STATUS_LOGON_FAILURE returned in FltCreateFile of network file

Hi everyone,

It is my first time posting on the list. I am developing a file system
filter driver and I have found a problem when, within the pre-create of
a network file, I try to perform a FltCreateFile of another network
file in the same directory as the first one. The problem definition
is: given a network file f1.txt located in \\192.168.1.2\testdir, I
perform the creation of a network file f2.txt located in the same
place via FltCreateFile and get STATUS_LOGON_FAILURE as the return status.

The code is:

    // Initialize object attributes
    // AuxiliarFileName is \Device\LanmanRedirector\192.168.1.2\testdir\f2.txt
    InitializeObjectAttributes(&objectAttributes,
                               &streamContext->AuxiliarFileName,
                               OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    // Open/Create file. AuxiliarFileHandle is the PHANDLE that receives the
    // new handle. Note that with FILE_COMPLETE_IF_OPLOCKED the call can
    // return STATUS_OPLOCK_BREAK_IN_PROGRESS, which is a success code that
    // the caller has to handle.
    status = FltCreateFile(FilterHandle,
                           Data->Iopb->TargetInstance,
                           AuxiliarFileHandle,
                           FILE_READ_DATA,
                           &objectAttributes,
                           &ioStatus,
                           (PLARGE_INTEGER) NULL,
                           FILE_ATTRIBUTE_NORMAL,
                           FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                           FILE_OPEN_IF,
                           FILE_COMPLETE_IF_OPLOCKED | FILE_WRITE_THROUGH,
                           NULL,
                           0L,
                           IO_IGNORE_SHARE_ACCESS_CHECK);

The problem seems to be that the filter code is executed in the System
thread context, so the user process's network session privileges are not
passed to the System thread context. Is that right? I have tried to solve
the problem using impersonation, but the problem is not solved and the
status returned is the same: STATUS_LOGON_FAILURE.
The code used for impersonation is the following:

    SECURITY_QUALITY_OF_SERVICE ClientSecurityQos;
    SECURITY_CLIENT_CONTEXT ClientContext;

    ClientSecurityQos.Length = sizeof(ClientSecurityQos);
    ClientSecurityQos.ImpersonationLevel = SecurityDelegation;
    ClientSecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
    ClientSecurityQos.EffectiveOnly = TRUE;

    // Capture the security context of the thread that issued the create
    status = SeCreateClientSecurity(Data->Thread,
                                    &ClientSecurityQos,
                                    FALSE,
                                    &ClientContext);
    if (!NT_SUCCESS(status)) {
        return status;   // keep this status instead of overwriting it below
    }

    // Apply impersonation to the current (calling) thread
    status = SeImpersonateClientEx(&ClientContext, NULL);
    if (!NT_SUCCESS(status)) {
        SeDeleteClientSecurity(&ClientContext);
        return status;
    }

    // trigger FltCreateFile

    // Undo the impersonation once the create has completed, whatever its result
    PsRevertToSelf();
    SeDeleteClientSecurity(&ClientContext);

I don’t really know what I am doing wrong.

Another solution is to open a new session (from System) with the network
in order to get the privileges, but I didn’t find documentation about
how to log in from a file system filter.

I would appreciate any help to solve this problem.

Thanks.
Fran

Do not post to both ntfsd and ntdev. Read the rules for participating in
the OSR newsgroups.

“Fran Baena” wrote in message news:xxxxx@ntdev…

I’m sorry, I didn’t get to that point. It’ll never occur again.

Fran

2010/4/22 David Craig :
> Do not post to both ntfsd and ntdev. Read the rules for participating in
> the OSR newsgroups.

Hi,

How could I check whether the pre-create runs in the process context or in the system context?

If I disable the creation of the f2.txt network file in the
pre-create, the creation of f1.txt finishes successfully. I first log in
to the network location before I perform the create, so the process
context stores the security information needed to access the secured
object, f1.txt.
Is it somehow related to the fact that f2.txt does not exist in the network location?

I tried to perform the impersonation using _FLT_IO_PARAMETER_BLOCK and
FltCreateFile returned the same error: STATUS_LOGON_FAILURE.
The new code for the impersonation is the following:

    SECURITY_QUALITY_OF_SERVICE ClientSecurityQos;
    SECURITY_CLIENT_CONTEXT ClientContext;

    ClientSecurityQos.Length = sizeof(ClientSecurityQos);
    ClientSecurityQos.ImpersonationLevel = SecurityDelegation;
    ClientSecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
    ClientSecurityQos.EffectiveOnly = TRUE;

    // 1. Build a client security context from the subject context that the
    //    I/O manager captured in the create request (the original caller's
    //    identity, even if this callback does not run in the caller's thread)
    status = SeCreateClientSecurityFromSubjectContext(
                 &Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext,
                 &ClientSecurityQos,
                 FALSE,
                 &ClientContext);
    if (!NT_SUCCESS(status)) {
        return status;   // keep this status instead of overwriting it below
    }

    // 2. Apply impersonation to the current thread
    status = SeImpersonateClientEx(&ClientContext, NULL);
    if (!NT_SUCCESS(status)) {
        SeDeleteClientSecurity(&ClientContext);
        return status;
    }

    // ... FltCreateFile ...

    // 3. Revert and release the client context, whatever the create returned
    PsRevertToSelf();
    SeDeleteClientSecurity(&ClientContext);

And I also filled in the new object attributes with:

    objectAttributes.SecurityQualityOfService =
        Data->Iopb->Parameters.Create.SecurityContext->SecurityQos;

with no effect.

Thank you.
Fran
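Putting the two pieces of the thread together, here is an added example that is not code from the original posts: a check for whether the pre-create callback is really running in the thread and process that issued the create (the question asked in the follow-up), and an open of the second file under the security context captured in the create request, with every status checked and the impersonation always reverted. The helper names AuxIsInRequestorContext and AuxOpenAsRequestor, the Filter and AuxName parameters, and the use of FltCreateFileEx in place of FltCreateFile are assumptions for illustration. The example assumes the requestor's token belongs to a logon session that already holds credentials for the share, and it needs the WDK (fltKernel.h) to build.

```c
// Added example, not code from the original post. Helper names, parameter
// names and the use of FltCreateFileEx are assumptions for illustration.
#include <fltKernel.h>

// Hypothetical helper: TRUE when the callback runs in the thread and process
// that issued the create. For IRP_MJ_CREATE the pre-operation callback is
// normally invoked in the requestor's thread, but only this comparison
// tells you for certain; FltGetRequestorProcess returns NULL when the
// requesting process cannot be determined.
static BOOLEAN
AuxIsInRequestorContext(_In_ PFLT_CALLBACK_DATA Data)
{
    PEPROCESS requestor = FltGetRequestorProcess(Data);

    return (Data->Thread == PsGetCurrentThread()) &&
           (requestor != NULL) &&
           (requestor == PsGetCurrentProcess());
}

// Hypothetical helper: open AuxName on the same instance as the create in
// progress, while impersonating the subject context captured in that create.
static NTSTATUS
AuxOpenAsRequestor(
    _In_ PFLT_FILTER Filter,
    _In_ PFLT_CALLBACK_DATA Data,
    _In_ PUNICODE_STRING AuxName,       // e.g. \Device\LanmanRedirector\...\f2.txt
    _Out_ PHANDLE AuxHandle,
    _Out_ PFILE_OBJECT *AuxFileObject)
{
    NTSTATUS status;
    SECURITY_CLIENT_CONTEXT clientContext;
    SECURITY_QUALITY_OF_SERVICE qos;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK ios;
    PSECURITY_SUBJECT_CONTEXT subject =
        &Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext;

    *AuxHandle = NULL;
    *AuxFileObject = NULL;

    // SecurityImpersonation is the level a local server needs to open an
    // object under the client's identity; SecurityDelegation is only for a
    // server that in turn has to act as the client on a remote machine.
    qos.Length = sizeof(qos);
    qos.ImpersonationLevel = SecurityImpersonation;
    qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
    qos.EffectiveOnly = FALSE;  // keep the client's full groups and privileges

    status = SeCreateClientSecurityFromSubjectContext(subject, &qos, FALSE, &clientContext);
    if (!NT_SUCCESS(status)) {
        return status;      // do not continue with the System identity
    }

    status = SeImpersonateClientEx(&clientContext, NULL);
    if (!NT_SUCCESS(status)) {
        SeDeleteClientSecurity(&clientContext);
        return status;
    }

    // The handle is created while impersonating, so it must be a kernel
    // handle: it must not land in the user process's handle table.
    InitializeObjectAttributes(&oa, AuxName,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                               NULL, NULL);

    status = FltCreateFileEx(Filter,
                             Data->Iopb->TargetInstance,   // same instance, same redirector
                             AuxHandle,
                             AuxFileObject,
                             FILE_READ_DATA | SYNCHRONIZE,
                             &oa,
                             &ios,
                             NULL,                         // AllocationSize
                             FILE_ATTRIBUTE_NORMAL,
                             FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                             FILE_OPEN_IF,
                             FILE_SYNCHRONOUS_IO_NONALERT,
                             NULL, 0,                      // no EA buffer
                             IO_IGNORE_SHARE_ACCESS_CHECK);

    // Revert on every path: the callback must never return still impersonating.
    PsRevertToSelf();
    SeDeleteClientSecurity(&clientContext);
    return status;
}
```

The subject context in Data->Iopb->Parameters.Create.SecurityContext was captured by the I/O manager in the requestor's thread when the create was issued, so it identifies the original caller even when the callback runs somewhere else; that is why the example builds the client context from it rather than from Data->Thread. The create issued by FltCreateFileEx is delivered only to the instances attached below Data->Iopb->TargetInstance, so it does not re-enter this filter's own pre-create. Call AuxOpenAsRequestor from the pre-create callback with FltObjects->Filter, and if it succeeds, close the handle with FltClose and dereference the file object with ObDereferenceObject once you are done with them.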