Lars:
You may be reaching the point of diminishing returns.
If you’re only talking about conditions during startup, why fool with it?
Why not just go ahead and try it and post the thread if it fails (or don’t
try it and just *always* post the thread)?
Ken
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lars Karlsson
Sent: Thursday, August 11, 2005 10:20 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] ZwSetSecurityObject - Impersonation and credentials
Hi Ken,
Thanks for the advice. This works in most cases, yes. But it doesn’t
solve the problem on XP SP2 during start up and the load of the
registry hives and creation of the registry hives log files.
In this case I’m in the following thread when I need to create the
file and set the administrator as owner:
THREAD 89cf25f0 Cid 0004.027c Teb: 00000000 Win32Thread: 00000000
RUNNING on processor 1
IRP List:
89d1ae48: (0006,01b4) Flags: 00000830 Mdl: 00000000
Not impersonating
DeviceMap e10021a0
Owning Process 8a480830 Image: System
Wait Start TickCount 646 Ticks: 2 (0:00:00:00.031)
Context Switch Count 38
UserTime 00:00:00.0000
KernelTime 00:00:00.0046
Start Address nt!CmpLoadHiveThread (0x8094e1ac)
Stack Init ba57b000 Current ba57a174 Base ba57b000 Limit ba578000 Call
0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
The call stack before my driver is:
fltMgr!FltpPerformPreCallbacks+0x2d4 (FPO: [Non-Fpo])
fltMgr!FltpPassThroughInternal+0x32 (FPO: [Non-Fpo])
fltMgr!FltpPassThrough+0x1df (FPO: [Non-Fpo])
fltMgr!FltpFsControl+0xbb (FPO: [Non-Fpo])
nt!IopfCallDriver+0x31 (FPO: [0,0,0])
nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo])
nt!IopXxxControlFile+0x5c5 (FPO: [Non-Fpo])
nt!NtFsControlFile+0x2a (FPO: [Non-Fpo])
nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ ba57aab4)
nt!ZwFsControlFile+0x11 (FPO: [10,0,0])
nt!CmpOpenHiveFiles+0x1c9 (FPO: [Non-Fpo])
nt!CmpInitHiveFromFile+0x12a (FPO: [Non-Fpo])
nt!CmpLoadHiveThread+0x19f (FPO: [Non-Fpo])
nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
nt!KiThreadStartup+0x16
In this thread, the IoIsSystemThread() returns TRUE and
ZwSetSecurityObject still fails with STATUS_INVALID_OWNER. Posting to
a worker thread solves this error.
Is there a way to tell it will fail in this case as well?
// Lars
On Thu, 11 Aug 2005 09:11:37 -0400, “Ken Cross”
wrote:
>You might use IoIsSystemThread() to determine if you have sufficient
>credentials.
>
>Ken
>
>
>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com] On Behalf Of Lars Karlsson
>Sent: Thursday, August 11, 2005 9:01 AM
>To: Windows File Systems Devs Interest List
>Subject: [ntfsd] ZwSetSecurityObject - Impersonation and credentials
>
>Hi,
>
>I’m having a problem in my mini filter when setting the administrator
>as owner using ZwSetSecurityObject on a file (locally) created in the
>same thread by my mini filter.
>
>I have set all necessary privileges (SE_BACKUP_PRIVILEGE,
>SE_RESTORE_PRIVILEGE, SE_TAKE_OWNERSHIP_PRIVILEGE) and all necessary
>flags set in FltCreateFile.
>
>Sometimes (very seldom), this fails with STATUS_INVALID_OWNER (even
>though the owner is perfectly correct). However, if I post to a system
>worker queue and reissue the call, it goes through with no error.
>
>I’ve been told that the reason for this is that I’m in an
>impersonation thread that doesn’t have sufficient credentials.
>
>Further I’ve been told that even with restore privilege, calling from
>kernel mode, it still depends upon the impersonation token in the
>thread context.
>
>Is there a way for me to figure out when I need to post the
>ZwSetSecurityObject to a system worker? Of course, I can check if it
>returns with STATUS_INVALID_OWNER and post in case of error, but it
>would be very for me if I can figure out that I’m in a thread without
>the sufficient credentials and post before the error has occured.
>
>// Lars
>
>—
>Questions? First check the IFS FAQ at
>https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@comcast.net
>To unsubscribe send a blank email to xxxxx@lists.osr.com
>
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com