Retrieve SecurityId, the one in $STANDARD_INFORMATION

Hi, it would be nice if someone could help me retrieve the SecurityId of a file. I am looking to determine the old and new value during an IRP_MJ_SET_SECURITY call. I am able to collect all unique security descriptors by reading $Secure. I could not find any FLT functions to call into to determine the SecurityId during both Preop and Postop.

Regards,
Kamaal.

You can query the security descriptor using FltQuerySecurityObject:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/fltkernel/nf-fltkernel-fltquerysecurityobject

I believe the SecurityId value is an internal NTFS thing so I can’t imagine a way to query it.

-scott
OSR

That's kinda sad. I had trouble sending the whole security descriptor using FltSendMessage as the size can get quite large.

Thanks Scott.

You can get the NTFS SecurityId using FSCTL_QUERY_FILE_LAYOUT, demonstrated by ‘fsutil volume filelayout’. Search MSDN for documentation. It might not be as performant as querying the whole security descriptor.

Craig

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, June 5, 2018 8:13 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Retrieve SecurityId, the one in $STANDARD_INFORMATION

That's kinda sad. I had trouble sending the whole security descriptor using FltSendMessage as the size can get quite large.

Thanks Scott.
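
For readers correlating the SecurityId with the descriptors stored in $Secure, here is an added example (not code from anyone in this thread) that reads the field out of a raw resident $STANDARD_INFORMATION attribute. The offsets follow the commonly published NTFS 3.x on-disk layout, which is an assumption here; the function names and the sample bytes are constructed for illustration.

```python
import struct

ATTR_STANDARD_INFORMATION = 0x10
RESIDENT_HEADER_LEN = 24      # resident attribute header, no attribute name
SI_LEN_V1 = 48                # NTFS 1.x body: timestamps + flags, no SecurityId
SI_LEN_V3 = 72                # NTFS 3.x body: adds OwnerId, SecurityId, quota, USN
SECURITY_ID_OFFSET = 0x34     # offset of SecurityId inside the 3.x body

def security_id_from_attribute(attr: bytes):
    """Return SecurityId from a resident $STANDARD_INFORMATION attribute,
    or None when the attribute uses the short pre-3.0 layout."""
    if len(attr) < RESIDENT_HEADER_LEN:
        raise ValueError("truncated attribute header")
    attr_type, attr_len, non_resident = struct.unpack_from("<IIB", attr, 0)
    if attr_type != ATTR_STANDARD_INFORMATION:
        raise ValueError("not a $STANDARD_INFORMATION attribute")
    if non_resident:
        raise ValueError("$STANDARD_INFORMATION must be resident")
    content_len, content_off = struct.unpack_from("<IH", attr, 16)
    end = content_off + content_len
    if content_off < RESIDENT_HEADER_LEN or end > min(attr_len, len(attr)):
        raise ValueError("content range outside attribute")
    if content_len < SI_LEN_V1:
        raise ValueError("content too short for $STANDARD_INFORMATION")
    if content_len < SI_LEN_V3:
        return None           # short layout carries no SecurityId
    (security_id,) = struct.unpack_from("<I", attr, content_off + SECURITY_ID_OFFSET)
    return security_id

def build_sample(security_id: int, long_form: bool = True) -> bytes:
    """Construct a sample attribute (made-up values, not from a real volume)."""
    body = struct.pack("<4Q", *[131726000000000000] * 4)   # four FILETIMEs
    body += struct.pack("<4I", 0x20, 0, 0, 0)    # flags, max versions, version, class id
    if long_form:
        body += struct.pack("<IIQQ", 0, security_id, 0, 0)  # owner, SecurityId, quota, USN
    header = struct.pack("<IIBBHHHIHBB", ATTR_STANDARD_INFORMATION,
                         RESIDENT_HEADER_LEN + len(body), 0, 0, RESIDENT_HEADER_LEN,
                         0, 0, len(body), RESIDENT_HEADER_LEN, 0, 0)
    return header + body

if __name__ == "__main__":
    print(hex(security_id_from_attribute(build_sample(0x1A3))))
    print(security_id_from_attribute(build_sample(0x1A3, long_form=False)))
```

The returned value is the key under which the matching descriptor is indexed in $Secure.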

