#20
Posted on: 2002-06-18 09:15
You can pass the thread handle up to Ring 3; there are plenty of ways in Ring 3 to get the owner from it.
#21
Posted on: 2002-06-18 09:22
So it still has to be obtained in Ring 3?
#22
Posted on: 2002-06-18 14:42
Q35 How do I retrieve the "user name" for the user performing a given operation?
User names, per se, are not a concept of the core OS. Rather, users are tracked internally as "security identifiers" or SIDs. It is possible to extract the SID of the current thread. If a "user name" is needed, a user mode service can be used to convert from the SID to the corresponding text user name. This is done using the Win32 function LookupAccountSid, which is documented in the Platform SDK.

The SID of the calling thread can be extracted from its token. This is done by first attempting to open the thread token (ZwOpenThreadTokenEx or NtOpenThreadToken or NtOpenThreadTokenEx). If this fails because the thread has no token, the filter should open the process token (ZwOpenProcessTokenEx or NtOpenProcessToken or NtOpenProcessTokenEx). In either case, the filter will have a handle for a token. The SID can be retrieved from the given token using NtQueryInformationToken or ZwQueryInformationToken. The filter should specify TokenUser as the TOKEN_INFORMATION_CLASS value. The call will return a buffer that contains the TOKEN_USER structure. This structure contains the SID of the token.

Note, however, that obtaining the SID of the current caller is often not precisely what a filter is trying to accomplish. Instead, often the filter wishes to know the SID of the requesting thread. For local calls, this will typically be the same. For remote calls, however, the CIFS server routinely utilizes impersonation during IRP_MJ_CREATE and for some IRP_MJ_SET_INFORMATION operations. Otherwise, the CIFS server uses the local system's credentials. To handle this case, a filter must store away the credential information of the original caller. In the case of IRP_MJ_CREATE the original caller's token is specified as part of the IO_SECURITY_CONTEXT parameter. The ACCESS_STATE structure in turn contains the SECURITY_SUBJECT_CONTEXT and the filter can retrieve a pointer to the token using SeQuerySubjectContextToken. The SID can then be retrieved from the token using SeQueryInformationToken.
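The FAQ quoted above ends at "the TOKEN_USER structure contains the SID". As an added example written for this thread (not OSR's code and not any poster's), the portable C below shows what that SID looks like in memory and what a filter usually does with it before handing it to a user mode service: walk the binary SID returned for TokenUser, render it in the S-1-5-... form that LookupAccountSid callers and log readers recognize, and compare two SIDs byte for byte the way RtlEqualSid does, which is the check a filter needs when deciding whether a request arrived under the local system's credentials as the impersonation caveat describes. The SID bytes are constructed sample values, not taken from any real account, and the function names sid_to_string, sid_string and sid_equal are this example's own.

```c
/* Added example: portable C mirroring what a filter does with the SID inside
 * the TOKEN_USER buffer returned for TokenUser. Not OSR's or any poster's code.
 * The SID bytes are constructed sample values, not from any real account. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Binary SID layout, identical to the NT SID structure:
 *   Revision (1 byte) | SubAuthorityCount (1 byte) |
 *   IdentifierAuthority (6 bytes, big-endian) |
 *   SubAuthority[SubAuthorityCount] (4 bytes each, little-endian) */
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_STRING_MAX 192   /* "S-1-" + 20-digit authority + 15 * "-4294967295" fits */

static size_t sid_length(const uint8_t *sid)
{
    return 8 + 4 * (size_t)sid[1];
}

/* Render a binary SID as S-R-A-S1-...-Sn. Returns characters written, or 0 if the
 * buffer is too small or the SID is malformed/truncated (a cached copy may have
 * been cut short, so the length is always validated before walking it). */
size_t sid_to_string(const uint8_t *sid, size_t sid_len, char *out, size_t out_len)
{
    if (sid_len < 8 || sid[0] != 1 || sid[1] > SID_MAX_SUB_AUTHORITIES) return 0;
    if (sid_length(sid) > sid_len) return 0;

    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | sid[2 + i];

    int n = snprintf(out, out_len, "S-%u-%" PRIu64, (unsigned)sid[0], authority);
    if (n < 0 || (size_t)n >= out_len) return 0;
    size_t pos = (size_t)n;

    for (unsigned i = 0; i < sid[1]; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                     | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        n = snprintf(out + pos, out_len - pos, "-%" PRIu32, sub);
        if (n < 0 || pos + (size_t)n >= out_len) return 0;
        pos += (size_t)n;
    }
    return pos;
}

/* Convenience wrapper with a static buffer; returns "" on failure. */
const char *sid_string(const uint8_t *sid, size_t sid_len)
{
    static char buf[SID_STRING_MAX];
    if (sid_to_string(sid, sid_len, buf, sizeof buf) == 0) buf[0] = '\0';
    return buf;
}

/* Equivalent of RtlEqualSid: same revision and count, byte-identical body. */
int sid_equal(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len)
{
    if (a_len < 8 || b_len < 8 || a[0] != b[0] || a[1] != b[1]) return 0;
    size_t len = sid_length(a);
    if (len > a_len || len > b_len) return 0;
    return memcmp(a, b, len) == 0;
}

/* Constructed sample: a domain-account style SID, S-1-5-21-1000-2000-3000-1001. */
const uint8_t SAMPLE_CALLER_SID[] = {
    0x01, 0x05,                          /* revision 1, 5 sub-authorities */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  /* SECURITY_NT_AUTHORITY (5)     */
    0x15, 0x00, 0x00, 0x00,              /* 21   */
    0xE8, 0x03, 0x00, 0x00,              /* 1000 */
    0xD0, 0x07, 0x00, 0x00,              /* 2000 */
    0xB8, 0x0B, 0x00, 0x00,              /* 3000 */
    0xE9, 0x03, 0x00, 0x00               /* 1001 */
};

/* Well-known SID of the local system account, S-1-5-18: what a filter sees on
 * CIFS server requests that are not impersonating, per the FAQ above. */
const uint8_t LOCAL_SYSTEM_SID[] = {
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("caller SID       : %s\n", sid_string(SAMPLE_CALLER_SID, sizeof SAMPLE_CALLER_SID));
    printf("local system SID : %s\n", sid_string(LOCAL_SYSTEM_SID, sizeof LOCAL_SYSTEM_SID));
    printf("caller is LocalSystem: %s\n",
           sid_equal(SAMPLE_CALLER_SID, sizeof SAMPLE_CALLER_SID,
                     LOCAL_SYSTEM_SID, sizeof LOCAL_SYSTEM_SID) ? "yes" : "no");
    return 0;
}
```

The length check before the sub-authority walk matters in a filter: a TOKEN_USER buffer fresh from the token is well formed, but once the SID has been copied into a per-file cache and handed around, a truncated copy would otherwise be read past its end.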
#23
Posted on: 2002-06-18 22:14
This is from OSR; using it should work. Good luck.
The only thing that may need care: you should deal with this in the create phase, not the read/write phase. If you want to use it in read/write, cache the create-phase user info yourself.
#24
Posted on: 2002-06-19 08:26
> This is from OSR; using it should work. Good luck.
Thanks for your answer first of all. I have some questions about it.
1. What's a "user mode service"? Can I consider it a user mode application? Is it an application?
2. Did you try something like this in the past? If so, can you tell me some of the techniques involved? Thanks.
#25
Posted on: 2002-06-19 10:36
I can't explain it in a few words. You need to see MSDN -> Platform SDK -> Base Services -> Services. It's fully documented.
I only did part of it, not all of what you ask. I detect, as the access happens, whether it comes from the network or just from a local account; I don't need to know the exact user name. Getting the user name from the SID should not be difficult in Ring 3. In the read/write phase, because sometimes the IRP is not handled in the original context, there is no point in dealing with it there. In the create phase (IRP_MJ_CREATE) the system always makes sure it's in the original context, so you can get the user name. Cache it (just using the Filemon hash is OK) and use it in the read/write phase.
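The caching step described in this post (capture the caller at IRP_MJ_CREATE, then look it up during read/write instead of trusting whatever thread the IRP happens to arrive on), as an added example in portable C. It is not the poster's code and not Filemon's hash table. It keys each entry on the FILE_OBJECT pointer, which is the one value a filter sees on every IRP for that open, and drops the entry at IRP_MJ_CLOSE so a recycled pointer cannot alias a stale owner. The owner value is an opaque byte blob (in a real filter, the SID from TokenUser); the keys and blobs below are constructed sample values, the function names owner_cache_* are this example's own, and it assumes a single-threaded caller (a real driver would serialize each operation with a spin lock or ERESOURCE and allocate entries from non-paged pool).

```c
/* Added example: the create-phase capture / read-phase lookup pattern from the
 * post above, in portable C. Not the poster's code and not Filemon's hash table.
 * Keys and owner blobs are constructed sample values. Assumes a single-threaded
 * caller; a real filter would take a spin lock or ERESOURCE around each
 * operation and allocate entries from non-paged pool. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OWNER_MAX 68    /* largest SID: 8 + 4 * 15 sub-authorities */
#define BUCKETS   64

struct owner_entry {
    uintptr_t file_object;      /* key: the FILE_OBJECT pointer carried by every IRP for this open */
    uint8_t   owner[OWNER_MAX]; /* value: the caller's SID captured at IRP_MJ_CREATE */
    size_t    owner_len;
    struct owner_entry *next;   /* collision chain */
};

static struct owner_entry *table[BUCKETS];
static size_t entry_count;

static unsigned bucket_of(uintptr_t key)
{
    /* FILE_OBJECTs are at least 8-byte aligned; drop the always-zero low bits first */
    return (unsigned)(((key >> 3) * 2654435761u) % BUCKETS);
}

/* IRP_MJ_CREATE: the IRP is in the caller's context here, so the SID just read
 * from TokenUser is trustworthy; remember it for this file object. */
int owner_cache_add(uintptr_t file_object, const uint8_t *owner, size_t owner_len)
{
    if (owner == NULL || owner_len == 0 || owner_len > OWNER_MAX) return 0;
    struct owner_entry *e = calloc(1, sizeof *e);
    if (e == NULL) return 0;
    e->file_object = file_object;
    memcpy(e->owner, owner, owner_len);
    e->owner_len = owner_len;
    unsigned b = bucket_of(file_object);
    e->next = table[b];
    table[b] = e;
    entry_count++;
    return 1;
}

/* IRP_MJ_READ / IRP_MJ_WRITE: these may run in an arbitrary thread (paging I/O,
 * cache manager), so the current thread's token says nothing about who opened
 * the file; answer from the cache instead. Returns NULL if the open was never seen. */
const uint8_t *owner_cache_lookup(uintptr_t file_object, size_t *owner_len)
{
    for (struct owner_entry *e = table[bucket_of(file_object)]; e != NULL; e = e->next) {
        if (e->file_object == file_object) {
            if (owner_len) *owner_len = e->owner_len;
            return e->owner;
        }
    }
    return NULL;
}

/* IRP_MJ_CLOSE: the file object is being destroyed; drop the entry so that a
 * later FILE_OBJECT allocated at the same address is not mistaken for this one. */
int owner_cache_remove(uintptr_t file_object)
{
    for (struct owner_entry **pp = &table[bucket_of(file_object)]; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->file_object == file_object) {
            struct owner_entry *victim = *pp;
            *pp = victim->next;
            free(victim);
            entry_count--;
            return 1;
        }
    }
    return 0;
}

size_t owner_cache_count(void) { return entry_count; }

int main(void)
{
    /* Constructed sample: two opens by different owners, then a read and a close. */
    const uint8_t user_sid[]   = { 0x01, 0x01, 0, 0, 0, 0, 0, 5, 0x15, 0, 0, 0 }; /* sample blob */
    const uint8_t system_sid[] = { 0x01, 0x01, 0, 0, 0, 0, 0, 5, 0x12, 0, 0, 0 }; /* S-1-5-18 */
    owner_cache_add(0xE1234000u, user_sid, sizeof user_sid);
    owner_cache_add(0xE5678000u, system_sid, sizeof system_sid);

    size_t len = 0;
    const uint8_t *who = owner_cache_lookup(0xE1234000u, &len);
    printf("read on first open : owner %s (%zu bytes)\n", who ? "found" : "unknown", len);
    owner_cache_remove(0xE1234000u);
    who = owner_cache_lookup(0xE1234000u, &len);
    printf("read after close   : owner %s\n", who ? "found" : "unknown");
    return 0;
}
```

Tearing the entry down at IRP_MJ_CLOSE rather than IRP_MJ_CLEANUP is deliberate: paging reads and writes for the file can still arrive after cleanup, and they are exactly the requests for which the current thread context is meaningless.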
#26
Posted on: 2002-06-19 10:55
Thanks, I have looked at services and now have an idea of what a service is.
I will try what you told me, and if there are any problems later, please don't hesitate to tell me. Thanks a second time.
#27
Posted on: 2002-06-24 15:20
good
#28
Posted on: 2002-08-21 23:37
The tokenmon source can be downloaded from www.sysinternals.com; it gets the owner of the currently active process (thread), such as the user name and logon ID (logonid). With the logon ID you can then get the corresponding host name. Under Win2000 my approach is to configure the security audit policy: when a remote user logs on to this machine, the system produces a corresponding log entry. By calling API functions the log can be opened and the host name corresponding to the logon ID extracted. But I don't feel this approach is good. Does anyone have a better way to find the corresponding host name from the logon ID (logonid)? [Edited - 8/21/02 by devil_jie]
#29
Posted on: 2002-08-21 23:42
I think so!
#30
Posted on: 2002-08-25 18:00
Learned a lot here. Does anyone have some related code to post?
Thanks, masters :)