CallbackFilter

Instant control over file and folder operations in Windows and .NET applications

CallbackFilter.GetOriginatorToken method


Overview

Returns the security token of the process that initiated the operation.

Declaration

[Pascal]
    function GetOriginatorToken : THandle;

[C++ (Lib)]
    HANDLE GetOriginatorToken(void);

[C++ (VCL)]
    unsigned __fastcall GetOriginatorToken(void);

[C++ (.NET)]
    IntPtr GetOriginatorToken(void);

[C#]
    IntPtr GetOriginatorToken();

[VB.NET]
    Function GetOriginatorToken() As IntPtr

Return values

Handle to the token if the function succeeded or INVALID_HANDLE_VALUE if the function failed.

Description

Use GetOriginatorToken to get the security token of the process that originated the operation. You can pass this token to the GetTokenInformation() function of the Windows API to retrieve various security-related information.

Call this method only from the callback / event handlers.

Do not call this method from handlers for OnReadFile*, OnWriteFile* and other callbacks that work with opened files, because those callbacks can be initiated by system components (cache manager, memory manager, etc.). Instead, do the following:

  1. Call GetOriginatorToken from the OnCreateFile or OnOpenFile event handlers / callbacks and obtain the security information you need using this token;
  2. Store the obtained information somewhere and store a reference to it in the UserContext;
  3. When you need to check the originator information in some file-related callback, access the stored information via UserContext.

NOTE: you must call the CloseHandle() function of the Windows API to close the obtained token handle.

Network access

If you monitor a disk that is shared, you might want to get security information (account name, etc.) of the user who accesses the disk across the network. Disks can be shared in several modes in Windows:

  • The first is authenticated mode. In this case the network redirector (the process that receives remote disk requests and directs them to the disk driver) impersonates the account of the calling user, and GetOriginatorToken returns the account information of that caller.
  • The next is guest mode. In this mode GetOriginatorToken returns information of the GUEST account.
  • The third mode is administrative shares (those that exist by default and are named C$, D$, etc.). For such shares GetOriginatorToken returns information of the LOCAL_SYSTEM account.
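
The capture step from the Description and the account cases from Network access, as an added C# example that is not part of the CallbackFilter documentation or samples. `OriginatorInfo` and `Capture` are hypothetical names, and the example assumes the snapshot is built with .NET's `WindowsIdentity` instead of direct GetTokenInformation() calls; pass it the value returned by GetOriginatorToken in the OnCreateFile / OnOpenFile handler and keep the result reachable through UserContext.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (not part of CallbackFilter): an immutable snapshot of the
// originator that stays valid after the token handle has been closed.
public sealed class OriginatorInfo
{
    public string Sid { get; private set; }
    public string Account { get; private set; }
    public bool IsGuest { get; private set; }   // guest-mode share access
    public bool IsSystem { get; private set; }  // LOCAL_SYSTEM, e.g. administrative shares (C$, D$)

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private static readonly IntPtr InvalidHandleValue = new IntPtr(-1);

    // token: the value returned by GetOriginatorToken() inside OnCreateFile / OnOpenFile.
    // Returns null when GetOriginatorToken() failed (INVALID_HANDLE_VALUE).
    public static OriginatorInfo Capture(IntPtr token)
    {
        if (token == InvalidHandleValue || token == IntPtr.Zero) // Zero check is defensive
            return null;
        try
        {
            // WindowsIdentity duplicates the handle; the original remains ours to close.
            using (var identity = new WindowsIdentity(token))
            {
                SecurityIdentifier sid = identity.User;
                string account;
                try { account = sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { account = sid.Value; } // no name for this SID
                return new OriginatorInfo
                {
                    Sid = sid.Value,
                    Account = account,
                    IsGuest = identity.IsGuest,
                    IsSystem = identity.IsSystem
                };
            }
        }
        finally
        {
            CloseHandle(token); // the NOTE above: the caller must close the token handle
        }
    }
}
```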

See also

GetOriginatorProcessName    
