
Question

I am monitoring a directory using ReadDirectoryChangesExW. I have this code working fine and was wondering if anyone knows of a method to determine what user on windows could be associated with a given file system change (in the form of FILE_NOTIFY_EXTENDED_INFORMATION).

Approaches

My initial research has been based on querying a fileid to determine the last user who touched the file--but I could not find much on MSDN. Admittedly I could just be failing to find the relevant info I need in the sea of information that is MSDN.

I have also researched iterating sessions and determining an active session. My problem is what about the possibility of multiple sessions being open? I feel like assuming only one active session would be a bad assumption, but maybe it holds even with RDP?

The other issue I have is Disconnected Sessions having no real information associated with them. I have two sessions on my dev machine, my user account (session ID 1), which I expect, and a session ID 0 which has no userName associated with it and shows up as WTS_STATE::Disconnected.

I found another question where someone had similar output with their session 0:

    session=0, stationName = Services
    WTSQuerySessionInformationW - session 0 - WTSInitialProgram failed - error=87 - The parameter is incorrect.

    WTSQuerySessionInformationW - session 0 - WTSApplicationName failed - error=87 - The parameter is incorrect.

    WTSQuerySessionInformationW - session 0 - WTSWorkingDirectory returned ""
    WTSQuerySessionInformationW - session 0 - WTSOEMId returned ""
    WTSQuerySessionInformationW - session 0 - WTSSessionId returned ""
    WTSQuerySessionInformationW - session 0 - WTSUserName returned ""
    WTSQuerySessionInformationW - session 0 - WTSWinStationName returned "Services"
    WTSQuerySessionInformationW - session 0 - WTSDomainName returned ""
    WTSQuerySessionInformationW - session 0 - WTSConnectState returned "♦"
    WTSQuerySessionInformationW - session 0 - WTSClientBuildNumber returned ""
    WTSQuerySessionInformationW - session 0 - WTSClientName returned ""
    WTSQuerySessionInformationW - session 0 - WTSClientDirectory returned ""
    WTSQuerySessionInformationW - session 0 - WTSClientProductId returned ""
    WTSQuerySessionInformationW - session 0 - WTSClientHardwareId returned ""
    WTSQuerySessionInformationW - session 0 - WTSClientAddress returned ""
    WTSQuerySessionInformationW - session 0 - WTSClientDisplay returned ""
    WTSQuerySessionInformationW - session 0 - WTSClientProtocolType returned ""
    GetShellProcessNameFromUserPolicy - Error: Unable to open policy key - returned [2]
    GetShellProcessName succeseded - explorer.exe

Is there any reason why I would be getting this sort of output for session 0?

Dean Knight
  • `ReadDirectoryChangesExW` simply does not provide the information you are looking for. You might need to use the [Change Journal](https://learn.microsoft.com/en-us/windows/win32/fileio/change-journals) instead. – Remy Lebeau Aug 01 '23 at 18:57
  • @RemyLebeau Even with a fileID, nothing can be queried to understand what user has touched what? I know this information can be logged from an infosec/IT perspective in windows, so there has got to be something C++-side allowing that to happen. I would think there is somewhere that information from ReadDirectoryChangesExW would be useful for cross-checking. Perhaps change journals are the best I am going to do. The problem is, [I have not had much luck with change journals so far either](https://stackoverflow.com/questions/76771974/iterating-change-journal-resulting-in-blank-filenames). – Dean Knight Aug 01 '23 at 19:21
  • The fileID identifies the file itself, not the user who touches the file. The Change Journal does have a security ID on the file, not sure if that is useful. You might have to resort to other system logs to get the user info. You are not going to get it from `ReadDirectoryChangesExW`. – Remy Lebeau Aug 01 '23 at 19:34
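The session-enumeration approach the question considers can be made concrete from the administration side. The following PowerShell script is an added example (not code from the question or its comments): it lists logon sessions through the Win32_LogonSession CIM class, resolves the associated account where one exists, and classifies each session by logon type. Non-interactive sessions (System, Service, Network) carry no user name, which is the same picture the WTS output above shows for the "Services" session; the script also flags the case the question worries about, several interactive (console or RDP) accounts being logged on at once, where a single change cannot be pinned to one of them from the session list alone. The logon-type table is the documented Win32_LogonSession.LogonType mapping; no real host data is embedded.

```powershell
# Added example: enumerate logon sessions and separate interactive (console/RDP)
# logons from the service/system/network ones that never carry a user name.
$logonTypeNames = @{
    0  = 'System'
    2  = 'Interactive'        # local console logon
    3  = 'Network'            # SMB / RPC client, no desktop
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'  # RDP / Terminal Services
    11 = 'CachedInteractive'
}

function Get-LogonSessionSummary {
    Get-CimInstance -ClassName Win32_LogonSession | ForEach-Object {
        $session = $_
        # Win32_LoggedOnUser associates a session with zero or one Win32_Account.
        $account = Get-CimAssociatedInstance -InputObject $session -ResultClassName Win32_Account |
                   Select-Object -First 1
        [pscustomobject]@{
            LogonId   = $session.LogonId
            LogonType = $logonTypeNames[[int]$session.LogonType]
            Account   = if ($account) { "$($account.Domain)\$($account.Name)" } else { '<none>' }
            StartTime = $session.StartTime
        }
    }
}

# Only console and RDP logons correspond to a person at a desktop; everything
# else has no user name to show, exactly as the 'Services' session above.
$all = Get-LogonSessionSummary
$all | Sort-Object LogonType | Format-Table -AutoSize

$candidates = $all |
    Where-Object { $_.LogonType -in 'Interactive', 'RemoteInteractive', 'CachedInteractive' } |
    Sort-Object Account -Unique

if (@($candidates).Count -gt 1) {
    Write-Warning ("{0} interactive accounts are logged on; a file change cannot be " +
                   "attributed to one of them from the session list alone.") -f @($candidates).Count
}
```

The LogonId column is the same value that appears as SubjectLogonId in Security-log events, so it is the key to use if the session list is later joined against audit records.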

1 Answer


As far as I'm concerned, you couldn't determine who modified a file via winapi directly. In any case, the help of the host operating system is required. Windows and NTFS allow you to audit a particular directory and log the accesses in the Security event log for the host machine.

For more details, I suggest you could refer to: https://stackoverflow.com/a/8406836

Jeaninez - MSFT
  • @Dean Knight Have you got any updates about this issue? Could you please check my answer? – Jeaninez - MSFT Aug 10 '23 at 06:09
  • Yeah I suppose the answer just is "It is not possible without NTFS". I have resorted to iterating through who is logged in and using that to help determine who (or even a small set of possible people) are making the file changes. – Dean Knight Aug 15 '23 at 13:23
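The auditing route the answer recommends, carried through end to end, as an added PowerShell example that is not part of the answer or the linked post. It enables the "File System" object-access audit subcategory, puts a SACL on the monitored directory so that writes and deletes by any account are recorded, and then provides a function that reads the resulting 4663 events ("An attempt was made to access an object") from the Security log and returns the account, logon ID and process behind a given path, which is the correlation the question asked for. The directory path and file name are placeholders; the script must run from an elevated prompt because writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example: turn on NTFS object-access auditing for one directory and map a
# changed path back to the account that touched it via Security log event 4663.
# $target is a placeholder; point it at the directory the watcher monitors.
$target = 'C:\PLACEHOLDER\watched'

# 1. Enable the audit-policy subcategory that produces 4663 for file objects.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit ACE (SACL) on the directory: log writes/deletes by anyone,
#    inherited by files and subdirectories.
$acl     = Get-Acl -Path $target -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 3. Resolve the actor for a path that the directory watcher reported.
function Get-FileChangeActor {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [datetime] $Since = (Get-Date).AddMinutes(-5)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                LogonId     = $d.SubjectLogonId   # joins to the 4624 logon event / session list
                ObjectName  = $d.ObjectName
                AccessMask  = $d.AccessMask       # which rights were exercised (write, delete, ...)
                ProcessName = $d.ProcessName
            }
        } |
        Where-Object { $_.ObjectName -like "$Path*" }
}

# Usage for a path reported by the watcher (placeholder file name):
Get-FileChangeActor -Path (Join-Path $target 'report.docx') | Format-Table -AutoSize
```

Two practical notes: 4663 is emitted per handle access, so a single edit typically yields several records for the same object, and the ObjectName in the event is the full path at the time of access, which is why the lookup matches on the path the watcher reported rather than on a file ID. The SubjectLogonId field is the bridge to session data: the same value appears in the 4624 logon event and in Win32_LogonSession.LogonId.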