winapi filesystems driver minifilter

Can file system driver filters filter operations based on user id?


Follow-up to: Windows Filesystem Minifilter Drivers: can I monitor and prevent FS operations using them?

I'm looking for a method to filter access to certain file system resources. This includes removable media and non-NTFS file systems - so standard ACLs won't work.

From what I read, a file system driver filter might be helpful - but I didn't find a way to get the user id of the initiating user. Is this possible?

Other recommendations / references to existing tools are also welcome.


Solution

  • I am not sure what "user id" means. But this might be useful:

    1. When handling IRP_MJ_CREATE look at IrpSp->Parameters.Create.SecurityContext->AccessState.
    2. ACCESS_STATE contains SecurityDescriptor and SubjectSecurityContext.
    3. From SubjectSecurityContext you can retrieve PACCESS_TOKEN if you need it (call SeLockSubjectContext and SeQuerySubjectContextToken).

    Have a nice day!
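
The three steps above, written as a minifilter pre-create callback that compares the requestor's user SID against a blocked SID. This is an added example, not code from the answer. It assumes a minifilter (so the create parameters are reached through `Data->Iopb` rather than `IrpSp`); `BLOCKED_SID`, `sid_equal`, `should_deny` and `PreCreate` are hypothetical names, and the SID value is constructed. The kernel part is guarded by `_KERNEL_MODE` so the policy check also compiles in user mode.

```c
#include <string.h>
#ifdef _KERNEL_MODE            /* MSVC defines this under /kernel (WDK driver builds) */
#include <fltKernel.h>
#endif

/* Constructed sample SID S-1-5-21-1-2-3-1001 in binary SID layout (little-endian). */
typedef struct { unsigned char rev, count, auth[6]; unsigned int sub[5]; } sid5_t;
static const sid5_t BLOCKED_SID = { 1, 5, {0, 0, 0, 0, 0, 5}, {21, 1, 2, 3, 1001} };

/* Portable equivalent of RtlEqualSid so the policy can be tested off-target. */
static int sid_equal(const void *a, const void *b)
{
    const unsigned char *x = a, *y = b;
    if (x[0] != y[0] || x[1] != y[1])      /* revision, sub-authority count */
        return 0;
    return memcmp(x, y, 8u + 4u * x[1]) == 0;
}

/* Hypothetical policy: deny opens requested by BLOCKED_SID. */
static int should_deny(const void *user_sid)
{
    return user_sid != NULL && sid_equal(user_sid, &BLOCKED_SID);
}

#ifdef _KERNEL_MODE
/* Pre-operation callback registered for IRP_MJ_CREATE (runs at PASSIVE_LEVEL). */
FLT_PREOP_CALLBACK_STATUS PreCreate(PFLT_CALLBACK_DATA Data,
                                    PCFLT_RELATED_OBJECTS FltObjects, PVOID *Ctx)
{
    PACCESS_STATE state = Data->Iopb->Parameters.Create.SecurityContext->AccessState;
    PSECURITY_SUBJECT_CONTEXT subj = &state->SubjectSecurityContext;
    PTOKEN_USER user = NULL;
    int deny = 0;
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(Ctx);

    SeLockSubjectContext(subj);
    /* Yields the impersonation token if the thread impersonates, else the primary. */
    if (NT_SUCCESS(SeQueryInformationToken(SeQuerySubjectContextToken(subj),
                                           TokenUser, (PVOID *)&user))) {
        deny = should_deny(user->User.Sid);
        ExFreePool(user);                  /* buffer was allocated by the call */
    }
    SeUnlockSubjectContext(subj);

    if (!deny)
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
    Data->IoStatus.Information = 0;
    return FLT_PREOP_COMPLETE;
}
#endif
```

Because the check runs in the filter rather than in the file system, it applies equally to FAT/exFAT removable volumes where no ACL is stored.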