CallbackFilter.GetOriginatorToken method





Returns the security token of the process that initiated the operation.


[Pascal]
    function GetOriginatorToken : THandle;

[C++ (Lib)]
    HANDLE GetOriginatorToken(void);

[C++ (VCL)]
    unsigned __fastcall GetOriginatorToken(void);

[C++ (.NET)]
    IntPtr GetOriginatorToken(void);

[C#]
    IntPtr GetOriginatorToken();

[VB.NET]
    Function GetOriginatorToken() As IntPtr

Return values

Handle to the token if the function succeeded or INVALID_HANDLE_VALUE if the function failed.


Use GetOriginatorToken to get the security token of the process that originated the operation. You can use the security token to retrieve various security-related information with the GetTokenInformation() function of the Windows API.

Call this method only from callback / event handlers.

Do not call this method from handlers for OnReadFile*, OnWriteFile* and other callbacks that work with opened files, because those callbacks can be initiated by system components (cache manager, memory manager, etc.). Instead, do the following:

  1. Call GetOriginatorToken from the OnPostCreateFileC and OnPostOpenFileC event handlers / callbacks and obtain the security information you need using this token;
  2. Store the obtained information somewhere and store a reference to this information in the UserContext parameter;
  3. When you need to check the originator information in some file-related callback, access the stored information via UserContext.

It makes sense to collect all the information you expect to need when the file is created, and then close the security token.

NOTE: you must call the CloseHandle() function of the Windows API to close the obtained token handle.
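
The capture-and-close part of the steps above, as an added C# example (not code from the CallbackFilter documentation or samples). It uses .NET's WindowsIdentity class in place of direct GetTokenInformation() calls; the names OriginatorInfo, OriginatorTokens and CaptureAndClose are hypothetical, and the event-handler wiring and UserContext assignment are omitted because their signatures are not given on this page.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical snapshot type: holds only plain values, so it stays valid
// after the token handle is closed and can be referenced from UserContext.
public sealed class OriginatorInfo
{
    public string AccountName { get; }
    public string Sid { get; }      // null if the token carries no user SID
    public bool IsSystem { get; }   // token belongs to the SYSTEM account
    public bool IsGuest { get; }    // Windows identifies the token as a Guest account

    public OriginatorInfo(string accountName, string sid, bool isSystem, bool isGuest)
    {
        AccountName = accountName;
        Sid = sid;
        IsSystem = isSystem;
        IsGuest = isGuest;
    }
}

public static class OriginatorTokens
{
    private static readonly IntPtr InvalidHandleValue = new IntPtr(-1);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr handle);

    // 'token' is the value returned by GetOriginatorToken() inside a
    // post-create / post-open handler. Returns null if that call failed.
    public static OriginatorInfo CaptureAndClose(IntPtr token)
    {
        if (token == InvalidHandleValue || token == IntPtr.Zero)
            return null;
        try
        {
            // WindowsIdentity duplicates the handle internally, so the
            // original handle still has to be closed in the finally block.
            using (var identity = new WindowsIdentity(token))
            {
                return new OriginatorInfo(identity.Name, identity.User?.Value,
                                          identity.IsSystem, identity.IsGuest);
            }
        }
        finally
        {
            CloseHandle(token); // required by the NOTE above
        }
    }
}
```
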

Network access
If you monitor a disk that is shared, you might want to get security information (account name etc.) of the user who accesses the disk across the network. Disks can be shared in several modes in Windows:

  • The first is authenticated mode. In this case the network redirector (the process that receives remote disk requests and directs them to the disk driver) impersonates the account of the calling user, and the GetOriginatorToken method returns the account information of that caller.
  • The next is guest mode. In this mode GetOriginatorToken returns the information of the GUEST account.
  • The third mode is administrative shares (those that exist by default and are named C$, D$ etc.). For such shares GetOriginatorToken returns the information of the LOCAL_SYSTEM account.
