ZwSetSecurityObject returns STATUS_INVALID_OWNER

NTFSD
1

NTFSD Folk:

I’m having a problem trying to set the owner of a file in my mini-filter.

In the driver post-cleanup routine, I copy the file , which works fine. But
I want to set the ownership of the copy to the same as the original file
(using ZwSetSecurityObject).

I’m getting STATUS_INVALID_OWNER, which means “The SID provided for the
owner of the target security descriptor is not one the caller is authorized
to assign as the owner of an object”.

It’s running in the system thread context via FltQueueDeferredIoWorkItem,
and the SID that it’s trying to set is correct and valid. The copy was
created using FltCreateFile.

I couldn’t find a good way to get into the user context of the calling
thread (KeStackAttachProcess has all sorts of dire warnings), and apparently
the system thread doesn’t have sufficient privileges to set the owner (???).

Doesn’t the system thread have SE_TAKE_OWNERSHIP_NAME? Or is there a good
way to switch to the user context (like FLT_PREOP_SYNCHRONIZE from the
pre-cleanup routine)?

I’m hoping I just did something stupid…

Thanks,
Ken

2

Ken Cross wrote:

In the driver post-cleanup routine, I copy the file , which works fine. But
I want to set the ownership of the copy to the same as the original file
(using ZwSetSecurityObject).

I’m getting STATUS_INVALID_OWNER
>

Just a clarifying question: This is a LOCAL file, yes? Not one located
on a remote system accessed across the network?

Who does the system report as owner of the copy of the file?

Peter
OSR

3

Yes, it’s a local file. The owner of the file is S-1-5-32-544
(Administrators built-in group). I’m guessing that that’s the default owner
for a system thread, which doesn’t really have a SID (I don’t think?).

FWIW, this is on XP SP2.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Viscarola
(OSR)
Sent: Thursday, December 30, 2004 11:03 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Ken Cross wrote:

In the driver post-cleanup routine, I copy the file , which works fine.
But
I want to set the ownership of the copy to the same as the original file
(using ZwSetSecurityObject).

I’m getting STATUS_INVALID_OWNER
>

Just a clarifying question: This is a LOCAL file, yes? Not one located
on a remote system accessed across the network?

Who does the system report as owner of the copy of the file?

Peter
OSR

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

4

Ken,

In minifilters create operations are always synchronized by default.
This means your post-create routine is always called in the context of
the originating thread and is always guaranteed to be at passive level.
This means you don’t need to queue the request to a worker routine
unless you are trying to do this asynchronously.

Have you tried temporarily granting yourself
SE_TAKE_OWNERSHIP_PRIVILEGE. I have not verified this but it is
possible that system threads don’t have this privilege enabled by
default.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: Thursday, December 30, 2004 8:50 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Yes, it’s a local file. The owner of the file is S-1-5-32-544
(Administrators built-in group). I’m guessing that that’s the default
owner
for a system thread, which doesn’t really have a SID (I don’t think?).

FWIW, this is on XP SP2.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Viscarola
(OSR)
Sent: Thursday, December 30, 2004 11:03 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Ken Cross wrote:

In the driver post-cleanup routine, I copy the file , which works
fine.
But
I want to set the ownership of the copy to the same as the original
file
(using ZwSetSecurityObject).

I’m getting STATUS_INVALID_OWNER
>

Just a clarifying question: This is a LOCAL file, yes? Not one located
on a remote system accessed across the network?

Who does the system report as owner of the copy of the file?

Peter
OSR

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

5

Neal:

The problem is that I’m running in “the driver post-cleanup routine”, not
post-create. Basically, I’m making a copy of the file the user just closed.
That’s where it’s encountering the problem, and why I need a worker routine
(to run at PASSIVE_LEVEL), hence not in the user context.

I still haven’t figured out how to fix this, either. Is there a way to give
system threads SE_TAKE_OWNERSHIP_NAME? Or is there a good way to switch to
the user context from post-cleanup?

Thanks,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Neal Christiansen
Sent: Sunday, January 09, 2005 4:26 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Ken,

In minifilters create operations are always synchronized by default.
This means your post-create routine is always called in the context of
the originating thread and is always guaranteed to be at passive level.
This means you don’t need to queue the request to a worker routine
unless you are trying to do this asynchronously.

Have you tried temporarily granting yourself
SE_TAKE_OWNERSHIP_PRIVILEGE. I have not verified this but it is
possible that system threads don’t have this privilege enabled by
default.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: Thursday, December 30, 2004 8:50 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Yes, it’s a local file. The owner of the file is S-1-5-32-544
(Administrators built-in group). I’m guessing that that’s the default
owner
for a system thread, which doesn’t really have a SID (I don’t think?).

FWIW, this is on XP SP2.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Viscarola
(OSR)
Sent: Thursday, December 30, 2004 11:03 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Ken Cross wrote:

In the driver post-cleanup routine, I copy the file , which works
fine.
But
I want to set the ownership of the copy to the same as the original
file
(using ZwSetSecurityObject).

I’m getting STATUS_INVALID_OWNER
>

Just a clarifying question: This is a LOCAL file, yes? Not one located
on a remote system accessed across the network?

Who does the system report as owner of the copy of the file?

Peter
OSR

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

6

Did you try to impersonate client’s SECURITY_CLINET_CONTEXT in system worker
thread (SeImpersonateClientEx)?
WBR Primoz

-----Original Message-----
From: Ken Cross [mailto:xxxxx@comcast.net]
Sent: Sunday, January 09, 2005 3:04 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Neal:

The problem is that I’m running in “the driver post-cleanup routine”, not
post-create. Basically, I’m making a copy of the file the user just closed.
That’s where it’s encountering the problem, and why I need a worker routine
(to run at PASSIVE_LEVEL), hence not in the user context.

I still haven’t figured out how to fix this, either. Is there a way to give
system threads SE_TAKE_OWNERSHIP_NAME? Or is there a good way to switch to
the user context from post-cleanup?

Thanks,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Neal Christiansen
Sent: Sunday, January 09, 2005 4:26 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Ken,

In minifilters create operations are always synchronized by default.
This means your post-create routine is always called in the context of
the originating thread and is always guaranteed to be at passive level.
This means you don’t need to queue the request to a worker routine
unless you are trying to do this asynchronously.

Have you tried temporarily granting yourself
SE_TAKE_OWNERSHIP_PRIVILEGE. I have not verified this but it is
possible that system threads don’t have this privilege enabled by
default.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: Thursday, December 30, 2004 8:50 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Yes, it’s a local file. The owner of the file is S-1-5-32-544
(Administrators built-in group). I’m guessing that that’s the default
owner
for a system thread, which doesn’t really have a SID (I don’t think?).

FWIW, this is on XP SP2.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Viscarola
(OSR)
Sent: Thursday, December 30, 2004 11:03 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Ken Cross wrote:

In the driver post-cleanup routine, I copy the file , which works
fine.
But
I want to set the ownership of the copy to the same as the original
file
(using ZwSetSecurityObject).

I’m getting STATUS_INVALID_OWNER
>

Just a clarifying question: This is a LOCAL file, yes? Not one located
on a remote system accessed across the network?

Who does the system report as owner of the copy of the file?

Peter
OSR

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@hermes.si
To unsubscribe send a blank email to xxxxx@lists.osr.com

7

Good suggestion – that might work. It gets messy when the user is remote,
though (we’d be impersonating NtLmSsp in that case, so will probably require
special handling).

ZwSetSecurityObject would be much more straightforward (if it worked),
but…

Thanks,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Primoz Beltram
Sent: Monday, January 10, 2005 2:30 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Did you try to impersonate client’s SECURITY_CLIENT_CONTEXT in system worker
thread (SeImpersonateClientEx)?
WBR Primoz

-----Original Message-----
From: Ken Cross [mailto:xxxxx@comcast.net]
Sent: Sunday, January 09, 2005 3:04 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Neal:

The problem is that I’m running in “the driver post-cleanup routine”, not
post-create. Basically, I’m making a copy of the file the user just closed.
That’s where it’s encountering the problem, and why I need a worker routine
(to run at PASSIVE_LEVEL), hence not in the user context.

I still haven’t figured out how to fix this, either. Is there a way to give
system threads SE_TAKE_OWNERSHIP_NAME? Or is there a good way to switch to
the user context from post-cleanup?

Thanks,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Neal Christiansen
Sent: Sunday, January 09, 2005 4:26 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Ken,

In minifilters create operations are always synchronized by default.
This means your post-create routine is always called in the context of
the originating thread and is always guaranteed to be at passive level.
This means you don’t need to queue the request to a worker routine
unless you are trying to do this asynchronously.

Have you tried temporarily granting yourself
SE_TAKE_OWNERSHIP_PRIVILEGE. I have not verified this but it is
possible that system threads don’t have this privilege enabled by
default.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ken Cross
Sent: Thursday, December 30, 2004 8:50 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Yes, it’s a local file. The owner of the file is S-1-5-32-544
(Administrators built-in group). I’m guessing that that’s the default
owner
for a system thread, which doesn’t really have a SID (I don’t think?).

FWIW, this is on XP SP2.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Viscarola
(OSR)
Sent: Thursday, December 30, 2004 11:03 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] ZwSetSecurityObject returns STATUS_INVALID_OWNER

Ken Cross wrote:

In the driver post-cleanup routine, I copy the file , which works
fine.
But
I want to set the ownership of the copy to the same as the original
file
(using ZwSetSecurityObject).

I’m getting STATUS_INVALID_OWNER
>

Just a clarifying question: This is a LOCAL file, yes? Not one located
on a remote system accessed across the network?

Who does the system report as owner of the copy of the file?

Peter
OSR

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@hermes.si
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com