EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Accessing Windows user information

Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.
#10306
Posted: 06/05/2009 01:54:26
by Daniel Wehrle (Priority Standard support level)
Joined: 08/08/2008
Posts: 32

Is there any chance to get the information which user is accessing a file? I like to protocol the access to the file system. So it would be nice getting this information.
#10307
Posted: 06/05/2009 02:13:22
by Eugene Mayevski (EldoS Corp.)

Use GetOriginatorToken method from within the callback, then retrieve information from the token using Windows API functions. This has been discussed several times in the forum as well as in documentation, please do the search on the site for "GetOriginator".


Sincerely yours
Eugene Mayevski
#10308
Posted: 06/05/2009 03:17:29
by Volodymyr Zinin (EldoS Corp.)

It isn't possible at all to monitor any user activity. More strictly you can monitor what processes (users) open and close files/directories by means of the GetOriginatorToken, GetOriginatorProcessName, and GetOriginatorProcessId calls.
But it isn't possible in some cases to determine what a process performs read/write on a file. For instance if several processes open a file concurrently, map it as a memory mapped file section and perform concurrent write on it, then the GetOriginatorXXX calls from the subsequent OnWrite callback return that it is the System process (with pid=4) does the work. This is because the data is written not to the file directly, but to the memory mapped file section (which is placed in the physical memory) and only later the modified data is flushed by the "modified page writer thread" (that belongs to the system memory manager component). Also some kernel mode components, such as antivirus that use file system filter drivers, can intercept file openings made by users and then themselves perform I/O on the files using these user contexts.

Reply

Statistics

Topic viewed 1842 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!