Access to disabled devices

Does anyone know if there is any way I can detect if a process on the system has attempted to access a device that is disabled? I would imagine that if there is anywhere I might get this sort of information it would be from the I/O manager. Ideally, I would like some way of being informed when this happens.

Thanks for any help/pointers,

Adrian

Attach a filter to the disabled device and monitor the create calls.

Also - turn on Local Security Policy/Audit/Object Access; this also works.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


… when you say attach a filter are you talking about writing a filter driver? If so then isn’t this a massive task since I’ll need one for every type of device I’m ever likely to come across, or can I write a very small one that is generic enough to work across all devices?

Actually, the situation is that some software I’m working with may disable any number of devices on a system and when anyone ever attempts to access any of the disabled devices I need to be told about it.

Thanks for the help so far, I’ll look into Local Security Policy/Audit/Object Access.

… by the way, I’m talking about doing this on standalone XP/Vista/Win7 machines not operating in a domain environment.

adrian

Unless I am completely missing the point, a ‘filter’ (that is a PnP device filter) will not even be started if the device is ‘disabled’. What sort of filter are you advising to use in this case?

Regards,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Friday, February 05, 2010 9:12 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Access to disabled devices

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

adrian.smith@hp.com wrote:

> Does anyone know if there is any way I can detect if a process on the system has attempted to access a device that is disabled? I would imagine that if there is anywhere I might get this sort of information it would be from the I/O manager. Ideally, I would like some way of being informed when this happens.

How would a process do that? A disabled device is not going to appear in the enumeration lists, so there’s no way to TRY to get a handle to the device.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

adrian.smith@hp.com wrote:

> … by the way, I’m talking about doing this on standalone XP/Vista/Win7 machines not operating in a domain environment.

Why? What’s the point? If it’s not a domain environment, then it’s MY computer. I can do what I want. Why would I want to prevent myself from accessing devices?

In case you haven’t been here for a while, I am on a long, fruitless, and largely pointless crusade against the many people around the world whose primary job in life is to create products that PREVENT the normal operation of my computer.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim … please stop cluttering up this topic with your pointless crusade. In case you hadn’t noticed, even machines not in domains can be used by multiple people, not all of them administrators. If you can’t be helpful and just want to rant then please do it somewhere else.

Tim has a very valid point. He should not go away ;). Machines can be used by multiple people, but in that case you can use built-in principles and use standard security mechanisms to control access.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of adrian.smith@hp.com
Sent: Friday, February 05, 2010 10:11 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Access to disabled devices

Pretty much.

Dude, you’ve got to be realistic here.

> … when you say attach a filter are you talking about writing a filter driver? If so then isn’t this a massive task since I’ll need one for every type of device I’m ever likely to come across, or can I write a very small one that is generic enough to work across all devices?
>
> Actually, the situation is that some software I’m working with may disable any number of devices on a system and when anyone ever attempts to access any of the disabled devices I need to be told about it.

You’re asking for help to implement something ‘generic’ to control access to ‘any’ device, and you’ve expressed that you aren’t looking to do a lot of work. That’s basically a protocol for implementing instability/misery, and as Doron already said, heroics aren’t required here.

mm

… guess people can get quite religious about this sort of thing :wink:

… as this is a forum where people ask technical questions relating to Windows driver-level and kernel-mode code I thought it might be a good place to ask. As I understood it, this forum is for finding out how certain technical problems can be solved, not necessarily why it’s being done in the first place. As a lowly programmer within my company I’ve been asked to come up with something - I don’t have the influence or power to delve into such questions as ‘why is this required’.

I assume from the recent rather unhelpful response that what I want to do probably isn’t possible easily — why someone just didn’t say that I don’t know.

Part of giving help is asking why and then suggesting that you reshape your requirements to match reality/the path of greater stability. This happens all the time at work as well; the lowly devs take the advice that they are given and either ignore it or try to feed that back into their design/architecture. It is akin to teaching someone how to fish instead of handing them a filet of sole :wink:

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of adrian.smith@hp.com
Sent: Friday, February 05, 2010 10:50 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Access to disabled devices

adrian.smith@hp.com wrote:

> … guess people can get quite religious about this sort of thing :wink:
>
> … as this is a forum where people ask technical questions relating to Windows driver-level and kernel-mode code I thought it might be a good place to ask. As I understood it, this forum is for finding out how certain technical problems can be solved, not necessarily why it’s being done in the first place.

Well, I can tell you how that situation comes about. MANY people come to this forum asking detailed questions about how to do some particular low-level operation, when in fact the overall task they are trying to perform would be better handled in a completely different way. Over the years, we’ve discovered that it’s better to explore the “overall task” thing before digging into the technical answers, in an attempt to avoid diving down unproductive ratholes. It can seem annoying, but it’s a strategy that usually ends up with better results for everyone.

It’s like having someone ask “I need help in designing the fuel rod size for a fusion reactor”, when what they REALLY want to build is a power supply for their iPod.

> As a lowly programmer within my company I’ve been asked to come up with something - I don’t have the influence or power to delve into such questions as ‘why is this required’.

That’s a lame excuse. An engineer always has a moral obligation to explore the motivations behind his assignments, and an ethical obligation to object when asked to implement something that does not make sense. You are not an automaton.

> I assume from the recent rather unhelpful response that what I want to do probably isn’t possible easily — why someone just didn’t say that I don’t know.

Because we don’t have the complete specs for your problem. We were trying to explore what the real task was before issuing a blanket answer. Given the additional information you have provided, yes – what you want to do probably isn’t possible easily.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

>> As a lowly programmer within my company I’ve been asked to come up with something - I don’t have the influence or power to delve into such questions as ‘why is this required’.
>
> That’s a lame excuse. An engineer always has a moral obligation to explore the motivations behind his assignments, and an ethical obligation to object when asked to implement something that does not make sense. You are not an automaton.

I concur; if your employer said “I want you to write a file system filter driver that will monitor for credit card numbers, collect them and later transfer them to a user app” would your response also be “I don’t have the influence or power, so I gotta do that …”? How about if the employer said to write a network filter driver that would monitor for the words “Falun Gong” and garble the packets, what then?

/Soapbox on/

As citizens in the “Windows” world who are expected to be at the vanguard of “making things happen” we have an ethical obligation to push back against requests that, among other things, seek to deny a user the abilities that the owner of the OS (and that would be Microsoft, BTW) has granted to that user. We may not agree with the design decisions that MS has made, but it is our obligation as the “vanguard” to respect and support those abilities … and if management doesn’t get that then politely show them how that might be accomplished while working within the MS universe (security DACL’s, etc.) or refuse the assignment …

/Soapbox off/

Cheers!

Your Soapbox rant is certainly valid in general. However, there are exceptions that are sometimes mistaken for malware or dubious intent that are reasonable and required in some cases.

For example, if a hotel puts a PC in the lobby for “public” use they would certainly lock it down with all MS-provided tools that they could. (Yes, it’s a bad idea, but…) However, MS may have not really considered this thin vertical market requirement. So, some peculiar and generally obnoxious usage-limiting features may be needed.

In this case the licensee of the OS (the hotel) wants to limit the features provided by the owner of the OS (Microsoft). I think this scenario and similar ones exist that are totally legitimate and ethical.

OTOH, as “good citizens in the Windows world” how can we really determine whether or not to give advice in these questionable gray areas?

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Friday, February 05, 2010 2:33 PM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] Access to disabled devices


> system and when anyone ever attempts to access any of the disabled devices

Define “disabled”.

This is the first thing you must do.

If the device is disabled by PnP, then you cannot solve this task. The apps will just see no such device, period.

If “disabled” means - disabled by the ACL - then audit policy helps.

If “disabled” means “disabled by your add-on” - then implement auditing in the add-on, not only access control.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
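Added example, not code from the thread: a PowerShell sequence that operationalizes the ACL case from Maxim’s two answers above (turn on Object Access auditing, then read the resulting audit-failure events) on Vista/Win7. It assumes an elevated prompt and that the add-on restricting the devices has put a SACL on its device objects that audits denied opens; without such a SACL the Object Access category records nothing for them, and on XP the event IDs and `Get-WinEvent` are not available.

```powershell
# Added example (not from the thread). Assumes: elevated prompt, Vista/Win7,
# and device objects that carry an audit SACL for failed access.

# 1. Enable the Object Access category, the same setting as
#    Local Security Policy / Audit / Object Access.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 2. Event 4656 = "A handle to an object was requested". Keep only the
#    audit-failure instances, i.e. opens that were denied by the ACL.
$failureKeyword = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -ErrorAction SilentlyContinue |
    Where-Object { ($_.Keywords -band $failureKeyword) -ne 0 }

# 3. Reduce each event to who / which process / which object. Device objects
#    show up in ObjectName under the \Device\ namespace.
function Get-DeniedDeviceOpens {
    param([System.Diagnostics.Eventing.Reader.EventRecord[]]$Records)
    foreach ($e in $Records) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -like '\Device\*') {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process    = $data['ProcessName']
                Object     = $data['ObjectName']
                AccessMask = $data['AccessMask']
            }
        }
    }
}

Get-DeniedDeviceOpens -Records $events | Format-Table -AutoSize
```

Success audits (handles that were granted) use the same event ID with the AuditSuccess keyword, so the filter can be widened if the add-on also wants to see permitted opens.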

> filter driver that would monitor for the words “Falun Gong” and garble the packets, what then?

In the history of China, movements similar to Falun Gong created civil wars with a death toll of up to 1/3 of the population - like the “yellow band” civil war and so on.

Also try replacing “Falun Gong” with “Khmer Rouge” or “Sendero Luminoso”, or “Al-Qaeda”. A simple sed-style (s/first/second/g) replacement, but it changes the connotations a lot.

Such political questions have no 100% simple answers.

> happen” we have an ethical obligation

Let’s declare the ACLs in Windows unethical? :slight_smile:


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Be a good citizen with a sack full of daallaaars and then we know power of freedom. Unfortunately, lots and lots of places where questioning what is the end result or end game is not taken lightly.

IMO, those who are real hackers don’t come around here for creating malware - Sherlock Holmes!

-pro


> Also try replacing “Falun Gong” with “Khmer Rouge” or “Sendero Luminoso”

Wait… you’re equating “Falun Gong” (a quasi-religious/spiritual group) with The Khmer Rouge (universally acknowledged purveyors of genocide)?

And you’d equate EITHER of these with Sendero Luminoso (a highly controversial – and mostly disliked – Maoist political movement that often engaged in brutal practices, but nothing even remotely close to Khmer-style genocide)?

So, yeah… a “sed-style replace” gets you different connotations… but you’ve chosen some seriously non-analogous substitutions, so I’m not sure I understand your point at all.

Peter
OSR

I’ll add recommended reading to Tim’s explanation:
www.osronline.com/downloads/pp_asking.pdf

As for the original question… if the devices are disabled at the PnP level (in the Device Manager), you can’t do much. The standard way an app tries to access such a device is enumeration of available devices and opening them. But a disabled device is not available (the driver isn’t even loaded) so it won’t be enumerated and nobody will try to access it. Theoretically, you could check for an attempt to enumerate a specific device interface, but it can be very easily circumvented: an app can just enumerate everything and do the filtering internally.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Friday, February 05, 2010 8:05 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Access to disabled devices