Prevent CDROM devices

Hi OSR Experts,

I’m trying to write a driver to prevent CDROM devices (when plugged in) on the OS.
I have started researching and implementing a POC of it by writing a “filter driver (for bus or non-bus?)” which implements “IRP_MJ_PNP” and “IRP_MN_START_DEVICE” and sets ACCESS_DENIED to prevent it.

I have a few questions:

  1. Am I on the right track?
  2. Should my filter driver be for bus or non-bus?
  3. Any other suggestions?

Thanks,
Jake

How about using this GPO “all removable storage classes deny all access” -
much simpler.
Mark Roddy

@Mark_Roddy said:
How about using this GPO “all removable storage classes deny all access” -
much simpler.
Mark Roddy

Hi Mark_Roddy,

Thanks for your response.
In the future I would like to give the option for exclusions according to device name/id, so I’m still looking for a PNP filter driver solution.

If you really, truly, mean just CDROM type devices, I would probably start by trying an upper filter of CDROM.SYS.

And I’d write it using KMDF, not WDM as you are implying.

I’d experiment about which, specific, operations (read? write? specific IOCTLs?) that I block or allow so that I get the exact behavior I seek.

Peter


Another option is a filesystem filter driver … there are good examples of these on MSDN like this [ https://docs.microsoft.com/en-us/samples/microsoft/windows-driver-samples/cdfs-file-system-driver/ ], and you can specify the exact type of behaviour you want to block, when you want to block it, for what media, etc. …
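
Added example, not part of any post in this thread: a PowerShell check an administrator can run to see whether the removable-storage GPO mentioned above is in effect, which class-level upper filters are registered for the CD-ROM setup class, and which optical drives are present with their instance IDs. It assumes the standard Windows policy and class registry locations and that a filter would be installed as a class upper filter; the function names are hypothetical.

```powershell
# Added example: audit the state of CD-ROM blocking on this machine.
# Registry locations are the standard Windows policy/class keys (assumed, not from the thread).
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$CdDvdGuid  = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # "CD and DVD" policy subkey
$CdromClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-CdromBlockState {
    $cdPolicy = "$PolicyRoot\$CdDvdGuid"

    # Class upper filters sit above cdrom.sys for every device in the class.
    $filters = @(Get-RegValue $CdromClass 'UpperFilters' | Where-Object { $_ })

    # Present optical drives; InstanceId is what a per-device exclusion would match on.
    $drives = @(Get-PnpDevice -Class CDROM -PresentOnly -ErrorAction SilentlyContinue |
                Select-Object FriendlyName, InstanceId, Status)

    [pscustomobject]@{
        DenyAllRemovable  = ((Get-RegValue $PolicyRoot 'Deny_All')  -eq 1)
        CdDvdDenyRead     = ((Get-RegValue $cdPolicy  'Deny_Read')  -eq 1)
        CdDvdDenyWrite    = ((Get-RegValue $cdPolicy  'Deny_Write') -eq 1)
        CdromUpperFilters = $filters
        PresentDrives     = $drives
    }
}

$state = Get-CdromBlockState
$state | Format-List DenyAllRemovable, CdDvdDenyRead, CdDvdDenyWrite, CdromUpperFilters
$state.PresentDrives | Format-Table -AutoSize

# Flag the case where nothing is restricting optical media at all.
if (-not ($state.DenyAllRemovable -or $state.CdDvdDenyRead -or $state.CdDvdDenyWrite) -and
    $state.CdromUpperFilters.Count -eq 0) {
    Write-Warning 'No removable-storage deny policy and no CD-ROM class upper filter found.'
}
```

Run it from an elevated prompt after a `gpupdate` so the policy values reflect the current GPO state.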