Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Restrict access to minifilter driver and it's IRP_MJ_DEVICE_CONTROL

sergeysergey Member Posts: 3

I have a minifilter. I want to restrict access to driver's IOCL (1) at least so non elevated users cannot call DeviceIoControl. The best will be (2) to restrict calls to IOCL to my user mode process only (it runs elevated), as IOCL exposes very powerful functionality.

From user mode I open driver like this:

HANDLE hDrv = CreateFileW( L"\\\\.\\DriverName", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);

Then call IOCL like this:

DeviceIoControl(hDrv, MAKE_DANGEROUS_THING_IOCL, nullptr, 0, readBuffer, sizeof(readBuffer), &dwBytesRead, NULL)

In driver I have:

extern "C" NTSTATUS DriverEntry(__in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath)
    IoCreateSymbolicLink(&DEVICE_SYM_LINK, &DEVICE_NAME);
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Function_IRP_DEVICE_CONTROL;

I tried to put in the .inf file the following ACL that I expect should prevent opening driver from interactive users:


But I had no luck, CreateFileW and DeviceIoControl successfully execute from the non elevated user.

What am I doing wrong? How can I restrict IOCL functionality to admins or to my process only?


  • sergeysergey Member Posts: 3

    I found a problem with my approach. This


    is to restrict access to registry only. So I changed INF file to this, so security settings will affect driver:

    AddService          = %ServiceName%,,MiniFilter.Service

    But even with no rights to the interactive users, I still can CreateFileW and DeviceIoControl successfully from the non elevated user.

    Looks like this rights affect driver as an object of manipulation from the service manager, not as a Driver Object as I expected.

    Any idea how to protect IOCL from calling by non elevated users?

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,376

    You want IoCreateDeviceSecure.


  • sergeysergey Member Posts: 3

    I found that this works as I want too (can CreateFileW( L"\\\\.\\DriverName", ...) for admins, cannot for non-admins):

    status = IoCreateDevice(DriverObject, 0, &DEVICE_NAME, FILE_DEVICE_DISK_FILE_SYSTEM, FILE_DEVICE_SECURE_OPEN, FALSE, &gMyDevice);


    Is it ok to use FILE_DEVICE_DISK_FILE_SYSTEM with a minifilter?

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,376

    Why not use IoCreateDeviceSecure and not have to rely on some implementation detail?


Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE