EldoS | Feel safer!

Software components for data protection, secure storage and transfer

CBFS_SYMLINK_LOCAL exposed to other user sessions

Posted: 10/20/2015 04:49:46
by Tomasz L (Priority Standard support level)
Joined: 03/25/2015
Posts: 3

David Ruzicka wrote:
Maybe better is the SecurityIdentifier of the authorized user [...] for user authentication - you can identify the user in the Open/Create callback through GetOriginatorToken() regardless of session.

That was great advice, thanks! I managed to get (from the token) the logon session, but filtering by user SID (Security Identifier, which I also got from the token) is a better idea, because then you are actually checking who the Windows user is, which seems more appropriate.

After obtaining the token (for our process, by OpenProcessToken with query access; for checking the caller, by CBFS GetOriginatorToken), one has to call GetTokenInformation:

  • For the logon session, you need to get the "TokenStatistics" information; in the returned TOKEN_STATISTICS, the AuthenticationId member is the 64-bit integer (split into two words) containing the logon session id.
  • For the user SID, you need to get the "TokenUser" information, which fills the variable-size structure TOKEN_USER. To process the dynamic SID structure, use the Security Identifier functions: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571.aspx
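
The token queries described in the post above, as an added C# example (not code from the post or from EldoS). `TokenCheck` and its members are hypothetical names, and `callerToken` is assumed to be the handle the Open/Create callback obtained through GetOriginatorToken; the `Main` method only exercises the queries on the current process token.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenCheck   // hypothetical helper, not part of CBFS
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenUser = 1, TokenStatistics = 10;   // TOKEN_INFORMATION_CLASS values

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    // Two-call pattern: the first call reports the required size, the second fills the buffer.
    static T Query<T>(IntPtr token, int cls, Func<IntPtr, T> read)
    {
        GetTokenInformation(token, cls, IntPtr.Zero, 0, out int len);
        IntPtr buf = Marshal.AllocHGlobal(len);
        try
        {
            if (!GetTokenInformation(token, cls, buf, len, out len)) throw new Win32Exception();
            return read(buf);
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    // TOKEN_USER begins with SID_AND_ATTRIBUTES, whose first field points to the SID (copied here).
    public static SecurityIdentifier UserSid(IntPtr token) =>
        Query(token, TokenUser, b => new SecurityIdentifier(Marshal.ReadIntPtr(b)));

    // TOKEN_STATISTICS: TokenId (8 bytes), then AuthenticationId (LowPart, HighPart) at offset 8.
    public static long LogonSessionId(IntPtr token) =>
        Query(token, TokenStatistics, b => Marshal.ReadInt64(b, 8));

    // callerToken: assumed to be the handle returned by CBFS GetOriginatorToken in Open/Create.
    public static bool IsAllowedUser(IntPtr callerToken, SecurityIdentifier allowed) =>
        UserSid(callerToken).Equals(allowed);

    static void Main()
    {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out IntPtr own)) throw new Win32Exception();
        try { Console.WriteLine($"{UserSid(own)} session 0x{LogonSessionId(own):X} same={IsAllowedUser(own, UserSid(own))}"); }
        finally { CloseHandle(own); }
    }
}
```

A failed query throws instead of returning a default value, so a callback built on `IsAllowedUser` denies access when the caller's token cannot be read.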


