I am trying to implement a device control capability to control read/write access to devices for specific users.
My requirement is to either make a specific device (identified based on some hardware ID) read-only or to make all devices of a particular class read-only. We want to control all devices, including those which are seen as disk drives in Windows (hot-pluggable, like USB flash cards, and hot-pluggable with removable media, like CD/DVD and floppy drives) and the ones which do not show up as disk drives (Windows portable devices, BlackBerry, mobile phones, etc.).
To control enabling/disabling of devices, I am exploring the devcon utility available in the WDK, but it lacks the ability to control read/write access to devices and it also lacks the ability to enable/disable devices for specific users.
I tried implementing an upper class filter driver for various classes (based on the toaster sample in the WDK) and tried setting the FILE_READ_ONLY_DEVICE characteristic while creating the filter device object, but it’s of no use. The USB device can still be written to. I also tried rejecting write requests for the PDO, but no luck.
Any insights into this would be highly appreciated.