Can a device be opened only with administrator privileges?

Hi, all
I have been learning driver development for a short while, but I have always had a question: can a device be opened only with administrator privileges?
In the driver samples offered by the WDK, they use SetupAPI to get a device name (SetupDiGetDeviceInterfaceDetail)
and then use CreateFile to get a device handle.

This operation requires administrator privileges, but I think this constraint must be too strong. I think there should be another way
to open it with non-administrator privileges, but Google gives me no answer :(

Thanks

xxxxx@sina.com

Hi,

It depends on the security descriptor. I think the most common ways to set
this descriptor for your device are via the INF file or programmatically via
IoCreateDeviceSecure.

More here:
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/controlling-device-access

Julián


Hi, Julián
Thank you very much for your help. I’ve read the document you sent carefully, and I think the security descriptor should be the correct answer for me.

My original configuration is
HKR,Security,"D:P(A;;GA;;;SY)(A;;GA;;;BA)" ; Allow generic all access to system and built-in Admin.

and now I have changed it as follows, to grant read/write/executable permissions to everyone
HKR,Security,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGWGX;;;WD)"

But it’s still not working: CreateFile returns -1 and GetLastError is 5, which means “Access denied”.

    g_deviceInfo.m_hDevice = CreateFile(g_deviceInfo.m_pDeviceInterfaceDetail->DevicePath,
                                        GENERIC_READ | GENERIC_WRITE,
                                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                                        NULL,
                                        OPEN_EXISTING,
                                        FILE_FLAG_OVERLAPPED,
                                        NULL);

    DWORD result = GetLastError();

Is there any other place that needs to be modified?

xxxxx@sina.com


Are you sure the new inf was applied? Is the security descriptor listed as a device property in device manager on the device’s property page?

Bent from my phone



xxxxx@sina.com wrote:

    Thank you very much for your help. I’ve read the document you sent
    carefully, and I think the security descriptor should be the correct
    answer for me.

    My original configuration is
    HKR,Security,"D:P(A;;GA;;;SY)(A;;GA;;;BA)" ;
    Allow generic all access to system and built-in Admin.

    and now I have changed it as follows, to grant
    read/write/executable permissions to everyone
    HKR,Security,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGWGX;;;WD)"

Checking the registry is good advice.  Unless your device is
reinstalled, so that the existing INF is replaced, your changes would
not be made.

Are you quite sure your driver does not set its own security descriptor? 
This can also be done in the driver code.

What kind of device is this?  As an example, mouse and keyboard devices
are set to allow only one open at a time, and because the operating
system has them open, other applications cannot.  That also returns
ERROR_ACCESS_DENIED.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thank you for your advice. The problem is solved; it really was that the INF file did not take effect.

Probably because I installed the driver too many times for debugging. I cleared all the old versions on the system and reinstalled the latest version, and it’s working correctly.

Thank you.

xxxxx@sina.com
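
The check suggested in the replies above (compare the security descriptor the device actually carries with the one in the INF) can be scripted. This is an added example, not code from the thread: the two INF strings are taken from the posts, while `APPLIED` is a constructed sample standing in for the value copied from the device's property page, and the function names are illustrative.

```python
import re

# Two-letter codes used by the descriptors quoted in the thread (a subset of SDDL).
TRUSTEES = {"SY": "Local System", "BA": "Built-in Administrators", "WD": "Everyone"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}

# SDDL strings from the thread's INF lines.
INF_OLD = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
INF_NEW = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGWGX;;;WD)"
# Constructed sample: what the device reports when a stale INF is still in effect.
APPLIED = INF_OLD


def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        # Rights are either a hex mask or a run of two-letter codes.
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            "rights": [RIGHTS.get(c, c) for c in codes],
            "trustee": TRUSTEES.get(sid, sid),
        })
    return m.group(1), aces


def missing_aces(intended, applied):
    """ACEs the INF asks for that the installed device does not carry."""
    have = parse_dacl(applied)[1]
    return [ace for ace in parse_dacl(intended)[1] if ace not in have]


def everyone_grants(sddl):
    """Allow ACEs for Everyone: rights every user gets on the device."""
    return [a for a in parse_dacl(sddl)[1]
            if a["type"] == "allow" and a["trustee"] == "Everyone"]


if __name__ == "__main__":
    for ace in missing_aces(INF_NEW, APPLIED):
        print("not applied:", ace)
    print("open to every user:", everyone_grants(INF_NEW))
```

A non-empty result from `missing_aces` means the installed device is still using an older descriptor, which is the situation the thread ended up diagnosing; `everyone_grants` shows exactly which rights the new ACE hands to all users, which is worth reviewing before shipping the INF.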
