  Message 1 of 4  
10 Jun 18 12:05
ben tsang
xxxxxx@hotmail.com
Join Date: 17 Mar 2008
Posts To This List: 51
REMOTE IP FROM ECP

Hi All,

I am trying to get the IP address from the ECP with GUID "GUID_ECP_SRV_OPEN" in POST CREATE. When I get "SecurityImpersonation == Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel" and the system process ID, I assume the file was accessed from SRV, and then I go to check the ECP. I can get the IP address sometimes, but most of the time it fails with error code "STATUS_NOT_FOUND" from the function "FltFindExtraCreateParameter". I am only testing with SMB.

Does anyone know why I can't get the IP address all the time?

Thanks,
Ben

  Message 2 of 4  
11 Jun 18 04:03
rod widdowson
xxxxxx@steadingsoftware.com
Join Date: 11 Sep 2006
Posts To This List: 856
REMOTE IP FROM ECP

> I am trying to get the IP address from the ECP with GUID "GUID_ECP_SRV_OPEN" in POST CREATE,
> when I got "SecurityImpersonation ==
> Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel"
> and system process Id, I assume the file was accessed from SRV

That's a dangerous assumption. Anybody is allowed to impersonate. Also, last time I checked, SRV didn't always impersonate.

> then I go to check the ECP, I can get the ip address sometime, but most of
> the time it will fail with error
> code "STATUS_NOT_FOUND" with the function "FltFindExtraCreateParameter".

Obvious question - if you break in that situation, is SRV on the stack?

> Anyone knows why I can't get the ip address all the time?

Is this on the same machine? Anecdotally a registry setting is (used to be?) needed:
http://www.osronline.com/showThread.cfm?link=212938

  Message 3 of 4  
11 Jun 18 11:02
ben tsang
xxxxxx@hotmail.com
Join Date: 17 Mar 2008
Posts To This List: 51
REMOTE IP FROM ECP

Thanks Rod,

What is the best way to check if it is accessed from a remote computer? When it failed with the function "FltFindExtraCreateParameter", SRV is on my stack, as below. I also set the registry key as you mentioned.

02 ffffae80`af0e3830 fffff803`1f86abcf MyFilter!PostCreate+0x128
03 ffffae80`af0e3890 fffff803`1f815cd4 FLTMGR!FltvPostOperation+0xaf
04 ffffae80`af0e3920 fffff803`1f815683 FLTMGR!FltpPerformPostCallbacks+0x2f4
05 ffffae80`af0e39f0 fffff803`1f81726a FLTMGR!FltpPassThroughCompletionWorker+0x73
06 ffffae80`af0e3a60 fffff803`1f84bbcd FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1ba
07 ffffae80`af0e3ad0 fffff801`47f5c4aa FLTMGR!FltpCreate+0x2dd
08 ffffae80`af0e3b80 fffff801`48629d29 nt!IopfCallDriver+0x56
09 ffffae80`af0e3bc0 fffff801`47fd45b9 nt!IovCallDriver+0x275
0a ffffae80`af0e3c00 fffff801`482efbe3 nt!IofCallDriver+0x185859
0b ffffae80`af0e3c40 fffff801`483a0007 nt!IopParseDevice+0x773
0c ffffae80`af0e3e10 fffff801`482dc2ab nt!IopParseFile+0xc7
0d ffffae80`af0e3e80 fffff801`482edd1f nt!ObpLookupObjectName+0x73b
0e ffffae80`af0e4060 fffff801`48353805 nt!ObOpenObjectByNameEx+0x1df
0f ffffae80`af0e41a0 fffff801`48355c7a nt!IopCreateFile+0x3f5
10 ffffae80`af0e4240 fffff803`2270919c nt!IoCreateFile+0x8a
11 ffffae80`af0e42d0 fffff803`2270091a srv2!Smb2IsAccessAllowedEx+0xf8
12 ffffae80`af0e43b0 fffff803`226efafa srv2!Smb2CheckAbeError+0x112
13 ffffae80`af0e4450 fffff803`226dabbf srv2!Smb2CreateFile+0x1452a
14 ffffae80`af0e4c90 fffff803`226df58c srv2!Smb2ExecuteCreateReal+0x18f
15 ffffae80`af0e4e00 fffff803`226de1f6 srv2!Smb2ExecuteCreate+0x3c
16 ffffae80`af0e4e40 fffff803`226dda0a srv2!Smb2ExecuteProviderCallback+0x66
17 ffffae80`af0e4ea0 fffff803`226dcb88 srv2!Srv2CallProviders+0x9a
18 ffffae80`af0e4ee0 fffff801`47fa1167 srv2!RfspThreadPoolNodeWorkerProcessWorkItems+0x218

  Message 4 of 4  
13 Jun 18 04:15
rod widdowson
xxxxxx@steadingsoftware.com
Join Date: 11 Sep 2006
Posts To This List: 856
REMOTE IP FROM ECP

Hi Ben,

> What is the best way to check if it is accessed from remote computer?
> when it was failed with function "FltFindExtraCreateParameter", the SRV
> is on my stack as below.

That's exactly what I would do. I don't suppose there are any MSDevs listening right now?

I should note that I put in a documentation comment into github about the registry setting being missed at [1].

Rod

[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/ns-ntifs-_srv_open_ecp_context

All times are GMT -5.