In which IRPs can I retrieve the SID of the user?

Hello,

I am trying to retrieve the SID in a few IRPs, and it does not work in every IRP…
It works in IRP_MJ_CREATE and IRP_MJ_SET_INFORMATION, but it doesn’t work in
IRP_MJ_WRITE. What can be the reason I can’t retrieve the SID in the write IRP?
I retrieve it this way:

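    /* Buffer size is an assumption: TOKEN_USER header plus the largest possible SID. */
    UCHAR buffer[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE];
    PISID sid;
    HANDLE handle;
    ULONG tokenInfoLength;
    NTSTATUS NtStatus;

    /* Open the current thread's (impersonation) token, or fall back to the process token. */
    NtStatus = ZwOpenThreadTokenEx(NtCurrentThread(), TOKEN_READ, TRUE, OBJ_KERNEL_HANDLE, &handle);
    if (NtStatus == STATUS_NO_TOKEN)
    {
        NtStatus = ZwOpenProcessTokenEx(NtCurrentProcess(), TOKEN_READ, OBJ_KERNEL_HANDLE, &handle);
    }

    if (NT_SUCCESS(NtStatus))
    {
        NtStatus = ZwQueryInformationToken(handle, TokenUser, buffer, sizeof(buffer), &tokenInfoLength);
        if (NT_SUCCESS(NtStatus))
        {
            /* Read the SID through the TOKEN_USER header instead of assuming its offset. */
            sid = (PISID)((PTOKEN_USER)buffer)->User.Sid;
        }
        ZwClose(handle);  /* the token handle must not be leaked */
    }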

Thanks in advance!

The only IRP you can trust for user information is IRP_MJ_CREATE. Things
like write can be in arbitrary thread context, and even if the call works
you can get the wrong SID. Get the data on the create, and save it away
associated with the FILE_OBJECT.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

You can only do this in MJ_CREATE, and then associate the access decisions
you have made with a file object.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

And even in MJ_CREATE, the current thread’s token must not be used, but
Parameters.Create.SecurityContext must be used instead.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Alright! Thank you!

One question: Why do you try to get the SID in IRPs other than IRP_MJ_CREATE?
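
The advice in the replies above (take the requestor's identity from Parameters.Create.SecurityContext in IRP_MJ_CREATE, save it with the FILE_OBJECT, and read the saved copy in later IRPs) is shown here as a small user-mode C model. This is an added example, not code from any poster in the thread and not driver code: the Token, FileObject and CreateSec types, the function names and the SIDs are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>
/* User-mode model, NOT driver code. Each type is a hypothetical stand-in
   for the kernel object named beside it; the SIDs are constructed samples. */
typedef struct { const char *user_sid; } Token;       /* access token */
typedef struct { int id; } FileObject;                /* FILE_OBJECT */
typedef struct { const Token *requestor; } CreateSec; /* Parameters.Create.SecurityContext */
static const Token *g_thread_token;  /* token of the thread a handler runs on */
static struct { const FileObject *fo; char sid[64]; } g_ctx[8];
#define NCTX (sizeof g_ctx / sizeof g_ctx[0])

/* IRP_MJ_CREATE: copy the requestor SID from the create's security context
   (never from g_thread_token) and key the copy by file object. */
int on_create(const FileObject *fo, const CreateSec *sc) {
    if (strlen(sc->requestor->user_sid) >= sizeof g_ctx[0].sid) return -1;
    for (size_t i = 0; i < NCTX; i++)
        if (g_ctx[i].fo == NULL) {
            strcpy(g_ctx[i].sid, sc->requestor->user_sid);
            g_ctx[i].fo = fo;
            return 0;
        }
    return -1;  /* table full */
}

/* Later IRPs (write, set-information): return the SID saved at create. */
const char *saved_sid(const FileObject *fo) {
    for (size_t i = 0; i < NCTX; i++)
        if (g_ctx[i].fo == fo) return g_ctx[i].sid;
    return NULL;
}

/* IRP_MJ_CLOSE: the file object is going away, so drop its entry. */
void on_close(const FileObject *fo) {
    for (size_t i = 0; i < NCTX; i++)
        if (g_ctx[i].fo == fo) g_ctx[i].fo = NULL;
}
/* The pattern from the question: ask the current thread who it is. */
const char *naive_sid(void) { return g_thread_token->user_sid; }
static const Token g_user = { "S-1-5-21-1111111111-2222222222-3333333333-1001" };
static const Token g_worker = { "S-1-5-18" };  /* assumption: write runs on a system thread */
static const FileObject g_file = { 1 };
int main(void) {
    CreateSec sc = { &g_user };
    g_thread_token = &g_user;
    if (on_create(&g_file, &sc) != 0) return 1;
    g_thread_token = &g_worker;  /* the write arrives in another thread context */
    printf("naive: %s\nsaved: %s\n", naive_sid(), saved_sid(&g_file));
    return 0;
}
```

In the model the write is handled while a different token is current, so the naive lookup reports the worker's SID while the per-file-object copy still names the user who opened the file.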