SID in a driver is not like it appears in the registry

Hello,

I am writing a legacy filter driver, and in my driver I retrieve the SID of the user performing an operation. I do it in the Create IRP. When I print the sid, I get this output in DebugView:

SID (Revision 108, SubAuthorityCount 20):
PsclUtilsGetSid: IdentifierAuthority = 17-248-32-196-137-249
PsclUtilsGetSid: SubAuthority = index 0 value 3785799280
PsclUtilsGetSid: SubAuthority = index 1 value 0
PsclUtilsGetSid: SubAuthority = index 2 value 3783678608
PsclUtilsGetSid: SubAuthority = index 3 value 4186575584
PsclUtilsGetSid: SubAuthority = index 4 value 4186575352
PsclUtilsGetSid: SubAuthority = index 5 value 7864404
PsclUtilsGetSid: SubAuthority = index 6 value 0
PsclUtilsGetSid: SubAuthority = index 7 value 1
PsclUtilsGetSid: SubAuthority = index 8 value 9048800
PsclUtilsGetSid: SubAuthority = index 9 value 4161869060
PsclUtilsGetSid: SubAuthority = index 10 value 4186577036
PsclUtilsGetSid: SubAuthority = index 11 value 0
PsclUtilsGetSid: SubAuthority = index 12 value 2171557368
PsclUtilsGetSid: SubAuthority = index 13 value 4
PsclUtilsGetSid: SubAuthority = index 14 value 4161869080
PsclUtilsGetSid: SubAuthority = index 15 value 4186577036
PsclUtilsGetSid: SubAuthority = index 16 value 0
PsclUtilsGetSid: SubAuthority = index 17 value 4161869044
PsclUtilsGetSid: SubAuthority = index 18 value 2153050784
PsclUtilsGetSid: SubAuthority = index 19 value 2152974525

And when I check for the SID in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) it looks like this: S-1-5-21-1343024091-1292428093-839522115-500.

Why are they different?

Thanks!

How about some source code? I don’t know what the range of the revision level of an SID should be, but I kind of doubt 128 is a member, so I’m thinking that you have corrupted something, but until you post your code, it’s going to be very difficult to say.

Also, is this related to your other post today? If so, we’re going to
need to know which one to address first, as they may affect each other.

Good luck,

mm

I get the SID as explained here: http://www.osronline.com/article.cfm?id=50
And what I get in DebugView is what I wrote previously…

What I was trying to suggest is that if you make it easy for people to read about your problem, you’re more likely to get help. This is all my opinion, and my opinion only, so far as I know, but what you posted originally doesn’t mean anything out of context. The link below requires that I sign in to osronline, which isn’t the end of the world, but you’re now asking people to reread an entire thread just so they can help you, and the source code has no doubt changed since that thread.

Alternatively, you could just post the source code.

mm

xxxxx@gmail.com wrote:

I get the SID as explained here: http://www.osronline.com/article.cfm?id=50
And what I get in DebugView is what I wrote previously…

You are right. My source code looks like this:

UCHAR buffer[256];
PISID sid;
HANDLE handle;
ULONG tokenInfoLength;
LONG length;
NTSTATUS NtStatus;

sid = (PISID)&buffer[sizeof(TOKEN_USER)];

NtStatus = ZwOpenThreadTokenEx(NtCurrentThread(), TOKEN_READ, TRUE, OBJ_KERNEL_HANDLE, &handle);
if (NtStatus == STATUS_NO_TOKEN)
{
    NtStatus = ZwOpenThreadTokenEx(NtCurrentProcess(), TOKEN_READ, TRUE, OBJ_KERNEL_HANDLE, &handle);
}

NtStatus = ZwQueryInformationToken(handle, TokenUser, buffer, sizeof(buffer), &tokenInfoLength);
length = tokenInfoLength - sizeof(TOKEN_USER);

DbgPrint("SID (Revision %u, SubAuthorityCount %u):\n", sid->Revision, sid->SubAuthorityCount);
DbgPrint("PsclUtilsGetSid:\tIdentifierAuthority = %u-%u-%u-%u-%u-%u\n",
         sid->IdentifierAuthority.Value[0],
         sid->IdentifierAuthority.Value[1],
         sid->IdentifierAuthority.Value[2],
         sid->IdentifierAuthority.Value[3],
         sid->IdentifierAuthority.Value[4],
         sid->IdentifierAuthority.Value[5]);
if (sid->SubAuthorityCount) {
    ULONG index;
    for (index = 0; index < sid->SubAuthorityCount; index++)
    {
        DbgPrint("PsclUtilsGetSid:\tSubAuthority = index %d value %u\n", index, sid->SubAuthority[index]);
    }
}

Thank you!

I don’t know why, but now I get this output:

SID (Revision 1, SubAuthorityCount 0):
PsclUtilsGetSid: IdentifierAuthority = 0-0-6-0-0-0

Now the revision is like it should be, but I don’t understand how there can be 0 subauthorities? And what is this IdentifierAuthority?

You don’t care about status, so are you surprised when you dump garbage?

if(NtStatus == STATUS_NO_TOKEN)
{
NtStatus = ZwOpenThreadTokenEx(NtCurrentProcess(), TOKEN_READ, TRUE,
OBJ_KERNEL_HANDLE, &handle);
}

I guess this block should pick up the token associated with the process in case there is no thread-associated token. You call the same API the second time when the first call fails.

-bg

ZwOpenThreadTokenEx(NtCurrentProcess(), -> ZwOpenProcessTokenEx(NtCurrentProcess(),

At 08:27 PM 3/3/2008, xxxxx@gmail.com wrote:

You are right. My source code looks like this:

UCHAR buffer[256];
PISID sid;
HANDLE handle;
ULONG tokenInfoLength;
LONG length;

sid = (PISID)&buffer[sizeof(TOKEN_USER)];
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Try fixing this.

As it stands, you’re printing residual garbage from the stack.

As someone else pointed out, a file system filter is not a good
project to learn C.

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@muttsnuts.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

You were right. My mistake was in the ZwOpenThreadTokenEx function. Thank you very much!

Now when I have the correct SID, is it possible to convert it to a SID String inside the driver? (In order to send it to user mode as a string.)

Thanks!

Here’s the routine I wrote to convert a SID to a string. (Note that SID_MAX_SUB_AUTHORITIES = 15).

PWCHAR
SidToString( PISID pSid )
//
// Convert a SID to a wide-character string. The resulting string must be freed.
//
{
    const ULONG iBytes = ( SID_MAX_SUB_AUTHORITIES * 10 + 2 + 10 + 10 + 4 ) * sizeof(WCHAR); // 352
    WCHAR subauth[16];
    PWCHAR pSidOut;
    ULONG ia;
    int i;

    //
    // Allocate the string.
    //
    pSidOut = ExAllocatePoolWithTag( NonPagedPool, iBytes, '1sKF' );
    if( NULL == pSidOut )
        return NULL;

    //
    // BIG NOTE: this function only does SIDs where the identauth is not >= 2^32
    // in a range of 2^48 (Value[0] and Value[1], the high 16 bits, are ignored).
    //
    ia = (pSid->IdentifierAuthority.Value[5]) +
         (pSid->IdentifierAuthority.Value[4] << 8 ) +
         (pSid->IdentifierAuthority.Value[3] << 16) +
         (pSid->IdentifierAuthority.Value[2] << 24);

    RtlStringCbPrintfW( pSidOut, iBytes, L"S-%u-%lu", (unsigned int)pSid->Revision, ia );

    for (i = 0; i < pSid->SubAuthorityCount; i++)
    {
        RtlStringCbPrintfW( subauth, sizeof(subauth), L"-%lu", (unsigned long)pSid->SubAuthority[i]);
        RtlStringCbCatW( pSidOut, iBytes, subauth );
    }

    return pSidOut;
}

HTH,
Ken
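
Added example, not Ken’s routine or anything else posted in this thread: a user-mode C99 model of the SID layout a driver finds in the TOKEN_USER buffer, with a sanity check that rejects a dump like the first one in this thread (Revision 108, 20 sub-authorities) and a string conversion that keeps the full 48-bit identifier authority instead of only the low 32 bits. The sid_t struct, the function names and the sample_sid value (the ProfileList SID quoted above) are my own constructions; no Windows headers are needed.

```c
/* Added example (not the thread's code): user-mode model of the SID layout a
 * driver sees in TOKEN_USER, with a sanity check and a full 48-bit authority
 * string conversion. Plain C99, no Windows headers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_REVISION            1
#define SID_MAX_SUB_AUTHORITIES 15

/* Kernel SID layout: revision, sub-authority count, 6-byte big-endian
 * identifier authority, then 32-bit sub-authorities. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* A real SID has Revision 1 and at most 15 sub-authorities; the thread's
 * first dump (Revision 108, count 20) fails both, i.e. it is not a SID. */
int sid_is_valid(const sid_t *sid)
{
    return sid->Revision == SID_REVISION &&
           sid->SubAuthorityCount <= SID_MAX_SUB_AUTHORITIES;
}

/* Writes "S-<rev>-<authority>[-<sub>]..." into out. The authority is read
 * most-significant byte first, so all 48 bits survive (Ken's routine keeps
 * only the low 32). Returns 0 on success, -1 if invalid or out is too small. */
int sid_to_string(const sid_t *sid, char *out, size_t outlen)
{
    uint64_t ia = 0;
    int n, i;

    if (!sid_is_valid(sid))
        return -1;
    for (i = 0; i < 6; i++)
        ia = (ia << 8) | sid->IdentifierAuthority[i];
    n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid->Revision, (unsigned long long)ia);
    for (i = 0; i < sid->SubAuthorityCount && n >= 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - (size_t)n, "-%lu",
                      (unsigned long)sid->SubAuthority[i]);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Constructed sample: the account SID the poster saw under ProfileList. */
const sid_t sample_sid = {
    1, 5, {0, 0, 0, 0, 0, 5}, {21, 1343024091, 1292428093, 839522115, 500}
};
```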

Ken Cross wrote:

and if you use Ken’s code, don’t forget to change that pool tag.

I am trying to use this function but I get a blue screen at the line of:
RtlStringCbPrintfW(pSidOut, iBytes, L"S-%u-%lu", (unsigned int)sid->Revision, ia);

What can be the reason?

Running at dispatch level are we :)

wrote in message news:xxxxx@ntfsd…
>I am trying to use this function but I get a blue screen at the line of:
> RtlStringCbPrintfW(pSidOut, iBytes, L"S-%u-%lu", (unsigned
> int)sid->Revision, ia);
>
> What can be the reason?
>

Can you explain yourself? Is it related to the pool tag?

Thank you!

At 06:33 AM 3/5/2008, xxxxx@gmail.com wrote:

Can you explain yourself? Is it related to the pool tag?

Thank you!

Sorry, but if you don’t understand something as basic a term as
DISPATCH_LEVEL then you should do a lot of homework because I think
you’ve now pretty much reached your credit (and credibility)
limit. And the other thing you really need to learn to do is how to
run a remote debugger.

xxxxx@gmail.com wrote:

Can you explain yourself? Is it related to the pool tag?

Nope, I mentioned that you change the pool tag because that is a tag that Ken is using in his drivers. You should use something unique - this will make it easier to debug your memory errors when you use your own tag, plus I don’t think Ken needs errors in your drivers appearing to some people as if it was his driver’s error.

Simply stating your driver blue screened the system isn’t enough for anyone to help you. There are a million reasons a system can blue screen. If you have a question about a blue screen, you need to load the correct symbols and then post the output of windbg’s “!analyze -v”. Without this information, it’s kinda like asking a mechanic what is wrong with your car and only telling him, “my car broke down” and not letting him have a look under the hood.

Regarding Lyndon’s comments about DISPATCH_LEVEL, when you received the blue screen was the stop code IRQL_NOT_LESS_OR_EQUAL? If so, this would validate his assumption for the most part.

Hope you’re having fun,

Matt