EldoS | Feel safer!

Obtain real user for shared folder access

#17078
Posted: 07/20/2011 00:55:23
by Andrew  (Standard support level)
Joined: 07/20/2011
Posts: 4

Just started evaluating the product. The question is how to find out the real user name that accesses a shared folder in the following scenario:

1. CallbackFilter is installed on local computer
2. This computer has a shared folder e.g. \\COMP\C$
3. CallbackFilter monitors the entire C drive
4. A user from another computer reads files in \\COMP\C$

CallbackFilter intercepts these operations normally, however calling GetTokenInformation(TOKEN_INFORMATION_CLASS = TokenUser) followed by LookupAccountSid always returns SYSTEM as the user name.

Is there any way to retrieve the original user name?

TIA.
#17081
Posted: 07/20/2011 03:05:43
by Eugene Mayevski (EldoS Corp.)

When exactly are you calling this method? Try calling it only in OnCreate and OnOpen callbacks. However, if the user is logged in as GUEST, you will get GUEST no matter what credentials the user used when connecting.


Sincerely yours
Eugene Mayevski
#17082
Posted: 07/20/2011 03:48:41
by Andrew  (Standard support level)
Joined: 07/20/2011
Posts: 4

I tried to modify the FileMon example by altering event handlers as follows:

Code
procedure TfrmMain.cbfFilterOpenFileC(Sender: TObject; FileName: TCBString;
  var DesiredAccess: Cardinal; var FileAttributes, ShareMode: Word;
  var Options: Cardinal; var CreateDisposition: Word;
  var ProcessRequest: Boolean);
begin
  AddToLog(Format('OpenFileC %s by %s', [FileName, GetUserName]));
end;

procedure TfrmMain.cbfFilterOpenFileN(Sender: TObject;
  FileName: TCBString; DesiredAccess: Cardinal; FileAttributes: WORD;
  ShareMode: Word; Options: Cardinal; CreateDisposition: Word);
begin
  AddToLog(Format('OpenFileN %s by %s', [FileName, GetUserName]));
end;

procedure TfrmMain.cbfFilterCreateFileC(Sender: TObject; FileName: TCBString;
  var DesiredAccess: Cardinal; var FileAttributes, ShareMode: Word;
  var Options: Cardinal; var CreateDisposition: Word;
  var ProcessRequest: Boolean);
begin
  AddToLog(Format('CreateFileC %s by %s', [FileName, GetUserName]));
end;

procedure TfrmMain.cbfFilterCreateFileN(Sender: TObject;
  FileName: TCBString; DesiredAccess: Cardinal; FileAttributes,
  ShareMode: Word; Options: Cardinal; CreateDisposition: Word);
begin
  AddToLog(Format('CreateFileN %s by %s', [FileName, GetUserName]));
end;


where GetUserName is implemented as

Code
function TfrmMain.GetUserName: string;
var
  Token: THandle;
  UserInfo: PTokenUser;
  DomainName, UserName: array[0..$FF] of Char;
  UserSize: DWORD;
  DomainSize: DWORD;
  Len: DWORD;
  SidType: SID_NAME_USE;
begin
  Result := '';
  Token := cbfFilter.GetOriginatorToken;
  if Token = 0 then
    Exit;
  try
    // The first call only reports the required buffer size; it fails with
    // ERROR_INSUFFICIENT_BUFFER by design.
    Len := 0;
    if (not GetTokenInformation(Token, TokenUser, nil, 0, Len)) and
       (GetLastError = ERROR_INSUFFICIENT_BUFFER) then
    begin
      GetMem(UserInfo, Len);
      try
        if GetTokenInformation(Token, TokenUser, UserInfo, Len, Len) then
        begin
          FillChar(UserName, SizeOf(UserName), 0);
          UserSize := Length(UserName);     // size in characters, not bytes
          FillChar(DomainName, SizeOf(DomainName), 0);
          DomainSize := Length(DomainName);
          if LookupAccountSid(nil, UserInfo^.User.Sid, @UserName, UserSize,
             @DomainName, DomainSize, SidType) then
            Result := UserName;
        end;
      finally
        FreeMem(UserInfo);
      end;
    end;
  finally
    // The handle returned by GetOriginatorToken belongs to the caller.
    CloseHandle(Token);
  end;
end;


For some reason the *****C events are not fired, but the *****N events are.

Access from another machine to \\SERVER\Z
Code
OpenFileN Z:\temp\CACHEDIR.TAG by SYSTEM
OpenFileN Z:\temp\CACHEDIR.TAG by SYSTEM
CloseFileN Z:\temp\CACHEDIR.TAG
OpenFileN Z:\temp\CACHEDIR.TAG by SYSTEM
CloseFileN Z:\temp\CACHEDIR.TAG
OpenFileN Z:\temp\CACHEDIR.TAG by SYSTEM


Local access to Z:\
Code
OpenFileN Z:\temp\CACHEDIR.TAG by Administrator
CloseFileN Z:\temp\CACHEDIR.TAG
OpenFileN Z:\temp\CACHEDIR.TAG by Administrator
CloseFileN Z:\temp\CACHEDIR.TAG
CloseFileN Z:\temp
CloseFileN Z:\temp\CACHEDIR.TAG


So the user name shown is SYSTEM while the user is not Guest and is logged in as TEST (see attachment). The server on which CallbackFilter is running is Windows 7, the client accessing the shared folder is Windows XP.

Any ideas?


#17083
Posted: 07/20/2011 04:04:35
by Vladimir Cherniga (EldoS Corp.)

Did you modify the AddFilterCallbackRule() call in order to enable *****C callbacks?
#17084
Posted: 07/20/2011 05:41:51
by Andrew  (Standard support level)
Joined: 07/20/2011
Posts: 4

Not sure what modifications you are referring to, please clarify. The component has assigned OpenFileC and OpenFileN callbacks. The AddFilterCallbackRule() is as follows:
Code
  cbfFilter.AddFilterCallbackRule(edtPath.Text,
    fltReadNotify or
    fltWriteNotify or
    fltCreateNotify or
    fltRenameNotify or
    fltSetSizesNotify or
    fltDeleteNotify or
    fltSetBasicInfoNotify or
    fltEnumerateDirectoryNotify or
    fltOpenNotify or
    fltCloseNotify or
    fltSetSecurityNotify
  );


******C callbacks don't seem to be fired.


#17086
Posted: 07/20/2011 06:16:28
by Vladimir Cherniga (EldoS Corp.)

You should add the fltCreateCallback or fltOpenCallback flags to the cbfFilter.AddFilterCallbackRule call in order for the *****C callbacks to start working.
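As an added example (not code from this thread or from the EldoS FileMon sample), here is how the rule from post #17084 looks once the callback flags named in the reply above are included, together with an OpenFileC handler that queries the originator only in the pre-operation (C) callback, which is where the first reply in the thread says the token should be read and where the thread reports the correct user name for network access. It assumes the FileMon-style names used in the thread (cbfFilter, edtPath, AddToLog, TCBString) and the thread's own GetUserName function that resolves cbfFilter.GetOriginatorToken to an account name.

```delphi
{ Added example, not from the original thread or from EldoS' FileMon sample.
  Assumes: cbfFilter, edtPath, AddToLog, TCBString and GetUserName as used in
  the thread; the flag constants are the ones named in the thread. }

procedure TfrmMain.RegisterRule;
begin
  // The ...Notify flags alone only deliver post-operation notifications
  // (the *N callbacks). A *C callback fires only when its matching
  // ...Callback flag is part of the rule, which is what the original
  // rule in post #17084 was missing.
  cbfFilter.AddFilterCallbackRule(edtPath.Text,
    fltOpenCallback or        // enables OnOpenFileC
    fltCreateCallback or      // enables OnCreateFileC
    fltOpenNotify or          // keeps OnOpenFileN for comparison
    fltCreateNotify or
    fltCloseNotify
  );
end;

// Pre-operation callback: this is where the thread reports that
// GetOriginatorToken resolves to the real (remote) user.
procedure TfrmMain.cbfFilterOpenFileC(Sender: TObject; FileName: TCBString;
  var DesiredAccess: Cardinal; var FileAttributes, ShareMode: Word;
  var Options: Cardinal; var CreateDisposition: Word;
  var ProcessRequest: Boolean);
var
  User: string;
begin
  User := GetUserName;            // thread's helper; '' when unresolved
  if User = '' then
    User := '<unresolved>';
  AddToLog(Format('OpenFileC %s by %s', [FileName, User]));
end;

// Post-operation notification: the thread's logs show SYSTEM here for
// network access, so do not derive the accessing identity from this event.
procedure TfrmMain.cbfFilterOpenFileN(Sender: TObject;
  FileName: TCBString; DesiredAccess: Cardinal; FileAttributes: Word;
  ShareMode: Word; Options: Cardinal; CreateDisposition: Word);
begin
  AddToLog(Format('OpenFileN %s', [FileName]));
end;
```

Register the rule before the filter is attached, as the FileMon sample does with its existing AddFilterCallbackRule call; the only behavioural change is that the C callbacks now fire and the user name is logged from there rather than from the N notification.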
#17087
Posted: 07/20/2011 06:26:16
by Andrew  (Standard support level)
Joined: 07/20/2011
Posts: 4

Oh, I must have been blind. Thank you very much for help, it's all now working properly and user names are correctly reported for network access as well. We'll be considering purchasing this SDK soon.