EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Sharing CBFS Virtual Disk and user names

Posted: 01/14/2008 10:56:31
by Tomas Emresz (Basic support level)
Joined: 01/14/2008
Posts: 2

is it possible to identify User (By Username), which is currently launched some events, but in access from network ? I have small virtual drive, and this drive is shared to network. If user access to this drive locally, then i can get username by GetOriginatorToken, but when this user is accessing from network, i get only NT AUTHORITY/SYSTEM. Is there any example, how to get COMPUTER/USERNAME or etp ?

Posted: 01/14/2008 14:31:45
by Volodymyr Zinin (Team)


Currently it isn't possible. We will check up the possibility and answer you shortly.
Posted: 01/15/2008 07:27:57
by Volodymyr Zinin (Team)

We have corrected the code. And now it seems to work well.
But a correct token is returned only for create/open request. All other requests can be in context of the system process (it's result of the operating system implementation). So the right way is to check security rights for a file in the create/open callbacks.

We are going to create the new build today. Please wait a little.

BTW: I have tried the following code:

HANDLE hToken = CbFsGetOriginatorToken(Vcb);

UCHAR TokenUserBuf[255];
DWORD ReturnedLength;

b = GetTokenInformation( hToken,
&ReturnedLength );
LastError = GetLastError();

if (b) {

DWORD UserNameLen = sizeof(UserName)/sizeof(WCHAR);
WCHAR ReferencedDomainName[100];
DWORD ReferencedDomainNameLen = sizeof(ReferencedDomainName)/sizeof(WCHAR);

TokenUser = (PTOKEN_USER)TokenUserBuf;

b = LookupAccountSidW( NULL,
&SidNameUse );

LastError = GetLastError();


Posted: 01/15/2008 13:23:16
by Tomas Emresz (Basic support level)
Joined: 01/14/2008
Posts: 2

createFile now working good, but, EnumerateDiretory, DeleteFile doesn't. Is it possible to do this Events ?
Posted: 01/16/2008 01:54:28
by Volodymyr Zinin (Team)


When the Create/Open events are called then it means that somebody creates/opens a file or a directory (i.e. it obtains a handler to this item). If you returns error (for example ERROR_ACCESS_DENIED due to some security restrictions) then the file/directory won't be opened (the originator of the request will obtain the same error code).
The real originator of the request (i.e. its access token) can be obtained only in the create/open events. During processing them you can save a necessary information from the token in the UserContext and use it in the further events (these events can be called in context of the system process). But the best way is to process all security processing completely in the create/open callbacks.

BTW: For obtaining all the create/open events you must set to true the CallbackFileSystem.CallAllOpenCloseCallbacks flag.
Posted: 04/21/2011 04:14:12
by Jochen Lay (Basic support level)
Joined: 04/21/2011
Posts: 5

I'm currently working on logging access to a network share into a database table... Each callback in my application creates a thread wich does the database inserting.

Everything is working fine for create, rename/move, but I cannot figure out, how I can log the real originator on a deletetion of a file / directory... Can anybody point me in the right direction how i can handle this in the open callback? (with a little code snippet?) would be very great...

thank you in advance


P.S.: I'm working with the actual version of CBFS and Delphi XE
Posted: 04/21/2011 04:34:03
by Eugene Mayevski (Team)

So did you use GetOriginatorToken method of CallbackFileSystem class? The sample code is above.

Sincerely yours
Eugene Mayevski
Posted: 04/21/2011 04:42:52
by Jochen Lay (Basic support level)
Joined: 04/21/2011
Posts: 5

yes, I did and I'm getting the correct originator token of the user when creating or renamening/moving a file. on deletion I get the SYSTEM user (as Tomas Emresz described above).

What I'm trying now is to get the originator token in the corresponding "open" callback, but before each deletion there are three open callbacks fired and I don't know the relation to the delete callback afterwards. I think of multiple user working on that share (then lot's of open events are fired, maybe for the same file). How can I know, which OriginatorToken I should use in the delete callback?

Best regards Jochen
Posted: 04/21/2011 05:22:00
by Volodymyr Zinin (Team)

Try to get the originator in the OnCanFileBeDeleted callback. It's always called during the deletion.
Posted: 04/21/2011 09:09:20
by Jochen Lay (Basic support level)
Joined: 04/21/2011
Posts: 5

Yes, that's working...
thanks a lot for the quick help,
best regards Jochen



Topic viewed 3817 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!