DeviceIoControl from user mode?

NTFSD Folk:

This should be simple but I’m stuck: How can you use DeviceIoControl from
user mode?

I have a FSD that creates a normal \DosDevices\driver for the Control Device
Object during DeviceEntry. I can do DeviceIoControl to/from it just fine
when administrator, but a non-privileged user can’t (“Access denied”). I
get the same thing with filespy. No luck searching documentation or OSR
site. (I’m on XP SP2).

Is there some trick? Is it not possible? Am I just dumb? ;-(

Ken

Try IoCreateDeviceSecure. A useful library function provided in latest
DDKs.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


That looks like a great starting place – thanks!

Ken


The I/O Manager will check access for a given IOCTL, depending upon
which rights are encoded within the IOCTL.

Is this a problem you see with a SPECIFIC IOCTL value? If so, can you
tell us the value?

Or is the problem OPENING the control device? If the latter, what kind
of file system? What is the ACL on the file system (use one of the
object manager walkers to look at the security on your control device
object). The I/O Manager applies different ACLs to different devices.
You may need to change that ACL or explicitly indicate the ACL using
IoCreateDeviceSecure as Max suggests.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
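
Added example, not part of the thread or of any poster's driver: a portable C model of the per-IOCTL access check Tony describes, where the required rights are read from bits 15-14 of the control code and compared with the access the handle was opened with. The CTL_CODE layout and FILE_* values are the standard ones from the Windows headers; the IOCTL_DEMO_* codes and the helper names ioctl_decode and ioctl_allowed are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard values from the Windows headers (devioctl.h / winnt.h). */
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u       /* required-access bits inside an IOCTL */
#define FILE_WRITE_ACCESS   2u
#define FILE_READ_DATA      0x0001u  /* rights granted to the handle at open */
#define FILE_WRITE_DATA     0x0002u
#define FILE_DEVICE_UNKNOWN 0x22u
#define METHOD_BUFFERED     0u
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))

/* Hypothetical control codes for an imaginary control device object. */
#define IOCTL_DEMO_PING       CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DEMO_GET_STATS  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_DEMO_SET_POLICY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, \
                                       FILE_READ_ACCESS | FILE_WRITE_ACCESS)

typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

/* Split a 32-bit control code into its four fields. */
ioctl_fields ioctl_decode(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Model of the check: 1 if a handle opened with `granted` may send `code`. */
int ioctl_allowed(uint32_t code, uint32_t granted) {
    uint32_t need = ioctl_decode(code).access;
    if ((need & FILE_READ_ACCESS) && !(granted & FILE_READ_DATA)) return 0;
    if ((need & FILE_WRITE_ACCESS) && !(granted & FILE_WRITE_DATA)) return 0;
    return 1;
}

int main(void) {
    uint32_t codes[] = { IOCTL_DEMO_PING, IOCTL_DEMO_GET_STATS, IOCTL_DEMO_SET_POLICY };
    for (int i = 0; i < 3; i++)   /* handle opened for read only */
        printf("0x%08X fn=0x%03X access=%u read-only handle: %s\n",
               (unsigned)codes[i], (unsigned)ioctl_decode(codes[i]).function,
               (unsigned)ioctl_decode(codes[i]).access,
               ioctl_allowed(codes[i], FILE_READ_DATA) ? "allowed" : "denied");
    return 0;
}
```

Once the control device's ACL lets unprivileged users open it, these access bits are what separates read-only callers from callers that can change driver state; a code declared FILE_ANY_ACCESS is reachable from any handle that opens successfully.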


Tony:

Yes, it’s the open (CreateFile) of the CDO that fails. Actually, the
documentation for CreateFile explicitly says that “The caller must have
administrative privileges” if you use the CreateFile function to open a
physical disk drive or a volume. Since the CDO device name is something
like “\DosDevices\SomeDriver”, that applies.

I’m going to look into using IoCreateDeviceSecure, but that’s not available
on Win2K. (Anyone know if it will become available with the fix for Win2K
that includes IoCreateFileSpecifyDeviceObjectHint?) But if CreateFile
doesn’t check the ACL and just fails if it’s a physical device, that may not
help.

I’ll let you know if it works. Thanks for the help.

Ken


Yep, using IoCreateDeviceSecure allows unprivileged users to open the CDO
and do DeviceIoControl operations.

Not sure of a workaround for Win2K, though – maybe setting a DACL
explicitly when it’s created? I’ll look into it…

Thanks,
Ken


> Not sure of a workaround for Win2K, though – maybe setting a DACL
> explicitly when it’s created? I’ll look into it…

Exactly.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi,

in my IFSKit the function IoCreateDeviceSecure is implemented in a lib and
works fine in W2K drivers.

Regards,
Detlef


Really? The documentation is pretty explicit:

This routine is not part of the operating system. Drivers can use the
routine by linking to wdmsec.lib. (The wdmsec.lib library first shipped with
the Windows XP Service Pack 1 (SP1) and Windows Server 2003 editions of the
DDK.)

Have you actually run it in a Win2K system? If so, that’d be great
(although the docs would need updating).

Ken


Yep, you can create W2K drivers with the XP SP1 kit and you can link this
driver against wdmsec.lib which is in the W2K lib directory. I do this all
the day.

Regards,
Detlef


Excellent – thanks!

Ken
