SID of a remote user.

Hi,

I am trying to find the SID of a remote user.

I am using the filespy example, and looking in User mode at the reported
thread ID of shared files that were accessed by a remote user. When trying
to get the thread’s Token via the OpenThreadToken( htr, TOKEN_QUERY, FALSE,
&ht ) call it fails constantly with error 1008 (ERROR_NO_TOKEN) which
implies that the thread does not impersonate.

I will appreciate any help in solving the problem.

Thanks,
Rani.

Rani:

The procedure I use that works fine is:

  1. Call PsReferenceImpersonationToken(). If null, then the thread is not
    impersonating.

  2. If the thread is the system process, then call SeQueryInformationToken()
    for TokenSource.

  3. If the TokenSource is “NtLmSsp”, then this is a remote user (per the IFS
    FAQ from osronline.com).

  4. Call SeQueryInformationToken() for TokenUser.

  5. Get a copy of the SID for your own use (RtlLengthSid(),
    ExAllocatePoolWithTag(), RtlCopySid() – be sure to de-allocate it when
    you’re done with it).

  6. Call PsDereferenceImpersonationToken() when you’re done with the token.

You must be in the correct user context, too. I only call this during the
pre-Create and pre-SetInformation callbacks in my minifilter driver.

HTH,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ran M. Bittmann
Sent: Sunday, February 27, 2005 7:28 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] SID of a remote user.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
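
Added example, not part of the original thread and not Ken's code: a user-mode C model of steps 3 and 5 of the procedure above, showing a fixed-width TokenSource name comparison and a length-checked SID copy with string rendering for logging. The function names, the constructed sample SID, and accepting either NUL or space as the eighth SourceName byte are assumptions; in a driver the copy would use RtlLengthSid(), ExAllocatePoolWithTag() and RtlCopySid() as listed in step 5.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: S-1-5-21-1-2-3-1001 in binary SID layout. */
static const uint8_t SAMPLE_SID[] = {
    1, 5, 0, 0, 0, 0, 0, 5,                 /* revision, count, authority */
    21, 0, 0, 0,  1, 0, 0, 0,  2, 0, 0, 0,  /* sub-authorities, little-endian */
    3, 0, 0, 0,  0xE9, 0x03, 0, 0 };

/* Step 3: SourceName is a fixed 8-char field, so compare by width.
   Accepting NUL or space in the last byte is an assumption. */
int is_ntlmssp_source(const char name[8])
{
    return memcmp(name, "NtLmSsp", 7) == 0 && (name[7] == '\0' || name[7] == ' ');
}

/* 8 header bytes + 4 per sub-authority; 0 if malformed or past the buffer. */
size_t sid_length(const uint8_t *sid, size_t avail)
{
    if (avail < 8 || sid[0] != 1 || sid[1] > 15) return 0;
    size_t len = 8 + 4u * sid[1];
    return len <= avail ? len : 0;
}

/* Step 5: private copy that outlives the token buffer; caller frees it. */
uint8_t *sid_copy(const uint8_t *sid, size_t avail, size_t *out_len)
{
    size_t len = sid_length(sid, avail);
    uint8_t *copy = len ? malloc(len) : NULL;
    if (copy) { memcpy(copy, sid, len); *out_len = len; }
    return copy;
}

/* Render S-<rev>-<authority>-<sub>... for logging; returns 0 on success. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t cap)
{
    if (sid_length(sid, len) == 0) return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i]; /* big-endian */
    int n = snprintf(out, cap, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    for (unsigned i = 0; i < sid[1]; i++) {
        if (n < 0 || (size_t)n >= cap) return -1;   /* output buffer too small */
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
        n += snprintf(out + n, cap - (size_t)n, "-%lu", (unsigned long)sub);
    }
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}
```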
