My understanding is that one can use the Service Control Manager APIs to
install a driver as a non-admin user.
Is there anything an admin could do to prevent such a thing? For
example, could the admin set some registry key or install some sort of
program that blocks this?
Also, I hear future Windows versions will have some kind of “kiosk” mode
that prevents all drivers (perhaps applications???) from being
installed. Is this true? Anybody know of any documentation on this?
Any and all information would be greatly appreciated!
Jonny L.
The service control manager requires admininstative priviledges to create a
service, and this model is only used for legacy drivers. PNP driver
intstalls also require administrator, so this should not be a concern.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
“Jonny Larson” wrote in message news:xxxxx@ntdev…
> My understanding is that one can use the Service Control Manager APIs to
> install a driver as a non-admin user.
>
> Is there anything an admin could do to prevent such a thing? For
> example, could the admin set some registry key or install some sort of
> program that blocks this?
>
> Also, I hear future Windows versions will have some kind of “kiosk” mode
> that prevents all drivers (perhaps applications???) from being
> installed. Is this true? Anybody know of any documentation on this?
>
> Any and all information would be greatly appreciated!
>
> Jonny L.
>
>
>
>
Hi Jonny,
On Wed, 2004-08-04 at 12:55, Jonny Larson wrote:
My understanding is that one can use the Service Control Manager APIs to
install a driver as a non-admin user.
You have to be administrator, or you have to have administrative
privileges assigned to you by an administrator. A normal user account
cannot install drivers. The PSDK docs for OpenSCManager have more info
on this.
Also, I hear future Windows versions will have some kind of “kiosk” mode
that prevents all drivers (perhaps applications???) from being
installed. Is this true? Anybody know of any documentation on this?
Existing versions of Windows do this now, in the sense that a
non-privileged user cannot install drivers. If you run NTFS and twiddle
disk permissions, and maybe run a different shell (not explorer.exe,
unless there is a config option for this), you can prevent nearly
anything.
What type of driver are you worried about?
-sd
IIRC only users with Load/Unload Device Drivers privilege can do this. This
is how PnP understands the notion of “admin” for flexibility (not tied to
particular account).
By default, this privilege is owned by admins only.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Jonny Larson”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, August 04, 2004 9:55 PM
Subject: [ntdev] Driver install and security
> My understanding is that one can use the Service Control Manager APIs to
> install a driver as a non-admin user.
>
> Is there anything an admin could do to prevent such a thing? For
> example, could the admin set some registry key or install some sort of
> program that blocks this?
>
> Also, I hear future Windows versions will have some kind of “kiosk” mode
> that prevents all drivers (perhaps applications???) from being
> installed. Is this true? Anybody know of any documentation on this?
>
> Any and all information would be greatly appreciated!
>
> Jonny L.
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com