WdfDeviceInitAssignSDDLString does not appear to do anything

Hello,

I am trying to allow any authenticated user to access my KMDF driver.
To do so I added the following code to my EvtDriverDeviceAdd handler:

DECLARE_CONST_UNICODE_STRING(sddlString, L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;AU)(A;;GA;;;BG)");
ANSI_STRING ansiStrName;

status = WdfDeviceInitAssignSDDLString(DeviceInit, &sddlString);
if (NT_SUCCESS(status))
{
    // The ANSI copy exists only for the trace message; it is allocated by the
    // conversion (AllocateDestinationString == TRUE) and freed right after use.
    if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiStrName, &sddlString, TRUE)))
    {
        TraceEvents(TRACE_LEVEL_INFORMATION, DBG_PNP, "Assigned SDDL string: %s", ansiStrName.Buffer);
        RtlFreeAnsiString(&ansiStrName);
    }
}
else
{
    TraceEvents(TRACE_LEVEL_ERROR, DBG_PNP, "WdfDeviceInitAssignSDDLString failed %!STATUS!", status);
    return status;
}

The TraceView application shows that the WdfDeviceInitAssignSDDLString call was successful, but WinObj still shows that only SYSTEM and Administrators have permission to access the device.

I call WdfDeviceInitAssignSDDLString between WdfDeviceInitAssignName and WdfDeviceCreate if it matters.

I do not have HKR,DeviceCharacteristics and HKR,Security entries in the driver’s inf file.

The driver is test-signed and running on Win7 64-bit, and there is no problem accessing it from an Administrator account.

I am wondering if I missed or do not understand something.

Thanks.

Are you naming your FDO? Are you looking at the PDO or FDO in WinObj? The best way to do this is via the INF, as it removes ambiguity and applies the security to each device object in the stack.



From: xxxxx@lists.osr.com on behalf of boris.shikhalev@l-3com.com <boris.shikhalev>
Sent: Monday, December 5, 2016 3:03:45 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] WdfDeviceInitAssignSDDLString does not appear to do anything



NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:></boris.shikhalev>

Yes, I named my FDO and looked at the FDO in WinObj. I tried to set class-wide permissions through the INF file:

[ClassInstall32]
AddReg=TaClassReg

[TaClassReg]
HKR,0,%TaClassName%
HKR,Icon,-5
HKR,DeviceCharacteristics,0x10001,0x100
HKR,Security,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;AU)(A;;GA;;;BG)"

but it did not change anything. I see an 'HKLM\SYSTEM\CCS\Control\Class\{class GUID}\Properties\Security' value that appears after installation of the driver, but it is binary and I do not know how to decode it.

I uninstalled the driver and then manually deleted the class entry in the registry. Everything works as expected after re-installation of the driver.

Thanks!
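The binary Properties\Security value mentioned above is a self-relative SECURITY_DESCRIPTOR, which is what the SDDL string is compiled into before the kernel applies it. The Python below round-trips between the two for the DACL subset used in this thread (D:, optional P, A/D ACEs with generic or hex rights, well-known SID aliases); it is an added example, not code from the thread or from the WDK, and the blob it decodes is constructed by its own encoder rather than read from a real registry. On a live machine the bytes of that REG_BINARY value are what you would hand to sd_to_sddl; Windows' own ConvertSecurityDescriptorToStringSecurityDescriptor does the same decoding.

```python
"""Round-trip an SDDL DACL string and the self-relative SECURITY_DESCRIPTOR
blob that a REG_BINARY "Security" value holds. Structures follow winnt.h
(SECURITY_DESCRIPTOR_RELATIVE, ACL, ACCESS_ALLOWED_ACE, SID); only the
DACL subset used in this thread is supported."""
import struct

# SECURITY_DESCRIPTOR control bits (winnt.h)
SE_DACL_PRESENT = 0x0004
SE_DACL_PROTECTED = 0x1000    # the "P" in "D:P(...)": block inheritance
SE_SELF_RELATIVE = 0x8000

# Well-known SDDL aliases (subset); anything else must be written as S-1-...
SID_ALIASES = {
    "SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
    "BG": "S-1-5-32-546", "AU": "S-1-5-11", "IU": "S-1-5-4", "WD": "S-1-1-0",
}
ALIAS_BY_SID = {sid: alias for alias, sid in SID_ALIASES.items()}

GENERIC_RIGHTS = [("GA", 0x10000000), ("GR", 0x80000000),
                  ("GW", 0x40000000), ("GX", 0x20000000)]
ACE_FLAGS = [("OI", 0x01), ("CI", 0x02), ("NP", 0x04), ("IO", 0x08), ("ID", 0x10)]
ACE_TYPES = {"A": 0, "D": 1}            # ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE
ACE_TYPE_NAMES = {v: k for k, v in ACE_TYPES.items()}


def _pack_flags(text, table):
    """'GRGW' -> 0xC0000000 from a (name, bit) table; a 0x literal passes through."""
    if text.startswith("0x"):
        return int(text, 16)
    bits = dict(table)
    value = 0
    for i in range(0, len(text), 2):
        value |= bits[text[i:i + 2]]    # KeyError for a token this subset does not know
    return value


def _unpack_flags(value, table):
    """Inverse of _pack_flags; falls back to a hex mask when bits have no SDDL name."""
    named = [(name, bit) for name, bit in table if value & bit]
    if sum(bit for _, bit in named) != value:
        return "0x%08x" % value
    return "".join(name for name, _ in named)


def sid_to_bytes(sid):
    """'S-1-5-32-544' -> revision, sub-authority count, 48-bit big-endian authority, sub-authorities."""
    parts = sid.split("-")              # ['S', '1', '5', '32', '544']
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(buf, off):
    """Decode a binary SID at offset `off`; returns (sid_string, offset_after_sid)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), off + 8 + 4 * count


def sddl_to_sd(sddl):
    """Encode 'D:[P](type;flags;rights;;;sid)...' as a self-relative SECURITY_DESCRIPTOR."""
    if not sddl.startswith("D:"):
        raise ValueError("only a DACL (D:) string is supported")
    body = sddl[2:]
    if body == "NO_ACCESS_CONTROL":     # present-but-NULL DACL: no ACL bytes, Dacl offset 0
        return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 0)
    protected = body.startswith("P")
    if protected:
        body = body[1:]
    ace_blobs = []
    for ace in filter(None, body.replace("(", "").split(")")):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
        sid_blob = sid_to_bytes(SID_ALIASES.get(sid, sid))
        # ACE_HEADER (type, flags, size) + ACCESS_MASK, followed by the SID
        ace_blobs.append(struct.pack("<BBHI", ACE_TYPES[ace_type], _pack_flags(flags, ACE_FLAGS),
                                     8 + len(sid_blob), _pack_flags(rights, GENERIC_RIGHTS)) + sid_blob)
    aces = b"".join(ace_blobs)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(ace_blobs), 0) + aces   # ACL_REVISION = 2
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | (SE_DACL_PROTECTED if protected else 0)
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, Owner, Group, Sacl, Dacl offsets
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, 20) + acl


def sd_to_sddl(blob):
    """Decode the DACL of a self-relative SECURITY_DESCRIPTOR blob back into SDDL."""
    rev, _sbz1, control, _owner, _group, _sacl, dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    if not control & SE_DACL_PRESENT:
        return ""                       # no DACL in the descriptor at all
    if dacl == 0:
        return "D:NO_ACCESS_CONTROL"    # NULL DACL: everyone gets full access
    out = "D:" + ("P" if control & SE_DACL_PROTECTED else "")
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", blob, dacl)
    off = dacl + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", blob, off)
        if ace_type not in ACE_TYPE_NAMES:
            raise ValueError("unsupported ACE type %d" % ace_type)
        mask, = struct.unpack_from("<I", blob, off + 4)
        sid, _ = bytes_to_sid(blob, off + 8)
        out += "(%s;%s;%s;;;%s)" % (ACE_TYPE_NAMES[ace_type], _unpack_flags(ace_flags, ACE_FLAGS),
                                    _unpack_flags(mask, GENERIC_RIGHTS), ALIAS_BY_SID.get(sid, sid))
        off += ace_size                 # AceSize, not our own arithmetic, advances past padding
    return out


if __name__ == "__main__":
    # Constructed input: the SDDL from the post, encoded the way Windows stores it.
    sddl = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;AU)(A;;GA;;;BG)"
    blob = sddl_to_sd(sddl)
    print(blob.hex())
    print(sd_to_sddl(blob))
```

Two details worth checking in the decoded output: the P flag (SE_DACL_PROTECTED) should be present if you expect the class-level descriptor not to be overridden by inherited entries, and a value that decodes to D:NO_ACCESS_CONTROL is a NULL DACL, which grants everyone full access rather than no access.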