  Message 1 of 3  
29 Jan 18 04:45
Mark Sharpe
xxxxxx@gmail.com
Join Date: 29 Jan 2018
Posts To This List: 2
UNC Path - requestor process

Hello list,

I am working on a minifilter which logs who (process) opened a given file. I noticed that if I open the file using a UNC path, e.g. \\localhost\c$\monitoredDir\monitoredFile.ext, the requestor process is system. I'm not monitoring FILE_DEVICE_NETWORK_FILE_SYSTEM file objects.

I understand this is because of how redirection works (as this could be a network path):

    PRE Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] - app.exe (not monitored file object, fo1)
    PRE Create [\device\harddiskvolume1\localhost\monitoredDir\monitoredFile.ext] - system (monitored file object, fo2)
    POST Create [\device\harddiskvolume1\localhost\monitoredDir\monitoredFile.ext] - system (monitored file object)
    POST Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] - app.exe (not monitored file object)

I need to find a reliable way to get the real requestor process of the monitored file object. I was trying to connect those 2 file objects (fo1, fo2) to get the real requestor process of fo2, but it looks like they are independent, which makes sense. I focused on local FS file objects as it is easier to determine whether they are interesting or not, based on their paths. I could probably compare the paths of fo1 and fo2 somewhere between the 1st PRE create and the 1st POST create, but I am not sure if that is a good idea.

Is there a way to get the real requestor of fo2? Or should I change my thinking and try to determine whether the fo1 path is local and interesting to me?

I would be very grateful for any help,
Mark
  Message 2 of 3  
29 Jan 18 14:58
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 313
UNC Path - requestor process

You need to think about it one step further. What if you had a share on the OS your minifilter is installed on and some computer on the network accesses the share? There is no way to tell which "process" on the computer on the network is requiring access. All you can hope for is to associate the FO_REMOTE_ORIGIN flag in the FileObject so as to know that the file has been opened over the network.

You could alternatively try to look at the system-defined ECPs [1] and see if any of the ones there help you in any way, although I doubt it.

[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/system-defined-ecps

Cheers,
Gabriel
www.kasardia.com

On Mon, Jan 29, 2018 at 10:46 AM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
> Hello list,
>
> I am working on a minifilter which logs who (process) opened a given file.
> I noticed that if open the file using unc path e.g.
> \\localhost\c$\monitoredDir\monitoredFile.ext the requestor process is
> system, I'm not monitoring FILE_DEVICE_NETWORK_FILE_SYSTEM file objects.
>
> I understand this is because of how redirection works (as this could be
> network path):
> PRE Create [\device\mup\localhost\c$\monitoredDir\monitoredFile.ext] -
<...excess quoted lines suppressed...>

--
Bercea. G.
--
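Added illustration, not code from the thread or from either poster: a user-mode C model of the attribution decision a PreCreate callback could make from the fields the reply above mentions (device type, FO_REMOTE_ORIGIN, the requestor PID, and whether the SRV open ECP is present). The constants are the WDK values; the sample events are constructed from the trace in the first message, and the assumption that the loopback open arrives with FO_REMOTE_ORIGIN set and GUID_ECP_SRV_OPEN attached is mine, not something the page states.

```c
#include <stdint.h>
#include <stdio.h>
/* Device type and FILE_OBJECT flag values as defined in the WDK headers. */
#define FILE_DEVICE_DISK_FILE_SYSTEM    0x00000008
#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014
#define FO_REMOTE_ORIGIN                0x01000000

/* Subset of what a PreCreate callback can observe for one open (model's own field names). */
typedef struct {
    const char *path;          /* name as resolved by FltGetFileNameInformation */
    uint32_t    deviceType;    /* DeviceType of the volume the instance is attached to */
    uint32_t    foFlags;       /* FILE_OBJECT.Flags */
    uint32_t    requestorPid;  /* FltGetRequestorProcessId() */
    int         hasSrvOpenEcp; /* GUID_ECP_SRV_OPEN found in the create's ECP list */
} CreateEvent;

typedef enum {
    ATTR_SKIP,           /* redirector-side object (MUP path): not a local file, do not log */
    ATTR_LOCAL_PROCESS,  /* requestorPid really is the opener */
    ATTR_REMOTE_SRV,     /* opened by the server service; log share/client from the SRV ECP */
    ATTR_REMOTE_UNKNOWN  /* remote origin but nothing available to attribute it with */
} Attribution;

Attribution ClassifyCreate(const CreateEvent *e)
{
    if (e->deviceType == FILE_DEVICE_NETWORK_FILE_SYSTEM)
        return ATTR_SKIP;
    if (e->foFlags & FO_REMOTE_ORIGIN)   /* System PID here names srv, not the real opener */
        return e->hasSrvOpenEcp ? ATTR_REMOTE_SRV : ATTR_REMOTE_UNKNOWN;
    return ATTR_LOCAL_PROCESS;
}

/* Constructed sample: the two PRE creates from the thread's trace plus a direct local open.
 * PIDs and the flag/ECP state of the loopback open (fo2) are assumptions. */
const CreateEvent kSample[3] = {
    { "\\device\\mup\\localhost\\c$\\monitoredDir\\monitoredFile.ext",
      FILE_DEVICE_NETWORK_FILE_SYSTEM, 0, 4321, 0 },              /* fo1, app.exe */
    { "\\device\\harddiskvolume1\\localhost\\monitoredDir\\monitoredFile.ext",
      FILE_DEVICE_DISK_FILE_SYSTEM, FO_REMOTE_ORIGIN, 4, 1 },     /* fo2, System */
    { "\\device\\harddiskvolume1\\monitoredDir\\monitoredFile.ext",
      FILE_DEVICE_DISK_FILE_SYSTEM, 0, 4321, 0 },                 /* plain local open */
};

int main(void)
{
    static const char *names[] = { "skip", "local-process", "remote-via-srv-ecp", "remote-unknown" };
    for (int i = 0; i < 3; i++)
        printf("%-68s pid=%-5u -> %s\n", kSample[i].path, kSample[i].requestorPid,
               names[ClassifyCreate(&kSample[i])]);
    return 0;
}
```

The point of the model is the middle branch: once FO_REMOTE_ORIGIN is set, the PID from FltGetRequestorProcessId is the server service and should not be logged as the opener.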
  Message 3 of 3  
30 Jan 18 05:11
Mark Sharpe
xxxxxx@gmail.com
Join Date: 29 Jan 2018
Posts To This List: 2
UNC Path - requestor process

Thank you Gabriel,

Good point, I was focusing on local files accessed "remote-way", but that case will make it even harder to link together the mentioned file objects. I will try your suggestions and update if it helps.

Best Regards,
Mark

2018-01-29 20:56 GMT+01:00 Gabriel Bercea <xxxxx@gmail.com> <xxxxx@lists.osr.com>:
> You need to think about it one step further.
> What if you had a share on the OS your minifilter is installed and some
> computer on the network accesses the share. There is no way to tell which
> "process" on the computer on the network is requiring access.
> All you can hope for is to associate the FO_REMOTE_ORIGIN flag in the
> FileObject as to know that the file has been opened over the network.
> You could alternatively try to look at the syste-defined ECPs[1] and see
> if any of the ones there help you in any way although I doubt it.
>
> [1] https://docs.microsoft.com/en-us/windows-hardware/drivers/
<...excess quoted lines suppressed...>

--