Hi,
I am currently working on an Application/Driver combination for Windows 7. When calling the Application with Admin privileges, access to the device is successfully accomplished. When working in user mode, the CreateFile command fails (ACCESS_DENIED error code). I read some threads and MSDN documents regarding this issue, but to no avail.
Current status:
Inf file ACL:
HKR,DeviceCharacteristics,0x10001,0x100
HKR,Security,"D:P(A;;GA;;;SY)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)"
CreateFile syntax:
//buffer=?\.\DeviceName
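HANDLE hKthp = ::CreateFile( buffer,       // device path
    GENERIC_READ | GENERIC_WRITE,          // desired access
    FILE_SHARE_READ,                       // share mode
    NULL,                                  // default security attributes
    OPEN_EXISTING,                         // the device must already exist
    FILE_ATTRIBUTE_NORMAL,                 // flags and attributes
    NULL);                                 // no template file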
The driver currently uses DeviceIoControl with read and write permissions.
Is it possible to access the device in such way, without being an Administrator?
Thanks in advance
Guy
I use this successfully. I think it was from Doron’s blog:
"D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)"
This discretionary ACL:
* Deny access to Built-in Guests
* Deny access to Anonymous Logon
* Allow read/write/execute to Authenticated Users
* Allow full control to Administrators
Thomas F. Divine
http://www.rawether.net
From:
Sent: Wednesday, November 25, 2009 2:12 PM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] CreateFile - access denied issue in user mode
Thanks, I will update the INF file.
What is the best way to actually see the ACL permissions for the installed driver? I am not sure that the ACL line in the INF is properly installed on the target.
Thanks again.
Guy
You can use WinObj (from Sysinternals) to check your device’s DACL.
–
Kris
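Added example, not part of any post in this thread: a small Python decoder for the two SDDL strings quoted above, which lists each ACE and walks them in order for a requested GENERIC_READ | GENERIC_WRITE. The token group sets and the simplified rights model (generic bits only, no object-specific mapping) are assumptions made for the illustration.

```python
import re

RIGHTS = {"GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
RIGHTS["GA"] = RIGHTS["GR"] | RIGHTS["GW"] | RIGHTS["GX"]  # simplification: GA = GR|GW|GX
SIDS = {"SY": "Local System", "WD": "Everyone", "RC": "Restricted Code", "BG": "Built-in Guests",
        "AN": "Anonymous Logon", "AU": "Authenticated Users", "BA": "Built-in Administrators"}

def parse_dacl(sddl):
    """Return [(ace_type, ace_flags, mask, sid), ...] for the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        mask = 0
        for code in re.findall("..", rights):
            mask |= RIGHTS[code]
        aces.append((ace_type, re.findall("..", flags), mask, sid))
    return aces

def access_check(sddl, token_sids, desired):
    """Walk the ACEs in order; True only if every desired bit ends up granted."""
    remaining = desired
    for ace_type, flags, mask, sid in parse_dacl(sddl):
        if sid not in token_sids or "IO" in flags:  # inherit-only ACEs do not apply
            continue
        if ace_type == "D" and mask & remaining:
            return False  # a matching deny ACE ends the check
        if ace_type == "A":
            remaining &= ~mask
            if not remaining:
                return True
    return False  # anything no ACE granted is denied

def describe(sddl):
    """One readable line per ACE, for example 'allow GR+GW+GX -> Everyone'."""
    out = []
    for ace_type, _flags, mask, sid in parse_dacl(sddl):
        names = "+".join(n for n in ("GR", "GW", "GX") if mask & RIGHTS[n])
        out.append(f"{'allow' if ace_type == 'A' else 'deny'} {names} -> {SIDS.get(sid, sid)}")
    return out

INF_SDDL = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)"  # from the first post
REPLY_SDDL = "D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)"  # from the reply
WANT = RIGHTS["GR"] | RIGHTS["GW"]  # GENERIC_READ | GENERIC_WRITE, as in the CreateFile call
USER, GUEST = {"WD", "AU"}, {"WD", "BG"}  # constructed tokens (assumed group memberships)
if __name__ == "__main__":
    for s in (INF_SDDL, REPLY_SDDL):
        print(describe(s), access_check(s, USER, WANT), access_check(s, GUEST, WANT))
```

In this simplified model both strings grant the requested access to the constructed standard-user token, so the string to compare against is the DACL actually present on the device object, which WinObj displays.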
Hi,
A few more questions:
- The driver I am developing is built on the NDIS 5.1 API, for a USB device.
Is it possible that the INF instruction (added below) is ignored and takes no effect?
HKR,DeviceCharacteristics,0x10001,0x100
HKR,Security,"D:P(A;;GA;;;SY)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)"
- Since NdisMRegisterDevice is used, I cannot add the security line directly, so I tried to add it using "ZwSetSecurityObject". However, trying to do so results in collisions between inherited header files. If someone has done it before, advice is more than welcome.
- The driver interface supports IRP_MJ_CREATE and IRP_MJ_WRITE. Is it possible for a non-elevated user to call these handlers?
Thanks.
Guy