controlling read/write to specific devices

I am trying to implement device control capability to control read/write access to devices for specific users.

My requirement is to either make a specific device (identified based on some hardware id) read-only or to make all devices of a particular class read-only. We want to control all devices, including those which are seen as disk drives (hot pluggable like USB flash card + hot pluggable with removable media like CD/DVD, floppy drive) in Windows and the ones which do not show up as disk drives (Windows Portable Devices, BlackBerry, mobile phones etc).

To control enable/disable of devices, I am exploring the devcon utility available in the WDK, but it lacks the ability to control read/write access to devices and it also lacks the ability to enable/disable devices for specific users.

I tried implementing an upper class filter driver for various classes (based on the toaster sample in the WDK) and tried setting the FILE_READ_ONLY_DEVICE characteristic while creating the filter device object, but it’s of no use. The USB device can still be written to. I also tried rejecting write requests for the PDO, but no luck.

Any insights into this would be highly appreciated.

Pretty much any time the ‘specific users’ are involved, the best answer is to use the existing security mechanisms to set up ACLs. Even in the case of all devices for a class, if all you’re looking to control is read/write access, this is still the way to go.

It’s what security and ACLs are for.

Good luck,

mm
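Applying a class-wide device object ACL, as an added example that is not from the thread or any poster: it writes the setup class's Security value, which the PnP manager uses when it creates device objects of that class, assuming an elevated prompt; the class GUID and SDDL are illustrative.

```powershell
# Added example (not from the thread). Device setup classes carry a
# "Security" REG_BINARY value under the class key; it holds a self-relative
# security descriptor applied to device objects of that class.
# Requires an elevated prompt. Class GUID and SDDL below are illustrative.

function Get-DeviceClassSecurity {
    param([Parameter(Mandatory)][string]$ClassGuid)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$ClassGuid"
    $bytes = (Get-ItemProperty -Path $key -Name Security -ErrorAction SilentlyContinue).Security
    if (-not $bytes) { return $null }   # no class-wide descriptor configured
    # Parse the binary descriptor and render it as SDDL for inspection
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Set-DeviceClassSecurity {
    param(
        [Parameter(Mandatory)][string]$ClassGuid,
        [Parameter(Mandatory)][string]$Sddl
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$ClassGuid"
    # Convert SDDL into the self-relative binary form the registry value expects
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    Set-ItemProperty -Path $key -Name Security -Value $bytes -Type Binary
}

# Illustrative descriptor (constructed): deny generic write to Users (BU),
# full control for SYSTEM and Administrators, read for Users.
# Deny ACEs are listed first so they are evaluated before the allows.
$sddl = 'D:P(D;;GW;;;BU)(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;BU)'
$classGuid = '{36FC9E60-C465-11CF-8056-444553540000}'   # USB setup class (assumed)

Set-DeviceClassSecurity -ClassGuid $classGuid -Sddl $sddl
Get-DeviceClassSecurity -ClassGuid $classGuid   # read back as SDDL to verify
```

The descriptor is applied when device objects are created, so already-present devices need to be re-enumerated (or the system rebooted) before it takes effect. It governs opens of the device object itself; file I/O to a mounted volume goes through the file system's volume device, so this alone does not make the files on a disk-class device read-only.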

Thank you for responding, MM. I would like to know first how to make devices read-only. Making the device read-only for specific users is not that high a priority for me now.

I am restating the problem again. My requirement is to either make a specific device (identified based on some hardware id) read-only or to make all devices of a particular class read-only.

I tried implementing an upper class filter driver for various classes (based on the toaster sample in the WDK) and tried setting the FILE_READ_ONLY_DEVICE characteristic while creating the filter device object, but it’s of no use. The USB device can still be written to. I also tried rejecting write requests for the PDO, but no luck.

Any insights into this would be highly appreciated.