Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Disable USB-C ports

s0ckzzs0ckzz Member Posts: 10
edited November 2020 in NTDEV

Guys,

Is it possible to disable individual USB-C ports on a Windows system using a filter driver, selective suspend or something similar? The filter driver could be used to intercept PNP calls and "hide" information to the system somehow?

«1

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,823

    The most reliable way to disable USB-C ports is to fill them with silicone sealant.

    There are group policies to block certain kinds of USB devices. That's usually what you want. Note that there's no reliable way for a driver to know where ports are physically located.

    I don't think you understand what selective suspend is for.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • s0ckzzs0ckzz Member Posts: 10

    Got it, so selective suspend is not a good way.

    Regarding the USB ports, what you're trying to say is "there's no generic way to do that". So, the viable way would be to have lower level access, like, some ACPI methods exposed for me to do that or something like that?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,313

    You're throwing around a lot of terminology, but it doesn't seem like you have a good idea of how the principles related to that terminology work in Windows. "Selective suspend"? "ACPI methods"? Let me guess... you're primarily a hardware person?? It's OK if you are. Some of my best friends are hardware people... ;-)

    Look: The bottom line here is that you're going to need to tell us more about what you want to do.

    It is entirely possible to write a filter driver that will block the attachment of USB devices. What Mr. Roberts was saying, and quite correctly too, is that it's exceedingly difficult to know a-priori the internal topology for a given physical USB port on your computer. That is, you can pretty easily POINT to the port you want to block, but knowing WHICH port that is internally (from your driver) isn't simple... or likely even possible.

    Now, if you're making an embedded system, where the configuration of every machine is predictably the same... then, well, maybe there's a way.

    Or if you just don't want ANY devices to be connected via USB, there are certainly ways to accomplish that.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • s0ckzzs0ckzz Member Posts: 10

    Haha I'm a software guy but I'm really new into Driver Development so I don't know the concepts very well and I'm learning what I can.
    Thanks a lot for the patience, guys.

    Anyways, let me try to clarify. I have an specific Windows Workstation (the hardware is fixed, for the moment, so I think it's easier to try to map the "logical port" to the physical port) that I want to be able to disable specific USB-C ports (for example, an application that an Administrator can check which ports are enabled or not, by user, etc.). Here's what I thought:

    • The best scenario (if possible): the user plugs any device - it won't even power on. So I thought I could use the selective suspend somehow to reduce the power to a device. But I don't know if it's a good way because selective suspend must be supported, right? By the controller? By the device? By both?;
    • The acceptable scenario: Use a filter driver to block the attachment of USB devices - the hardware is fixed, so I think I can guess the physical port, right? The device will power on but it will not be shown in Device Manager.

    I'm ok with the "acceptable scenario". Do you guys think it's feasible? What would I need? A Lower-Level Filter Driver? Is there any sample that could me help to achieve this feature?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,313

    That's MUCH more clear. Thanks.

    Well... Hmmmm... I haven't tried it, but at least theoretically if you could identify which port, on which hub, you wanted to power off, you should be able to power it off using Clear Hub Feature with the "feature selector" being PORT_POWER. See page 437 of the USB 3.2 spec. Just in case you're not aware (no offense, but I have no way of knowing what you know about the basics of USB)... every USB port is managed by a hub, even the ones that come right off the USB controller. The USB Host Controller always has (one or more) integral hubs associated with it. It's the USB HUB driver (and not the USB Host Controller Driver) the enumerates newly arrived USB devices.

    So... that could be a way forward for you.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,823

    Peter gave a good answer, much better than my snarky one. I happen to have a particular aversion to driver projects whose primary aim is to PREVENT the normal operation of my Windows system, as yours is, so my sarcasm boils to the surface.

    The problem with selective suspend is that it is managed by the hub driver, based on the current state of the system and its child devices. There's no way for you to interfere in its decision process. If you tried to force a port into selective suspend, the hub driver would stubbornly put things back.

    However, the PORT_POWER thing is a possibility. You can shut down individual ports that way. I'm not sure it would survive sleep/resume, but that's an issue you could work on. Most hubs can be addressed from user mode; I'm not sure you'd even need a driver. Look, for example, at the USBView sample app. It communicates directly with the hubs to get the information it needs.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • s0ckzzs0ckzz Member Posts: 10

    @Peter_Viscarola_(OSR) said:
    That's MUCH more clear. Thanks.

    Well... Hmmmm... I haven't tried it, but at least theoretically if you could identify which port, on which hub, you wanted to power off, you should be able to power it off using Clear Hub Feature with the "feature selector" being PORT_POWER. See page 437 of the USB 3.2 spec. Just in case you're not aware (no offense, but I have no way of knowing what you know about the basics of USB)... every USB port is managed by a hub, even the ones that come right off the USB controller. The USB Host Controller always has (one or more) integral hubs associated with it. It's the USB HUB driver (and not the USB Host Controller Driver) the enumerates newly arrived USB devices.

    So... that could be a way forward for you.

    Peter

    Hmmm nice, I wasn't aware. Thanks a lot for the informations. I'll study the feature you talked on the spec. Thanks a lot for all the information.

  • s0ckzzs0ckzz Member Posts: 10
    edited November 2020

    @Tim_Roberts said:
    Peter gave a good answer, much better than my snarky one. I happen to have a particular aversion to driver projects whose primary aim is to PREVENT the normal operation of my Windows system, as yours is, so my sarcasm boils to the surface.

    The problem with selective suspend is that it is managed by the hub driver, based on the current state of the system and its child devices. There's no way for you to interfere in its decision process. If you tried to force a port into selective suspend, the hub driver would stubbornly put things back.

    However, the PORT_POWER thing is a possibility. You can shut down individual ports that way. I'm not sure it would survive sleep/resume, but that's an issue you could work on. Most hubs can be addressed from user mode; I'm not sure you'd even need a driver. Look, for example, at the USBView sample app. It communicates directly with the hubs to get the information it needs.

    No problem about the snarky answer haha :-) I laughed out loud, actually.

    Regarding the hubs addressable from user mode, that's great news. I'll look into that also. Thank you!

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,313

    I happen to have a particular aversion to driver projects whose primary aim is to PREVENT the normal operation of my Windows system

    Ordinarily, me too. But, you know, not every system running Windows is an "ordinary" Windows system. Consider systems that are used to host machine tools and control processes. These systems are "Windows PCs" in name only. They're (usually) air-gapped, and one of the few potential vectors for infections are the USB drives. They can't silicone the ports, because they need to be able to use specifically authorized USB drives to move "stuff" around... like design files, or machine setting updates. Plus, these systems often have keyboards and mice and button pads and joysticks that are USB connected.

    We've spent the last several years working with a major industrial security vendor to build and refine a complex security system for USB devices in such settings. It fills a real need.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Pavel_APavel_A Member Posts: 2,758

    The best scenario (if possible): the user plugs any device - it won't even power on

    Disabling USP ports or specific devices/classes is a quite common need (as Peter noted), so you can google around and find a ready solution for this. Get it right now, no development & testing time, no bluescreens.
    The type C, however, is a less familiar point. Is there a requirement specific for type C? Like, disable high-power charging from the port (without any i/o at all)?
    -- pa

  • s0ckzzs0ckzz Member Posts: 10

    @Pavel_A said:

    The best scenario (if possible): the user plugs any device - it won't even power on

    Disabling USP ports or specific devices/classes is a quite common need (as Peter noted), so you can google around and find a ready solution for this. Get it right now, no development & testing time, no bluescreens.
    The type C, however, is a less familiar point. Is there a requirement specific for type C? Like, disable high-power charging from the port (without any i/o at all)?
    -- pa

    Yeah, it's a requirement of my client... Anyway, for USB ports do you have any link for the examples? Maybe it can be similar for USB Type-C...

  • Pavel_APavel_A Member Posts: 2,758
    edited November 2020

    There are examples of hub access from usermode, based IIRC on some Intel's example from WinXP times.
    Some classes of devices can be disabled by Windows group policy - no coding needed at all.
    For useful start in USB hub filtering, see here: https://github.com/freedesktop/spice-usbdk
    Sorry I cannot share code from commercial projects. In the linuxy opensourcey world, when they make anything, they put it on GitHub and write a dozen blogs and tweets. Not so in Windows.
    Again, consider a ready product. Reinventing a wheel is not cool. If the UI needs customization, maybe they can do that.
    Unless, there's some special new type C quirk - as type C connector is more than USB.

    -- pa

  • MBond2MBond2 Member Posts: 277

    I think I must have missed something, but is this all devices on a particular port, or particular devices (inclusively or exclusively) on any port?

    the viability of any solution on any os depends to a great extent on these answers i think

  • s0ckzzs0ckzz Member Posts: 10

    @Pavel_A said:
    There are examples of hub access from usermode, based IIRC on some Intel's example from WinXP times.
    Some classes of devices can be disabled by Windows group policy - no coding needed at all.
    For useful start in USB hub filtering, see here: https://github.com/freedesktop/spice-usbdk
    Sorry I cannot share code from commercial projects. In the linuxy opensourcey world, when they make anything, they put it on GitHub and write a dozen blogs and tweets. Not so in Windows.
    Again, consider a ready product. Reinventing a wheel is not cool. If the UI needs customization, maybe they can do that.
    Unless, there's some special new type C quirk - as type C connector is more than USB.

    -- pa

    Thank you, that link will help a lot! What ready product would you recommend?

  • s0ckzzs0ckzz Member Posts: 10

    @MBond2 said:
    I think I must have missed something, but is this all devices on a particular port, or particular devices (inclusively or exclusively) on any port?

    the viability of any solution on any os depends to a great extent on these answers i think

    The requirement is to disable an specific physical port so, any device will be attached.

  • ThatsBerkanThatsBerkan Member Posts: 44
    edited November 2020

    I believe the easiest way (althought extremely not recommended), would be to hook the PnP major dispatch of the USB Hub Driver and return an invalid NTSTATUS whenever it is an arrival of a (No idea how you're going to detect this) USB-C device.

    This will most likely display a warning icon in the Device Manager for the USB Hub Driver.

    Post edited by ThatsBerkan on
  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,313

    would be to hook the PnP major dispatch of the USB Hub Driver

    That is not a good idea, or anything remotely like a supported approach.

    We have filter drivers in Windows for a reason.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Pavel_APavel_A Member Posts: 2,758

    What ready product would you recommend?

    Most of so called "endpoint security" products have some kind of USB control.
    I haven't used this stuff recently (concur with Mr. Roberts on products that exist to tamper with normal operation of my Windows system)
    If you find the freedesktop link interesting, the maintainers of this thing are on this forum. They may be able to help you.
    -- pa

  • adriano_lemosadriano_lemos Member Posts: 2

    @Peter_Viscarola_(OSR) said:

    would be to hook the PnP major dispatch of the USB Hub Driver

    That is not a good idea, or anything remotely like a supported approach.

    We have filter drivers in Windows for a reason.

    Peter

    Hi, please forgive my ignorance, but I have the same problem which I intend to approach by developing a USB Bus Filter Driver (UpperFilter) to change the DEVICE_RELATIONS list after the Bus responded to the PNP_MN_QUERY_DEVICE_RELATIONS, whenever a new device is plugged in an arbitrary USB port. The intention is to "soft disable" that port by preventing any new device connecting to it from being enumerated.

    Is it possible to write this as a KMDF USB Hub Filter Driver (maybe modifying one of the sample drivers from Microsoft's Github)?

    Thanks in advance and, again, forgive me if I misunderstood some basic concept for I'm new to this kind of endeavor.

    Adriano Lemos.

  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,396
    via Email
    Yes it is possible to write a bus filter driver for usb. It is a lot of
    work. KMDF does not support bus filter drivers, but with a bit of effort
    you can use kmdf to do most of the work and then escape out of kmdf to do
    the rest using WDM.

    Mark Roddy
  • adriano_lemosadriano_lemos Member Posts: 2

    Thanks @Mark_Roddy. Much appreciated the information.
    Can you (or any member) point me to some repository or post with sample code showing how I could accomplish this task? That could save me an awful lot of time.

    Thanks again,
    Adriano Lemos.

  • rusakov2rusakov2 Member Posts: 15

    @Peter_Viscarola_(OSR) said:

    I happen to have a particular aversion to driver projects whose primary aim is to PREVENT the normal operation of my Windows system

    Ordinarily, me too. But, you know, not every system running Windows is an "ordinary" Windows system. Consider systems that are used to host machine tools and control

    We've spent the last several years working with a major industrial security vendor to build and refine a complex security system for USB devices in such settings. It fills a real need.

    I am very much with you, and from a different industry.
    We had a similar issue in the past where customer required "only these select special USB devices" to be allowed, and not anything else. In any USB port in system, in any order.

    A lot of work was done to accomplish it, and one lesson was the growing frustration of management with Windows 10 architecture.

    I wonder is the situation with this task any better on Linux or in Mac ?

    Thanks,
    Sergey

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,313

    one lesson was the growing frustration of management with Windows 10 architecture

    That seems like... a very unusual "lesson" -- We've done some significant work with USB device security, and while I agree that solving it non-trivially is a difficult and complex problem, I'm not sure I'd lay the blame at the feet of "Windows 10 architecture."

    Mostly, the issues that we've encountered are because USB -- and the vastness of its device classes -- is a PITA. When is a flash drive not "just" a flash drive? When its a USB UAS flash drive.

    Not to mention the positive CRAP that vendors release as far as USB devices. Just look at how difficult it is to find a USB flash drive that's actually been tested and has passed USB logo requirements.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • rusakov2rusakov2 Member Posts: 15
    edited February 10

    @Peter_Viscarola_(OSR) said:

    one lesson was the growing frustration of management with Windows 10 architecture

    That seems like... a very unusual "lesson" -- We've done some significant work with USB device security, and while I agree that solving it non-trivially is a difficult and complex problem, I'm not sure I'd lay the blame at the feet of "Windows 10 architecture."

    I certainly agree with you on that Peter.
    And that is why when someone higher up tells me that they were told should we design our instrument based on WindRiver OS or Linux than such task would be simple I don't know if that is true or just something told them by Linux camp.
    That's why I asked if anyone can comment on how complex the same would be in other OS.

    Sergey

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,313

    It all depends on what you need to do, and what else is required for your instrument.

    If the job is “we only will allow this list of VIDs and PIDs to connect via USB”... well, that’s pretty easy on any OS. If things get more complex, then they get complex quickly on any OS.

    But really, isn’t what USB devices are allowed the “side show”? Isn’t the real question “How do we write the embedded app(s) on the instrument”? That (and timing needs, of course) is what usually causes folks to choose one OS over the other.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • rusakov2rusakov2 Member Posts: 15

    @Peter_Viscarola_(OSR) said:
    But really, isn’t what USB devices are allowed the “side show”? Isn’t the real question “How do we write the embedded app(s) on the instrument”?

    It is not the question in my case if user will see some USB device which we don't want them to see. It is about to meet security requirements in USB area - some from customer and some external (FDA here and its counterpart in EU), and within budget.
    E.g.
    If the security in USB can be met with OS 1 a lot easier than with OS 2 then they prefer OS 1. But if OS 1 does not natively support FIPS then it is a no go. And so on like that.

  • MBond2MBond2 Member Posts: 277

    But the point is that the security requirement is the issue and not the OS. Simple security requirements can be met simply. Complex security requirements are complex. The devices and the USB protocol are the same under any OS.

    There are probably some kinds of things that are easier to do under one OS versus another. But it's probably not fundamental to your problem.

    Taking a SWAG, I would say that you have bad requirements. And what you need to do is recapitulate them in technically sound terms instead - easier said than done I know. A requirement change that I advocated for in 2009 was just recently approved. And that was a simple missing negation in a financial regulation calculation. And they didn't even have to get the law amended - just a better interpretation of this obscure case. Of course it helped that now is the only time in the last 20+ years that the case applies and they were facing financial loss because of the wrong arithmetic ;)

  • Pavel_APavel_A Member Posts: 2,758
    edited February 14

    Again, filtering and hijacking USB devices is not a rocket science. VMWare does it, VirtualBox does it. The latter is opensource.
    @rusakov2 Please see links in my previous comment in this thread.
    The genuine problem is that forging USB devices is easier these days than writing a Windows filter driver ;)
    So go ask your "security" expert what if device allowed by user's policy is a fake.
    Just as example, knowing that USB smartcard reader with certain PID&VID is allowed I can make a multifunction device with these PID&VID and pack in it a camera and what not.
    -- pa

  • anton_bassovanton_bassov Member MODERATED Posts: 5,223

    We had a similar issue in the past where customer required "only these select special USB devices" to be allowed,
    and not anything else. In any USB port in system, in any order.

    ......

    And that is why when someone higher up tells me that they were told should we design our instrument based on
    WindRiver OS or Linux than such task would be simple I don't know if that is true or just something told them by Linux camp.

    Well, your problems are VERY specific to the Windows world. They don't really make any sense in context of a system that allows you to build the kernel in any configuration that you wish, and to include only those components that you would like your custom kernel to support, in your custom build. As you may have guessed, your "dilemma" is simply a non-issue on such a system. The only question is the one of the software ecosystem that your clients want to be supported by your system/instrument, and there is a good chance that the target ecosystem is Windows-oriented

    Anton Bassov

  • anton_bassovanton_bassov Member MODERATED Posts: 5,223

    I happen to have a particular aversion to driver projects whose primary aim is to PREVENT the normal operation of my Windows system

    Well, no one really forces you to install them on your system,right? Although this position is more than likely to be supported by virtually everyone in respect of their home systems, they may have rather different attitudes in respect of their corporate ones. After all, you would not really want your highly-sensitive data (for example, the source code of a proprietary project that you have spent quite a few man-years on), to be stolen and sold to the competitors by some rogue employee,would you. This is where all above mention driver projects come in handy.....

    Anton Bassov

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE