CreateFile() - ERROR_ACCESS_DENIED

I have run into a dilemma (probably caused by my own stupidity), and was
wondering if anyone else out there has seen similar behavior and knows how
to prevent it.

The problem is that calling CreateFile() from a user mode app to obtain a
handle to a kernel mode driver works great on NT4 and Win 2K when logged on
as an administrator, but fails with ERROR_ACCESS_DENIED when logged on as a
Domain User.

I am assuming that the information stored in the driver’s Security registry
key (a pointer to an ACL or a SD??) is preventing the application from
being able to call CreateFile() to get a handle to the driver. One thought
was to add an access allowed ACE to the file (symbolic link) of the driver,
but this approach (as outlined in KB #Q102012) won’t work as
SetFileSecurity() fails in the same manner when not logged on as an admin.
My question is then, if my assumption about the access rights specified in
the Security key is correct, can the access rights contained in this key be
specified during driver installation, if the installer is an administrator?
Or is there any way around this error (programmatically) by a user-mode app
when the logged on user isn’t an administrator?

Thanks in advance,

Ed

Device objects on NT4.0 are created with Read/Write permission. That created
a big security hole as a malicious user can directly access the device. On
Win2k, device objects are just given Read permission. I think this is
preventing non-admin users from accessing the device. Check out
http://www.sysinternals.com/devsec.htm for more information.

-Eliyas

-----Original Message-----
From: xxxxx@midcore.com [mailto:xxxxx@midcore.com]
Sent: Friday, June 16, 2000 4:12 AM
To: NT Developers Interest List
Subject: [ntdev] CreateFile() - ERROR_ACCESS_DENIED

You are currently subscribed to ntdev as: xxxxx@microsoft.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)
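
An added illustration, not part of the thread and not Microsoft's code: a simplified Python model of the DACL check that the reply above points to, run over two constructed SDDL strings that mirror the NT4-style (Read/Write) and Win2K-style (Read only) device permissions described. The SDDL strings, the token SID sets and the assumption that the application asks for GENERIC_READ | GENERIC_WRITE are illustrative; a real access check also maps generic rights to object-specific rights, which this model skips.

```python
import re

# Generic access rights (winnt.h values) keyed by their SDDL abbreviations.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
RIGHTS = {"GR": GENERIC_READ, "GW": GENERIC_WRITE,
          "GX": GENERIC_EXECUTE, "GA": GENERIC_ALL}
RWX = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE

# Constructed DACLs (not dumped from a real system). WD = Everyone,
# SY = Local System, BA = Builtin Administrators, BU = Builtin Users.
NT4_STYLE = "D:(A;;GRGW;;;WD)(A;;GA;;;SY)(A;;GA;;;BA)"
WIN2K_STYLE = "D:(A;;GR;;;WD)(A;;GA;;;SY)(A;;GA;;;BA)"
ADMIN_TOKEN = {"WD", "BA"}   # constructed: administrator logon
USER_TOKEN = {"WD", "BU"}    # constructed: ordinary domain user logon

def parse_dacl(sddl):
    """Return [(ace_type, mask, sid)] for the ACEs in the D: part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")
        mask = 0
        for abbr in re.findall("..", rights):
            mask |= RIGHTS[abbr]          # only generic rights are modelled
        if mask & GENERIC_ALL:            # simplification: GA covers R/W/X
            mask = RWX
        aces.append((ace_type, mask, sid))
    return aces

def access_check(sddl, token_sids, desired):
    """Walk ACEs in order; a matching deny ACE fails the request, allow
    ACEs clear requested bits, and any bit left over means access denied."""
    remaining = desired
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
    return remaining == 0

if __name__ == "__main__":
    want = GENERIC_READ | GENERIC_WRITE
    for name, dacl in (("NT4-style", NT4_STYLE), ("Win2K-style", WIN2K_STYLE)):
        for who, tok in (("admin", ADMIN_TOKEN), ("user", USER_TOKEN)):
            print(name, who, "granted" if access_check(dacl, tok, want)
                  else "ERROR_ACCESS_DENIED")
```

In this model the only failing case is the ordinary user asking for write access against the read-only DACL; the same user asking for GENERIC_READ alone is granted.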

Thank you for the response; that is just what I needed. I confirmed that
this was the problem using the winobj sample they (SysInternals) have
available on their site.

As an aside, I noticed that on SP6a, only Read access is granted except to
the system itself and Administrators.

If anyone knows if driver access permissions can be specified during
installation, I’d love to hear how!

Thanks again -

Ed
