I'm trying to debug a strange issue where a 3rd party piece of software fails to connect to a named pipe when our software is installed (our software can create security tokens). The software gets STATUS_ACCESS_DENIED when trying to attach to the pipe. The token we've provided is an admin token which looks almost identical to a normal admin token with the addition of one deny ACE. The DACLs on the named pipe appear to show that administrators can connect to it (and I have done so with our token and a test program despite the real software failing in NtCreateFile).
I initially thought that this STATUS_ACCESS_DENIED must be coming from SeAccessCheck or one of its new undocumented brothers like SeAccessCheckWithHint. However, I've investigated all the access checks which occur on the thread and found they all return TRUE despite NtCreateFile returning that status.
I'm now puzzled because I don't know any other functions that use STATUS_ACCESS_DENIED, so I can't work out where it's coming from. I wondered if it was possible to simply trace every function call and break if any function returns that NTSTATUS. Is that possible in WinDbg?