Driver loaded/connected; DeviceIoControl x86 ok but x64 fails with access denied.

I’m new to driver development and have just created a barebones driver that does nothing but return a few ‘yes I’m here’ bytes on an IOCTL command; still unsigned as it’s early development. I’m using Windows 7 for testing as all info suggests it’s less nuts about unsigned drivers. I’m loading the driver after logon via service api. The x86 build works fine; it loads, all calls succeed, and it returns the expected ‘hi there’ bytes in the output buffer. The x64 build, CreateService and StartService report success, as does the CreateFile call to connect to my driver. However, DeviceIoControl fails with GetLastError=ERROR_ACCESS_DENIED and Windows pops up the no unsigned driver box, despite the fact I’ve booted with the ‘Disable driver signature enforcement’ option; this is very odd since an ‘sc query’ shows it as ‘Running’ and if my program has permission to load and start the driver, how can this be denied? This is not a status code my driver code returns under any known circumstances; I have several others for various other error check fails, but not that one, and it performs no security checks-- like I said, dead simple (also, my handler for IRP_MJ_DEVICE_CONTROL only returns statuses I set; it never returns a status set by an external call). These things make me believe the error lies outside of my driver.

Curious about whether I could obtain permission, I started my driver load/test program with another program I made that starts a process as a SYSTEM account impersonating TrustedInstaller. Access denied. I tried one more time with my program using the token from lsass.exe instead as that seems to have even higher permissions (the process can enable the SeCreateTokenPrivilege where the TI one cannot). Access was denied even to this.

Is there something else I need to be doing to have permission to communicate with a seemingly loaded unsigned driver in Win7 x64? Every resource I’ve found has indicated ‘Disable driver signature enforcement’ should have been sufficient; I’ve also set the ‘Code signing for device drivers’ policy in gpedit to ‘Ignore’, though I believe that’s n/a for Win7. The VM is running Win7 Enterprise SP1 x64 (and the x86 is Win7 Ultimate).

Things that also have not worked (they report success when set and the second shows the watermark on reboot, but the same access denied):
bcdedit ddisable integrity checks
bcdedit testsigning on

The link is opened with hDev = CreateFile(L"\\\\.\\TESTDRV1", GENERIC_READ | FILE_SHARE_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

Problem resolved. Issue: The GetLastError() code after DeviceIoControl receives a failed IRP_MJ_DEVICE_CONTROL with STATUS_INVALID_PARAMETER is for unknown reasons reported as ERROR_ACCESS_DENIED, which sent me chasing my tail looking for a problem in entirely the wrong place.


Weird… That should get translated as ERROR_INVALID_PARAMETER:

C:\Program Files (x86)\Windows Kits\10\Tools\x64>winerror -s 0xC000000D
    87 ERROR_INVALID_PARAMETER <--> c000000d STATUS_INVALID_PARAMETER