 RestrictedSids: 00000000

kd> !process 8125eda0
PROCESS 8125eda0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1000af8 HandleCount: 304.
Image: System
[…]

kd> dt -r ffb7b020 _ETHREAD
+0x000 Tcb :
+0x000 Header :
+0x000 Type : 0x6 ‘’
+0x001 Absolute : 0 ‘’
+0x002 Size : 0x70 ‘p’
+0x003 Inserted : 0 ‘’
+0x004 SignalState : 0
+0x008 WaitListHead : _LIST_ENTRY [0xffb7b028 - 0xffb7b028]
+0x010 MutantListHead : [0xffb7b030 - 0xffb7b030]
+0x000 Flink : 0xffb7b030 [0xffb7b030 - 0xffb7b030]
+0x004 Blink : 0xffb7b030 [0xffb7b030 - 0xffb7b030]
+0x018 InitialStack : 0xfb1d6000
+0x01c StackLimit : 0xfb1d3000
[…]
+0x20c ImpersonationInfo : 0xe19aa3e8
+0x000 Token : 0xe1279190
+0x004 CopyOnOpen : 0 ‘’
+0x005 EffectiveOnly : 0 ‘’
+0x008 ImpersonationLevel : 2 ( SecurityImpersonation )
[…]
+0x0c8 Token :
+0x000 Object : 0xe10001fb
+0x000 RefCnt : 0y011
+0x000 Value : 0xe10001fb
[…]

kd> !token -n 0xe1279190
_TOKEN e1279190
TS Session ID: 0
User: S-1-5-21-602162358-2077806209-839522115-1005 (no name mapped)
Groups:
00 S-1-5-21-602162358-2077806209-839522115-513 (no name mapped)
Attributes - Mandatory Default Enabled
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-32-545 (Alias: BUILTIN\Users)
Attributes - Mandatory Default Enabled
03 S-1-5-2 (Well Known Group: NT AUTHORITY\NETWORK)
Attributes - Mandatory Default Enabled
04 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
Attributes - Mandatory Default Enabled
Primary Group: S-1-5-21-602162358-2077806209-839522115-513 (no name mapped)
Privs:
00 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
01 0x000000013 SeShutdownPrivilege Attributes - Enabled Default
02 0x000000019 SeUndockPrivilege Attributes - Enabled Default
Authentication ID: (0,9f5e2)
Impersonation Level: Impersonation
TokenType: Impersonation
Source: NtLmSsp TokenFlags: 0x1
Token ID: 9f5e9 ParentToken ID: 0
Modified ID: (0, 9f5eb)
RestrictedSidCount: 0 RestrictedSids: 00000000


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com



Thank you Alexei and Maxim, you’re right. Some calls are impersonated and some calls are not. Filtering only those that are impersonated works perfectly.

Nicolas

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: December 6, 2004 3:41 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Security context of a system process’ impersonating
thread

Yes, sometimes SRV really accesses the share root from LocalSystem context.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Alexei Jelvis”
To: “Windows File Systems Devs Interest List”
Sent: Monday, December 06, 2004 11:23 PM
Subject: RE: [ntfsd] Security context of a system process’ impersonating thread

It looks like the call you see is not performed on behalf of any particular
user. srv performs some internal verification related to the shared
directory.

Alexei.

-----Original Message-----
From: Sylvain, Nicolas [mailto:xxxxx@eonmediainc.com]
Sent: Monday, December 06, 2004 11:20 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Security context of a system process’ impersonating
thread

After a bit of disassembly, here is some new information I can provide on my
problem.

When the system needs to know if a thread is impersonating, before looking
in the ImpersonationInfo structure to get the ImpersonationLevel, it checks
whether ActiveImpersonationInfo is set to TRUE… which is probably a good thing.

In my case, this is set to FALSE.

So, my new question is…

When filtering network file access (SAMBA, srv.sys), does anyone know how to
get the user on behalf of whom the call is done?
SeCaptureSubjectContext/SeQuerySubjectContextToken and
PsReferenceImpersonationToken both failed to return the impersonation token
because ActiveImpersonationInfo is set to FALSE.

Thank you

Nicolas




Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@eonmediainc.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
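The point of the thread, and the rule Nicolas ended up applying, can be shown in plain code. The following C program is an added illustration written for this page; it is not code from any of the posters, not WDK code, and its structs (ModelThread, ModelImpersonationInfo, ModelToken) are a deliberately simplified, constructed model rather than the real _ETHREAD or _TOKEN layouts. It models two things the thread establishes: the kernel gates ImpersonationInfo behind ActiveImpersonationInfo, so a leftover ImpersonationInfo block with ImpersonationLevel 2 does not make the thread impersonating; and a filter that wants a user identity should attribute a create call to the impersonation token only when impersonation is active (and at least SecurityImpersonation level), treating everything else as the System process's own work, such as srv refreshing a share root handle. The SIDs are copied from the !token output above; the scenario names and helper functions are invented for the example. It builds on any C compiler, no Windows headers needed.

```c
/* Constructed user-mode model of the thread's impersonation check.
 * NOT the real _ETHREAD/_TOKEN layouts and NOT WDK code: the struct and
 * function names below are invented for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same numbering as SECURITY_IMPERSONATION_LEVEL; the dump shows level 2. */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,
    SecurityImpersonation  = 2,
    SecurityDelegation     = 3
} ModelImpersonationLevel;

typedef struct {
    const char *user_sid;             /* "User:" line of !token */
    ModelImpersonationLevel level;    /* meaningful for impersonation tokens only */
    bool is_primary;                  /* TokenType: Primary vs Impersonation */
} ModelToken;

typedef struct {
    ModelToken *token;                /* ImpersonationInfo->Token in the dump */
    ModelImpersonationLevel impersonation_level;
} ModelImpersonationInfo;

typedef struct {
    ModelImpersonationInfo *impersonation_info;  /* may be stale, as in the dump */
    bool active_impersonation_info;              /* the flag the kernel tests first */
    ModelToken *process_primary_token;           /* System process token (e10001f8) */
} ModelThread;

/* Sample tokens, constructed from the SIDs printed in the thread's !token output. */
static ModelToken g_system_token = { "S-1-5-18", SecurityAnonymous, true };
static ModelToken g_user_token   = { "S-1-5-21-602162358-2077806209-839522115-1005",
                                     SecurityImpersonation, false };
static ModelToken g_ident_token  = { "S-1-5-21-602162358-2077806209-839522115-1005",
                                     SecurityIdentification, false };
static ModelImpersonationInfo g_user_info  = { &g_user_token,  SecurityImpersonation };
static ModelImpersonationInfo g_ident_info = { &g_ident_token, SecurityIdentification };

/* What the original post did: read ImpersonationInfo->ImpersonationLevel directly.
 * Returns true for the srv worker thread in the dump even though it is not impersonating. */
bool naive_is_impersonating(const ModelThread *t) {
    return t->impersonation_info != NULL &&
           t->impersonation_info->impersonation_level >= SecurityImpersonation;
}

/* What the kernel does (per the disassembly described in the thread): only when
 * ActiveImpersonationInfo is TRUE does ImpersonationInfo count; otherwise the
 * caller gets the process primary token, exactly as "!token" reported. */
const ModelToken *effective_token(const ModelThread *t, bool *impersonating) {
    if (t->active_impersonation_info && t->impersonation_info != NULL) {
        *impersonating = true;
        return t->impersonation_info->token;
    }
    *impersonating = false;
    return t->process_primary_token;
}

/* Filter policy from the thread's conclusion: attribute a create call to a user
 * only when the thread is actively impersonating at SecurityImpersonation or
 * above. Returns NULL for calls that are the System process's own work (for
 * example srv!SrvRefreshShareRootHandle) or that carry an identification-only token. */
const char *attribute_create_call(const ModelThread *t) {
    bool impersonating = false;
    const ModelToken *tok = effective_token(t, &impersonating);
    if (!impersonating) return NULL;
    if (tok->level < SecurityImpersonation) return NULL;
    return tok->user_sid;
}

/* Scenario builders (invented names). All run in the System process. */
static ModelThread make_thread(bool active, ModelImpersonationInfo *info) {
    ModelThread t = { info, active, &g_system_token };
    return t;
}
ModelThread stale_srv_thread(void)  { return make_thread(false, &g_user_info);  } /* the dump */
ModelThread live_user_thread(void)  { return make_thread(true,  &g_user_info);  }
ModelThread ident_only_thread(void) { return make_thread(true,  &g_ident_info); }

int main(void) {
    ModelThread cases[3] = { stale_srv_thread(), live_user_thread(), ident_only_thread() };
    const char *names[3] = { "stale info, ActiveImpersonationInfo=FALSE",
                             "active impersonation", "identification level only" };
    for (int i = 0; i < 3; i++) {
        const char *sid = attribute_create_call(&cases[i]);
        printf("%-42s naive=%d attributed to: %s\n", names[i],
               (int)naive_is_impersonating(&cases[i]),
               sid ? sid : "(System process's own work, not filtered)");
    }
    return 0;
}
```

The first scenario reproduces the dump: the naive read reports impersonation, but the effective token is the S-1-5-18 primary token and the call is left alone, which is the behaviour Nicolas reported working once he filtered only the impersonated calls.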