
sysinternals filemon and fundelete examples


Tom DeMay

Jun 1, 2000
First off. Has anyone ever sent an e-mail to www.sysinternals.com and
received a reply? Rhetorical question....


I have a requirement to log some specific file I/O activity. Part of that
requirement is to log the process, process id, user account name, action,
blah blah blah.

I looked at the filemon example for file I/O filter device drivers and the
fundelete example to get the user account name.

I've got everything working, however, when I access the file from a remote
computer it gives me the system process. I recognize the fact that I won't
be able to get the true process because the process is not running on the
machine. But the problem is that the fundelete example uses the process
information to get the SID of the user of that process, which in this case
is always going to be "system".

Any ideas on another approach I can take to get the user account name for
that user that is accessing the file!?!?!?!?!?

I can't imagine this is a difficult task. I would think that information
would be needed all the time from file I/O filter device drivers.

Lynn McGuire

Jun 1, 2000
> first off. Has anyone ever sent an e-mail to www.sysinternals.com and
> received a reply? rhetorical question....


Yes.

Lynn McGuire


Dejan Maksimovic

Jun 1, 2000
> first off. Has anyone ever sent an e-mail to www.sysinternals.com and
> received a reply? rhetorical question....

Always! However, WinTernals (their commercial big brother) never answered
a bug report.

> I have a requirement to log some specific file i/o activity. Part of that
> requirement is to log the process, process id, user account name, action,
> blah blah blah.

You can do the rest, but blah blah blah is certainly not possible ;-)

> I looked at the filemon example for filter file i/o device drivers and the
> fundelete example to get the user account name.

Interesting, I never noticed that Fundelete has user ID.

> I've got everything working, however, when I access the file from a remote
> computer it gives me the system process. I recognize the fact that I won't
> be able to get the true process because the process is not running on the
> machine. But the problem is that the fundelete example uses the process
> information to get the SID of the user of that process, which in this case
> is always going to be "system".

Of course it is. It's the SYSTEM that accesses the network itself, so it
is the chain end.

> Any ideas on another approach I can take to get the user account name for
> that user that is accessing the file!?!?!?!?!?

Sorry, no.

> I can't imagine this is a difficult task. I would think that information
> would be needed all the time from file i/o filter device drivers.

I wouldn't. Having created commercial/shareware components for this, I
know it's not easy.

--
Best wishes, Dejan Maksimovic, CP Alfa Co. alfa...@ptt.yu
Web http://www.alfaunits.co.yu
Member of ASP, since April 13th 2000.
ICQ# : 56570367
Tel. +381-18-363247
Fax : 1-435-4070614
Enterprise file&system components for Delphi, BCB, MSVC++, MSVB etc.
Alfa File Monitor - The only Delphi/BCB real-time file event notification
component.
http://www.alfaunits.co.yu/eafm.htm
Alfa Units http://www.alfaunits.co.yu/eau.htm
The best in directory, over 2GB file, and registry handling.

Tom DeMay

Jun 12, 2000
Ah!!!

Now I think I'm on to something.

This is basically what fundelete does....

    PACCESS_TOKEN Token; HANDLE tokenHandle; ULONG requiredLength;
    PTOKEN_USER tokenInfoBuffer; UNICODE_STRING sidString; NTSTATUS ntStatus;

    /* primary token of the process the current thread is running in */
    Token = PsReferencePrimaryToken( PsGetCurrentProcess() );
    ObOpenObjectByPointer( Token, 0, NULL, TOKEN_QUERY, NULL, KernelMode, &tokenHandle );
    /* first call only sizes the TOKEN_USER buffer, second call fills it */
    ZwQueryInformationToken( tokenHandle, TokenUser, NULL, 0, &requiredLength );
    tokenInfoBuffer = ExAllocatePool( PagedPool, requiredLength );
    ZwQueryInformationToken( tokenHandle, TokenUser, tokenInfoBuffer, requiredLength, &requiredLength );
    /* TRUE: let the runtime allocate sidString.Buffer (free it with RtlFreeUnicodeString) */
    ntStatus = RtlConvertSidToUnicodeString( &sidString, tokenInfoBuffer->User.Sid, TRUE );
    ZwClose( tokenHandle );
    PsDereferencePrimaryToken( Token );

I've taken this code and in usermode converted the ANSI SID String to an
account name for the purpose of the log.

>fundelete should be using the subject security context from the create IRP.
>That's what is truly the user that is opening the file.

I'm totally new to this. I don't suppose you can give me any clues on how to
get a SID from the subject security context from the created IRP?

Richard Ward wrote in message <8h7kev$pb4$1...@q.seanet.com>...
>
>"Tom DeMay" <TheT...@att.net> wrote in message
>news:O4tjOu9y$GA.197@cppssbbsa04...

>> first off. Has anyone ever sent an e-mail to www.sysinternals.com and
>> received a reply? rhetorical question....
>
>always.
>
>> I've got everything working, however, when I access the file from a remote
>> computer it gives me the system process. I recognize the fact that I won't
>> be able to get the true process because the process is not running on the
>> machine. But the problem is that the fundelete example uses the process
>> information to get the SID of the user of that process, which in this case
>> is always going to be "system".
>
>fundelete should be using the subject security context from the create IRP.
>That's what is truly the user that is opening the file. NTFS can execute the
>create on a worker thread in system context, so using the process token is
>problematic. And you should just use the SID in the binary form, not convert
>it to a string. If you keep it binary, then you can convert it to text in
>user mode, and be safe from account renames, etc. That's how the audit log
>works.

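The following is an added example, not code from this thread, from fundelete or from Sysinternals. It shows the user-mode half of Richard Ward's advice: the filter driver writes the opener's SID into the log record as raw bytes, and a log reader later parses the documented binary SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) and renders it as "S-1-...". The kernel half is not exercised here because it only compiles against the DDK: in IRP_MJ_CREATE the subject context Richard refers to is IrpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext, SeQuerySubjectContextToken() on it yields the client token when the caller is impersonating (a remote SMB open) and the primary token otherwise, and SeQueryInformationToken(token, TokenUser, ...) returns the TOKEN_USER whose User.Sid bytes go into the record. The two SID values and the log record below are constructed test data; S-1-5-18 is the well-known LocalSystem SID that the process-token approach reports for every remote open, the domain user SID is made up.

```c
/*
 * Added example (not from the thread, fundelete or Sysinternals): parse and
 * compare Windows SIDs in their binary form, as a user-mode log reader would
 * after a filter driver logged the raw bytes instead of an account name.
 *
 *   byte 0       Revision (1)
 *   byte 1       SubAuthorityCount (0..15)
 *   bytes 2..7   IdentifierAuthority, 48-bit big-endian
 *   bytes 8..    SubAuthorityCount x 32-bit little-endian sub-authorities
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15
#define SID_STRING_MAX 256   /* room for "S-1-0x" + 12 hex digits + 15 x "-4294967295" */

/* Constructed test SIDs. S-1-5-18 is the well-known LocalSystem SID. */
const uint8_t kSystemSid[] = { 1, 1, 0,0,0,0,0,5, 18,0,0,0 };
/* Hypothetical domain user S-1-5-21-1000-2000-3000-1001 (made-up values). */
const uint8_t kDemoUserSid[] = { 1, 5, 0,0,0,0,0,5,
                                 0x15,0,0,0, 0xE8,0x03,0,0, 0xD0,0x07,0,0,
                                 0xB8,0x0B,0,0, 0xE9,0x03,0,0 };

/* Validate a SID read from a record of 'avail' bytes. Returns its length, or
 * 0 if the header is bad or the record is truncated. The length check runs
 * before SubAuthorityCount is trusted, so a short record cannot be over-read. */
size_t sid_length(const uint8_t *sid, size_t avail)
{
    if (avail < 8 || sid[0] != 1 || sid[1] > SID_MAX_SUB_AUTHORITIES)
        return 0;
    size_t need = 8 + 4 * (size_t)sid[1];
    return need <= avail ? need : 0;
}

/* Same principal iff the bytes match. Comparing SIDs rather than account
 * names is what keeps the log correct across account renames. */
int sid_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    size_t la = sid_length(a, alen), lb = sid_length(b, blen);
    return la != 0 && la == lb && memcmp(a, b, la) == 0;
}

/* Render a binary SID as "S-R-A-s1-s2-...". Returns string length, 0 on error. */
int sid_to_string(const uint8_t *sid, size_t avail, char *out, size_t outlen)
{
    size_t len = sid_length(sid, avail);
    if (len == 0 || outlen == 0)
        return 0;

    uint64_t authority = 0;                         /* 48-bit, big-endian */
    for (int i = 2; i < 8; i++)
        authority = (authority << 8) | sid[i];

    /* Authorities that do not fit in 32 bits are printed as 12 hex digits. */
    int n = (authority >> 32)
        ? snprintf(out, outlen, "S-%u-0x%012llX", (unsigned)sid[0], (unsigned long long)authority)
        : snprintf(out, outlen, "S-%u-%llu",      (unsigned)sid[0], (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return 0;

    for (unsigned i = 0; i < sid[1]; i++) {
        const uint8_t *p = sid + 8 + 4 * i;        /* little-endian DWORD */
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%lu", (unsigned long)sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n)
            return 0;
        n += m;
    }
    return n;
}

/* Constructed log record of the shape the thread asks for: the user is
 * carried as SID bytes, never as a name. */
struct file_event {
    char     process[16];
    uint32_t pid;
    char     action[8];
    uint8_t  sid[8 + 4 * SID_MAX_SUB_AUTHORITIES];
    size_t   sid_len;
};

int main(void)
{
    struct file_event ev = { "srv.exe", 4, "OPEN", {0}, 0 };
    memcpy(ev.sid, kDemoUserSid, sizeof kDemoUserSid);
    ev.sid_len = sizeof kDemoUserSid;

    char text[SID_STRING_MAX];
    if (sid_to_string(ev.sid, ev.sid_len, text, sizeof text))
        printf("%s pid=%lu %s user=%s\n", ev.process, (unsigned long)ev.pid, ev.action, text);

    /* Is this the LocalSystem account the process-token approach always reported? */
    printf("logged SID is LocalSystem: %s\n",
           sid_equal(ev.sid, ev.sid_len, kSystemSid, sizeof kSystemSid) ? "yes" : "no");

    /* A truncated record is rejected instead of being parsed past its end. */
    printf("truncated record accepted: %s\n", sid_length(kDemoUserSid, 20) ? "yes" : "no");
    return 0;
}
```

The reader resolves the text form to an account name only at display time (on Windows, LookupAccountSid does that), so a record written before a rename still identifies the right principal, which is the property Richard attributes to the audit log.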