The first option for determining the user responsible for originating a given IRP is perhaps the most obvious, if you happen to be a top-level driver. Top-level drivers are simply those drivers that are at the top of a device stack, and that are directly called by system calls (through the kernel). Filesystems can be top-level drivers, whereas network card drivers never are.
Why is this distinction relevant? Well, there are a couple of features that allow you to make some assumptions if you know you’re going to be top-level (sometimes). The first such assumption is that you will be in the context of the caller of the system call. Given that, you could simply get the process via IoGetCurrentProcess(), and from there, figure out who owns it using some IFSKit-supplied magic.
There are two problems with this design. First, the owner of the thread that’s making the request might not be the owner of the process at all. The thread could be impersonating another user. So, you have to query the thread before the process – not too difficult. However, the real flaw here is that we might not be in the original thread context at all.
Although most commonly seen in filesystems and their related filter drivers, technically any filter driver can “post” an IRP off to a system worker thread or to a driver-created thread designed to process IRPs at a later time. The reasons for doing this are many and varied, but the point is that once these requests are posted off to another thread, you’re not in the same thread context any more, let alone in the same process context. Therefore, your results will be wrong.
How common of a scenario this is can be hard to say. It would be trivial to write a driver that just attaches itself to any given device object in the system and then passes through all of its IRPs from a worker thread. Filesystem filter drivers seem to do this sort of thing often. Does this mean that you can *never* assume you’re going to be a “top-level” driver, because any idiot could legally layer on top of your device object? Things that make you go “Hmmm….”
Next up: a refinement, and another problem.