sjsshine

Does the IRP carry the user name of the current operation? How can it be obtained?

OP#
Posted on: 2005-03-28 17:01
Experts, please advise!
How does FileMon obtain the user name for the current operation?
Is it in the IRP? Please tell me the exact variable name.
Many thanks for helping a newbie.

驱动老牛
#1
Posted on: 2005-03-29 12:51
The approach that I've always taken to this is to capture the SID of the
caller during the IRP_MJ_CREATE handling.

Here is the code that we routinely use.  It does not use the ACCESS_TOKEN in
the IRP and it can be called successfully in the IRP_MJ_CREATE entry path
because you're a highest level driver (and hence guaranteed to be called at
IRQL_PASSIVE_LEVEL) and you are called with correct security context.

    //
    // Demonstrate how to retrieve the SID for the caller.  Typically, this
    // information is sent to the user application for further processing.
    // We've included it here simply to demonstrate how to retrieve this
    // information.
    //
    // The approach we use is to first try and open the thread token.  If
    // that fails, we open the process token (which always works) and then
    // use the token handle (in either case) to query the SID information
    // for the token.
    //
    // Declarations added so the fragment compiles as posted: ntifs.h supplies
    // the Zw* token routines, TOKEN_USER, PISID and SECURITY_MAX_SID_SIZE.
    //
    #include <ntifs.h>

    NTSTATUS code;
    HANDLE   handle = NULL;
    ULONG    tokenInfoLength = 0;
    ULONG    index;
    PISID    sid;
    //
    // TOKEN_USER is a SID_AND_ATTRIBUTES whose Sid pointer refers back into
    // this same buffer, so TOKEN_USER plus the largest possible SID is
    // always large enough for the TokenUser query.
    //
    UCHAR    buffer[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE];

    code = ZwOpenThreadToken(NtCurrentThread(), TOKEN_READ, TRUE, &handle);

    if (code == STATUS_NO_TOKEN) {

        //
        // Since we don't have a thread level token we'll use the process
        // level token.  This is the common case (in fact) since the only
        // time a thread has a token is when it is impersonating.
        //

        code = ZwOpenProcessToken(NtCurrentProcess(), TOKEN_READ, &handle);

    }

    ASSERT(NT_SUCCESS(code));

    //
    //  Retrieve the user information from the token.  Note that this can be
    //  used to query twice (once to get the size of the needed buffer.)  For
    //  this example we've allocated a buffer that should always be large
    //  enough.
    //

    code = ZwQueryInformationToken(handle, TokenUser, buffer,
                                   sizeof(buffer), &tokenInfoLength);

    //
    // This call should always work.
    //

    ASSERT(NT_SUCCESS(code));

    //
    // The SID lives inside the buffer we just filled; the TOKEN_USER header
    // points at it.  The token handle is not needed once it has been queried.
    //

    sid = (PISID)((PTOKEN_USER)buffer)->User.Sid;
    ZwClose(handle);

    //
    // For this example, we print out the SID contents.  If you wanted to
    // pass it to the user mode caller, you'd copy it into their buffer
    // (wherever you'd like!)
    //

    DbgPrint("*** BEGIN SID Dump ***\n");

    DbgPrint("Caller's SID (Revision %u, SubAuthorityCount %u):\n",
             sid->Revision,
             sid->SubAuthorityCount);

    DbgPrint("\tIdentifierAuthority = %u-%u-%u-%u-%u-%u\n",
             sid->IdentifierAuthority.Value[0],
             sid->IdentifierAuthority.Value[1],
             sid->IdentifierAuthority.Value[2],
             sid->IdentifierAuthority.Value[3],
             sid->IdentifierAuthority.Value[4],
             sid->IdentifierAuthority.Value[5]);

    if (sid->SubAuthorityCount) {
        DbgPrint("\tSubAuthority =");

        for (index = 0; index < sid->SubAuthorityCount; index++) {

            if (index) {
                DbgPrint("-");
            }

            DbgPrint("%u", sid->SubAuthority[index]);

        }

        DbgPrint("\n");

    }

    DbgPrint("*** END SID Dump ***\n");
--- Kernel development cooperation or basic technical services, QQ: 22863668 ---
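The dump above prints the authority bytes and each subauthority separately. As an added example that is not part of the original post, this portable C code turns the same fields into the familiar S-1-5-... string that a monitor such as FileMon shows or logs; it declares a local mirror of the Windows SID layout so it builds without the WDK headers, and the two sample SIDs are constructed values, not real accounts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Portable mirror of the Windows SID layout the driver reads out of TOKEN_USER,
 * declared locally so this example builds without the WDK headers. */
typedef struct { uint8_t Value[6]; } SidIdentifierAuthority; /* 48-bit big-endian */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    SidIdentifierAuthority IdentifierAuthority;
    uint32_t SubAuthority[15];   /* SID_MAX_SUB_AUTHORITIES is 15 */
} Sid;

/* Render a SID as the standard S-R-I-S-S... string (the form FileMon displays).
 * Returns the number of characters written, or -1 on a malformed SID or a short buffer. */
int format_sid(const Sid *sid, char *out, size_t outlen)
{
    uint64_t authority = 0;
    size_t pos;
    int n, i;
    if (sid->Revision != 1 || sid->SubAuthorityCount > 15)
        return -1;
    for (i = 0; i < 6; i++)
        authority = (authority << 8) | sid->IdentifierAuthority.Value[i];
    /* Authorities below 2^32 print in decimal, larger ones in hex, as Windows does. */
    if (authority < (1ULL << 32))
        n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid->Revision, (unsigned long long)authority);
    else
        n = snprintf(out, outlen, "S-%u-0x%012llX", (unsigned)sid->Revision, (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    pos = (size_t)n;
    for (i = 0; i < sid->SubAuthorityCount; i++) {
        n = snprintf(out + pos, outlen - pos, "-%lu", (unsigned long)sid->SubAuthority[i]);
        if (n < 0 || (size_t)n >= outlen - pos)
            return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}
/* Format and compare in one step: 1 on match, 0 on mismatch or formatting error. */
int sid_equals_string(const Sid *sid, const char *expected)
{
    char text[256];
    return format_sid(sid, text, sizeof text) >= 0 && strcmp(text, expected) == 0;
}
/* Constructed samples (not real accounts): a domain user SID and the well-known Everyone SID. */
static const Sid kSampleUser = { 1, 5, {{0, 0, 0, 0, 0, 5}}, {21, 1234, 5678, 9012, 500} };
static const Sid kEveryone   = { 1, 1, {{0, 0, 0, 0, 0, 1}}, {0} };
```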
aasa2
#2
Posted on: 2005-03-29 13:40
This approach is very good.
Technical exchange: aasa2@21cn.com QQ group: 10863699