user SID map to READ/WRITE operation?


I’d like to get your help again.

I am trying to monitor the read/write operations on one specific file. My
basic idea is:

  1. In the IRP_MJ_CREATE handling routine, I recover the file name and the
    user SID from the IRP parameters; if the file name matches the target file
    name, I store the file object address AND the user SID in my table.

  2. In the IRP_MJ_READ / IRP_MJ_WRITE handling routine, I compare the file
    object of the current IRP with the file objects stored in the table in
    step 1. If the file object is found in the table, the user who issued the
    read/write operation is identified by the user SID stored with it.

I understand that different processes will get different file objects even
though they have access to the same file. But I am still puzzled by the
following problems:

  1. It seems that when a user clicks on the file icon (or actually reads the
    file), many file objects are created; I guess one truly belongs to the
    user and the others belong to system processes.
    When another user does the same thing, might those system processes be
    shared by the two users?

  2. In step 2 above, I use "IrpSp->FileObject == table[i].FileObject" to
    compare the file objects. Is that right?

  3. As we know, we can't get the user SID or owner SID in IRP_MJ_READ /
    IRP_MJ_WRITE; we have to get it from IRP_MJ_CREATE. If my idea is wrong,
    how could I map the user SID to its operation (read/write)?

These questions have puzzled me for a long time; your help is highly appreciated!
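The tracking table sketched in steps 1 and 2, as an added user-mode model that is not from the original post: the FILE_OBJECT pointer and the SID string are stand-ins for what a real filter would take from IrpSp->FileObject and from the create's security context, and the table is a fixed-size array. The point it adds is the lifecycle: an entry must be dropped at IRP_MJ_CLOSE, because a freed FILE_OBJECT address can be reused for a later open by a different user.

```c
#include <stddef.h>
#include <string.h>

/* Added example: per-file-object attribution table keyed on the FILE_OBJECT
 * address. In a driver the key would be IrpSp->FileObject; here it is an
 * opaque pointer and the SID is a constructed string such as "S-1-5-21-...". */
#define TABLE_SIZE 8
#define SID_MAX 64

typedef struct {
    const void *file_object;   /* key: FILE_OBJECT address seen at create */
    char sid[SID_MAX];         /* requestor SID captured at IRP_MJ_CREATE */
    int in_use;
} TrackEntry;

static TrackEntry g_table[TABLE_SIZE];

/* IRP_MJ_CREATE (after a successful open of the target file): remember who
 * opened this file object. The SID is captured here because later reads and
 * writes may run in the system process (cache manager, paging I/O). */
int track_create(const void *file_object, const char *sid) {
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!g_table[i].in_use) {
            g_table[i].file_object = file_object;
            strncpy(g_table[i].sid, sid, SID_MAX - 1);
            g_table[i].sid[SID_MAX - 1] = '\0';
            g_table[i].in_use = 1;
            return 1;
        }
    }
    return 0; /* table full: this open is unattributed, so log it */
}

/* IRP_MJ_READ / IRP_MJ_WRITE: pointer equality on the file object is the
 * correct key, since every open produces a distinct FILE_OBJECT. */
const char *lookup_sid(const void *file_object) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (g_table[i].in_use && g_table[i].file_object == file_object)
            return g_table[i].sid;
    return NULL; /* a file object this filter never saw created */
}

/* IRP_MJ_CLOSE: drop the entry. Without this, the same address handed out
 * for a new FILE_OBJECT would be attributed to the previous user. */
void untrack_close(const void *file_object) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (g_table[i].in_use && g_table[i].file_object == file_object)
            g_table[i].in_use = 0;
}
```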