CreateFile() - ERROR_ACCESS_DENIED

OSR_Community_User Member Posts: 110,217
I have run into a dilemma (probably caused by my own stupidity), and was
wondering if anyone else out there has seen similar behavior and knows how
to prevent it.

The problem is that calling CreateFile() from a user mode app to obtain a
handle to a kernel mode driver works great on NT4 and Win 2K when logged on
as an administrator, but fails with ERROR_ACCESS_DENIED when logged on as a
Domain User.

I am assuming that the information stored in the driver's Security registry
key (a pointer to an ACL or a SD??) is preventing the application from
being able to call CreateFile() to get a handle to the driver. One thought
was to add an access allowed ACE to the file (symbolic link) of the driver,
but this approach (as outlined in KB #Q102012) won't work as
SetFileSecurity() fails in the same manner when not logged on as an admin.
My question is then, if my assumption about the access rights specified in
the Security key is correct, can the access rights contained in this key be
specified during driver installation, if the installer is an administrator?
Or is there any way around this error (programmatically) by a user-mode app
when the logged on user isn't an administrator?

Thanks in advance,

Ed

Comments

  • Eliyas_Yakub Member Posts: 229
    Device objects on NT4.0 are created with Read/Write permission. That created
    a big security hole as a malicious user can directly access the device. On
    Win2k, device objects are just given Read permission. I think this is
    preventing non-admin users from accessing the device. Check out
    http://www.sysinternals.com/devsec.htm for more information.

    -Eliyas


  • OSR_Community_User Member Posts: 110,217
    Thank you for the response; that is just what I needed. I confirmed that
    this was the problem using the winobj sample they (SysInternals) have
    available on their site.

    As an aside, I noticed that on SP6a, only Read access is granted except to
    the system itself and Administrators.

    If anyone knows if driver access permissions can be specified during
    installation, I'd love to hear how!

    Thanks again -

    Ed

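The access check behind the ERROR_ACCESS_DENIED discussed in this thread, as an added example that is not part of the original posts: a simplified, portable C model of a DACL walk showing why a read/write open succeeds for an administrator but fails for a Domain User once Everyone holds only read access. The two DACLs are constructed from the thread's description rather than dumped from a system, SIDs are modelled as plain strings, and `REQ_RW`, `access_check` and the token arrays are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Access-mask values from winnt.h; GENERIC_READ/GENERIC_WRITE map to these
 * for file and device objects. */
#define FILE_GENERIC_READ  0x00120089u
#define FILE_GENERIC_WRITE 0x00120116u
#define FILE_ALL_ACCESS    0x001F01FFu
#define REQ_RW (FILE_GENERIC_READ | FILE_GENERIC_WRITE) /* local shorthand, not a Win32 name */

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; const char *sid; unsigned mask; } ace;

/* Does the caller's token carry this SID? (SIDs are plain strings in this model.) */
static int token_has(const char *const *token, size_t n, const char *sid) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(token[i], sid) == 0) return 1;
    return 0;
}

/* Simplified DACL walk: ACEs are evaluated in order; allow ACEs clear the
 * bits they grant, a deny ACE covering any still-needed bit fails the
 * request. Returns 1 only if every requested bit was granted. */
int access_check(const ace *dacl, size_t n_aces,
                 const char *const *token, size_t n_sids, unsigned desired) {
    unsigned remaining = desired;
    for (size_t i = 0; i < n_aces && remaining; i++) {
        if (!token_has(token, n_sids, dacl[i].sid)) continue;
        if (dacl[i].type == ACE_ALLOW) remaining &= ~dacl[i].mask;
        else if (dacl[i].mask & remaining) return 0;   /* deny ACE hit */
    }
    return remaining == 0;
}

/* Constructed DACLs following the thread's description (assumption). */
const ace NT4_DACL[] = { { ACE_ALLOW, "Everyone", REQ_RW } };
const ace W2K_DACL[] = {
    { ACE_ALLOW, "SYSTEM",         FILE_ALL_ACCESS },
    { ACE_ALLOW, "Administrators", FILE_ALL_ACCESS },
    { ACE_ALLOW, "Everyone",       FILE_GENERIC_READ } };
const char *const ADMIN_TOKEN[] = { "Everyone", "Administrators" };
const char *const USER_TOKEN[]  = { "Everyone", "Domain Users" };

int main(void) {
    printf("W2K admin, read/write: %d\n", access_check(W2K_DACL, 3, ADMIN_TOKEN, 2, REQ_RW));
    printf("W2K user,  read/write: %d\n", access_check(W2K_DACL, 3, USER_TOKEN, 2, REQ_RW));
    printf("W2K user,  read only:  %d\n", access_check(W2K_DACL, 3, USER_TOKEN, 2, FILE_GENERIC_READ));
    printf("NT4 user,  read/write: %d\n", access_check(NT4_DACL, 1, USER_TOKEN, 2, REQ_RW));
    return 0;
}
```

In this model the Domain User's request fails because the write bits are never granted by any ACE that matches the token, while the same user opening the device read-only passes the check.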