
OSR Online Lists > ntfsd
  Message 1 of 7  
05 Sep 17 13:36
Mauro Leggieri
xxxxxx@mauroleggieri.com
Join Date: 02 Jun 2016
Posts To This List: 33
Impersonation

Hi,

In my minifilter's PreCreate routine, I have to call FltCreateFileEx. The thread that originated the request may be impersonating, and I need FltCreateFileEx to use the same token. In my experience (maybe my tests are wrong), I had to (re?-)impersonate using SeCreateClientSecurityFromSubjectContext, but it fails if the thread token is identification.

Can anyone tell me if impersonation is lost in the inner call to FltCreateFile?

Regards,
Mauro.
  Message 2 of 7  
06 Sep 17 03:41
rod widdowson
xxxxxx@steadingsoftware.com
Join Date: 11 Sep 2006
Posts To This List: 831
Impersonation

> Can anyone tell me if impersonation is lost in the inner call to
> FltCreateFile?

Not sure that I can confirm or deny, but I always make sure that the SecurityDescriptor is set in InitializeObjectAttributes, and that seems to do the thing.
  Message 3 of 7  
06 Sep 17 09:07
Mauro Leggieri
xxxxxx@mauroleggieri.com
Join Date: 02 Jun 2016
Posts To This List: 33
Impersonation

Hi Rod,

Yes, the SD is set properly, but based on my experience I have to call SeCreateClientSecurityFromSubjectContext. But I am having problems when the thread is using an identification token, because the call to SeCreateClientSecurityFromSubjectContext fails (as expected). No idea if there exists another approach.
  Message 4 of 7  
12 Sep 17 10:38
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 942
List Moderator
Impersonation

What behavior are you seeing that makes you think you need to impersonate? Also, are you setting the IO_FORCE_ACCESS_CHECK bit in your FltCreateFile call?

-scott
OSR
@OSRDrivers
  Message 5 of 7  
18 Sep 17 14:25
Mauro Leggieri
xxxxxx@mauroleggieri.com
Join Date: 02 Jun 2016
Posts To This List: 33
Impersonation

Hi Scott, sorry for the late answer (little illness).

I'm not using the IO_FORCE_ACCESS_CHECK flag. Basically I'm redirecting a folder to another location. Sometimes I see a worker thread that is not impersonating, but the Data->Iopb->Parameters.Create.SecurityContext has the Client and Primary tokens. Other times I see a thread impersonating and a SecurityContext with the same info. In any case I need to pass that info to my FltCreateFileEx, so I use SeCreateClientSecurityFromSubjectContext, but it fails, as expected, if the client token is an identification one. I want to know if there exists some alternative.

Kind regards,
Mauro.
  Message 6 of 7  
19 Sep 17 09:35
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 942
List Moderator
Impersonation

If you're not setting IO_FORCE_ACCESS_CHECK then the request is being treated as a kernel mode call, so the security context doesn't really matter. However, two other questions:

1. What's the RequestorMode of the request that's coming in with a SecurityContext->ClientToken != NULL?

2. What's the call stack for the thread? You said it's a worker thread. Did someone post an IRP_MJ_CREATE to this thread so that it could be handled asynchronously? Or is the create originating from this thread?

-scott
OSR
@OSRDrivers
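The two things Scott's reply turns on (whether IO_FORCE_ACCESS_CHECK is set, and whether the create is still on the requestor's thread or has been posted to a worker thread) decide how a redirecting PreCreate should issue its own FltCreateFileEx, and they also explain why Mauro's identification-token case from the first message cannot be solved by re-impersonating. The block below is an added example, not code from this thread, from OSR, or from Mauro's filter. It is a host-side C model of that decision rather than driver code: the numeric constants are copied from the public Windows headers, `create_request`, `redirect_plan` and `plan_redirected_create` are hypothetical names, and the identification-level failure is modelled with STATUS_BAD_IMPERSONATION_LEVEL as an assumption about what SeCreateClientSecurityFromSubjectContext returns in that case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from the public Windows headers (winnt.h / ntifs.h); everything
 * else in this file is a constructed host-side model, not WDK code. */
#define KernelMode 0
#define UserMode   1
#define SecurityAnonymous      0
#define SecurityIdentification 1
#define SecurityImpersonation  2
#define SecurityDelegation     3
#define IO_FORCE_ACCESS_CHECK          0x0001u
#define STATUS_SUCCESS                 ((int32_t)0x00000000)
#define STATUS_BAD_IMPERSONATION_LEVEL ((int32_t)0xC00000A5)

/* Constructed stand-in for the parts of FLT_CALLBACK_DATA a PreCreate callback
 * reads before issuing its own FltCreateFileEx on the redirect target. */
typedef struct {
    int  requestor_mode;         /* Data->RequestorMode */
    bool on_originating_thread;  /* false if the create was posted to a worker thread */
    bool has_client_token;       /* SubjectSecurityContext.ClientToken != NULL */
    int  client_level;           /* impersonation level of that client token */
} create_request;

/* Whose token the file system will evaluate the target's ACL against. */
typedef enum {
    CHECK_NONE,                  /* kernel-mode request: no access check at all */
    CHECK_CALLER_THREAD,         /* the thread already carries the requestor's token */
    CHECK_IMPERSONATED_CONTEXT   /* filter must impersonate the captured context first */
} check_subject;

typedef struct {
    uint32_t      flags;                /* Flags argument for FltCreateFileEx */
    bool          needs_impersonation;  /* SeCreateClientSecurityFromSubjectContext + SeImpersonateClientEx */
    check_subject subject;
} redirect_plan;

/* Decide how the redirected create must be issued so that it is no more
 * privileged than the create it replaces. Returns an NTSTATUS-style code. */
int32_t plan_redirected_create(const create_request *r, redirect_plan *p)
{
    p->flags = 0;
    p->needs_impersonation = false;
    p->subject = CHECK_NONE;

    /* A kernel-mode request gets no access check either way, so the captured
     * security context is irrelevant to the redirected create. */
    if (r->requestor_mode != UserMode)
        return STATUS_SUCCESS;

    /* A user-mode request must keep its access check; without the flag the
     * filter has turned folder redirection into an ACL bypass on the target. */
    p->flags |= IO_FORCE_ACCESS_CHECK;

    if (r->on_originating_thread) {
        /* Synchronous create: the current thread is the requestor, already
         * impersonating if it was, so the check uses its effective token. */
        p->subject = CHECK_CALLER_THREAD;
        return STATUS_SUCCESS;
    }

    /* Worker thread: its own token is not the requestor's, so the captured
     * SubjectSecurityContext has to be impersonated around the create
     * (and reverted with PsRevertToSelf afterwards). */
    p->needs_impersonation = true;
    if (r->has_client_token && r->client_level < SecurityImpersonation) {
        /* Assumed status, modelled on the failure described in this thread:
         * an identification-level client token cannot be impersonated. */
        return STATUS_BAD_IMPERSONATION_LEVEL;
    }
    p->subject = CHECK_IMPERSONATED_CONTEXT;
    return STATUS_SUCCESS;
}

static const char *subject_name(check_subject s)
{
    return s == CHECK_NONE ? "none (kernel caller)"
         : s == CHECK_CALLER_THREAD ? "current thread's token"
         : "impersonated captured context";
}

int main(void)
{
    /* Constructed sample requests covering the cases raised in the thread. */
    const create_request cases[] = {
        { UserMode,   true,  true,  SecurityImpersonation  },
        { KernelMode, true,  false, SecurityAnonymous      },
        { UserMode,   false, true,  SecurityIdentification },
        { UserMode,   false, true,  SecurityImpersonation  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        redirect_plan p;
        int32_t st = plan_redirected_create(&cases[i], &p);
        printf("case %zu: status 0x%08X flags 0x%04X impersonate=%d check against %s\n",
               i, (unsigned)st, p.flags, p.needs_impersonation, subject_name(p.subject));
    }
    return 0;
}
```

The point the model makes explicit is the one in Scott's first sentence: without IO_FORCE_ACCESS_CHECK the redirected open is a kernel-mode open, so the target's ACL is never consulted no matter which token the thread holds, and impersonation only becomes necessary at all when the create has left the requestor's thread.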
  Message 7 of 7  
19 Sep 17 13:21
Mauro Leggieri
xxxxxx@mauroleggieri.com
Join Date: 02 Jun 2016
Posts To This List: 33
Impersonation

Hi Scott,

I could track the problem deeper, and it is not related to filtering but to this: http://www.osronline.com/showthread.cfm?link=285998

Thank you,
Mauro.
Copyright ©2015, OSR Open Systems Resources, Inc.