Access under Win7 with user rights to a PnP driver fails

Hello everybody,

I have a problem with accessing my plug and play virtual smartcard
reader driver under
Windows 7 64-bit with standard user rights (no administrator).

With administrator rights everything works fine.

I have already set the SDDL rights in the EvtDeviceAdd callback method.

    //
    // SYSTEM gets full access; Administrators, Everyone and restricted
    // callers get read/write/execute on the device object.
    //
    status = WdfDeviceInitAssignSDDLString(DeviceInit,
                 &SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("WdfDeviceInitAssignSDDLString failed\n"));
    }

    //
    // Create a framework device object. This call will in turn create
    // a WDM device object, attach to the lower stack, and set the
    // appropriate flags and attributes.
    //
    status = WdfDeviceCreate(&DeviceInit, &attributes, &device);
    if (!NT_SUCCESS(status)) {
        SmartcardLogError(
            WdfDriverWdmGetDriverObject(WdfGetDriver()),
            VCR_INSUFFICIENT_RESOURCES,
            NULL,
            0
            );
        return status;
    }

I thought this should be enough to get access in user mode, but it
doesn't work.

I also tried to set the security registry entries in the INF file, but
this doesn't work either.

Then I tried to change my driver to a non plug and play driver like in the
ioctl KMDF example (nonpnp),
and then my access problems disappeared (with the same SDDL rights string),
but then I got other problems.

    //
    // In order to create a control device, we first need to allocate a
    // WDFDEVICE_INIT structure and set all properties.
    //
    pInit = WdfControlDeviceInitAllocate(
                hDriver,
                &SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX
                );

    if (pInit == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        return status;
    }

    //
    // Call NonPnpDeviceAdd to create a device object to represent our
    // software device.
    //
    status = EvtDeviceAdd(hDriver, pInit);

With the non-PnP version of my driver I got an error in the following
method:

    //
    // Tell the Framework that this device will need an interface
    //
    status = WdfDeviceCreateDeviceInterface(
                 device,
                 &SmartCardReaderGuid,
                 NULL // ReferenceString
                 );

with status 0xC0000010.

So finally I changed back to my PnP version, but then I had the access
right problems again.

Some more information:

  • CreateFile can be called from 2 different places (from the scmLib (smart
    card library) and from my user program);
    the problem is the access from my user program, but only in user mode.

  • access to the driver is made by my user program with
        // Create IOCTL communications channel to driver
        m_hDevice = CreateFile(DEVICE_NAME,
                               GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE,
                               NULL, OPEN_EXISTING,
                               FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,
                               NULL);

which failed with no administrator rights.

Hopefully someone has a hint about what might be wrong. If you need more
information about my driver, please let
me know.

regards,

Michael
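The following is an added example and not code from the original post or from the WDK: a small portable C parser that decodes the DACL part of an SDDL string and reports the generic access it grants to a given SID abbreviation. The string it checks is the documented expansion of SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX from wdmsec.h, copied in as a plain constant so the program builds without the WDK. It shows that the string itself already grants Everyone (WD) generic read, write and execute, so an access-denied on CreateFile with that string assigned points at something other than the string's contents, which is what the later questions in this thread (INF, devnode registry security, upper filters) probe. Two simplifications are assumptions of this example rather than kernel behaviour: GA is expanded to GR|GW|GX (the real check uses the object's GENERIC_MAPPING) and any deny ACE wins regardless of its position.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Generic access bits; the values match ACCESS_MASK in winnt.h. */
#define GENERIC_READ_BIT    0x80000000u
#define GENERIC_WRITE_BIT   0x40000000u
#define GENERIC_EXECUTE_BIT 0x20000000u
#define GENERIC_ALL_BIT     0x10000000u

/* Documented expansion of SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX
 * (wdmsec.h), copied here so this builds without the WDK.
 * SY = SYSTEM, BA = Administrators, WD = Everyone, RC = restricted code. */
const char *const kDevObjSddl =
    "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)";

/* Turn the generic-rights letter pairs of an ACE rights field into a mask;
 * other SDDL rights tokens (object-specific rights) are ignored here. */
static unsigned rights_mask(const char *s, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i + 1 < n; i += 2) {
        if (!strncmp(s + i, "GA", 2))      mask |= GENERIC_ALL_BIT;
        else if (!strncmp(s + i, "GR", 2)) mask |= GENERIC_READ_BIT;
        else if (!strncmp(s + i, "GW", 2)) mask |= GENERIC_WRITE_BIT;
        else if (!strncmp(s + i, "GX", 2)) mask |= GENERIC_EXECUTE_BIT;
    }
    return mask;
}

/* Generic access the "D:" section grants to one SID alias such as "WD".
 * Walks every "(type;flags;rights;objguid;inhguid;sid)" ACE, collects the
 * allow and deny masks for that SID and returns allow & ~deny.
 * Assumptions: GA expands to GR|GW|GX, deny always wins, two-letter aliases only. */
unsigned sddl_effective_access(const char *sddl, const char *sid)
{
    const char *p = strstr(sddl, "D:");
    unsigned allow = 0, deny = 0;
    if (p == NULL)
        return 0;
    for (p = strchr(p, '('); p != NULL; p = strchr(p + 1, '(')) {
        const char *end = strchr(p, ')');
        const char *f[6];
        size_t len[6];
        int nf = 0;
        const char *q = p + 1;
        unsigned m;

        if (end == NULL)
            break;
        /* split the ACE body on ';' into its first six fields */
        while (nf < 6 && q <= end) {
            const char *semi = memchr(q, ';', (size_t)(end - q));
            const char *stop = semi ? semi : end;
            f[nf] = q;
            len[nf] = (size_t)(stop - q);
            nf++;
            if (semi == NULL)
                break;
            q = semi + 1;
        }
        if (nf != 6)
            continue;                   /* malformed ACE: skip it */
        if (len[5] != strlen(sid) || strncmp(f[5], sid, len[5]) != 0)
            continue;                   /* ACE is for another SID */
        m = rights_mask(f[2], len[2]);
        if (m & GENERIC_ALL_BIT)
            m |= GENERIC_READ_BIT | GENERIC_WRITE_BIT | GENERIC_EXECUTE_BIT;
        if (len[0] == 1 && f[0][0] == 'A')
            allow |= m;
        else if (len[0] == 1 && f[0][0] == 'D')
            deny |= m;
    }
    return allow & ~deny;
}

/* True if the DACL grants the SID both generic read and generic write,
 * i.e. what a CreateFile(GENERIC_READ | GENERIC_WRITE) caller asks for. */
bool sddl_grants_read_write(const char *sddl, const char *sid)
{
    unsigned a = sddl_effective_access(sddl, sid);
    return (a & GENERIC_READ_BIT) && (a & GENERIC_WRITE_BIT);
}

int main(void)
{
    /* constructed comparison string that admits SYSTEM and Administrators only */
    const char *admin_only = "D:P(A;;GA;;;SY)(A;;GA;;;BA)";
    const char *sids[] = { "SY", "BA", "WD", "RC", "BU" };
    for (size_t i = 0; i < sizeof sids / sizeof sids[0]; i++)
        printf("%s  devobj string R/W: %s   admin-only string R/W: %s\n", sids[i],
               sddl_grants_read_write(kDevObjSddl, sids[i]) ? "yes" : "no",
               sddl_grants_read_write(admin_only, sids[i]) ? "yes" : "no");
    return 0;
}
```

Running it prints "yes" for WD under the device-object string and "no" under the admin-only one; the same parser can be pointed at the Security directive of an INF or at the SDDL form of a devnode's registry descriptor to compare what each source would grant.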

  1. Do you actually need GENERIC_READ *and* GENERIC_WRITE? It depends on how your IOCTL codes are defined.
  2. FILE_SHARE arguments don’t matter for a device.
  3. FILE_ATTRIBUTE_NORMAL is only used for a filesystem file.

Do you have the security descriptor specified in your INF or in the registry for the devnode?
Did you assign a name to your device, or ask for an autogenerated name?

  • I need read and write access for some IOCTLs
  • as I said in my last post, I tried to specify the security descriptor
    in the INF file with no success
  • yes, I assign a name before assigning the security descriptor
        status = WdfDeviceInitAssignName(DeviceInit, &ntDeviceName);


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


This e-mail is virus-free.
Checked by AVG - www.avg.de
Version: 2012.0.2197 / Virus database: 2437/5252 - Release date: 06.09.2012

Is your device at the top of the stack, or is there an upper filter?

Yes, it's top of stack, no upper filter.
