Driver loading under non-admin accounts

NTDEV
1

Hi *,

could somebody please explain under which circumstances can a device driver be loaded under non-administrative account in Windows 2000/XP?

For example, KB article Q219435 ( http://support.microsoft.com/?kbid=219435 ) states that “Non-administrative level users require no additional permissions to
install or uninstall device drivers if the device is supported hardware with a Plug and Play device ID to driver match.”

But what exactly is “supported hardware”? And does the account still need the “Load/Unload drivers” privilege granted then?

Basically, what I’d need is a comprehensive list of conditions that need to be met for a driver to be able to load under arbitrary account (no
matter who’s logged on) - if this is possible at all.

Thanks

2

Drivers for the fully formed PnP devnodes are loaded automatically by the OS itself.
If the devnode is not fully formed, then PnP tries to find the proper INF/binary by the service and install it. If this succeeds - then no admin is required. The INF/binaries are preinstalled to the OS by SetupCopyOEMInf.
If the installation wants to show UI (this includes the unsigned driver warning) - then it is delayed till admin logs on.

So, admin is required if a) there is no preinstalled INF/drivers in the OS (and you must be an admin to preinstall them) OR b) if the driver is not digitally signed.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Petr Kurtin
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Thursday, July 07, 2005 3:51 PM
Subject: [ntdev] Driver loading under non-admin accounts

Hi *,

could somebody please explain under which circumstances can a device driver be loaded under non-administrative account in Windows 2000/XP?

For example, KB article Q219435 ( http://support.microsoft.com/?kbid=219435 ) states that “Non-administrative level users require no additional permissions to
install or uninstall device drivers if the device is supported hardware with a Plug and Play device ID to driver match.”

But what exactly is “supported hardware”? And does the account still need the “Load/Unload drivers” privilege granted then?

Basically, what I’d need is a comprehensive list of conditions that need to be met for a driver to be able to load under arbitrary account (no
matter who’s logged on) - if this is possible at all.

Thanks

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

3

Thanks for your answer.
Forgive my ignorance, but what exactly is a fully formed PnP devnode?

Also, did I understand you correctly that for “not filly formed” devnodes,
it is impossible to load the driver unless it has been previously installed
on the target system (by an Administrator)?

Or, let me ask differently: is it somehow possible to create a
hardware/driver
combo that would let us, upon attaching the device to an arbitrary machine
(without admin rights), load the driver for it?

Namely, I’m talking about a USB device here.

Thanks.

“Maxim S. Shatskih” wrote in message news:xxxxx@ntdev…
Drivers for the fully formed PnP devnodes are loaded automatically by the OS itself.
If the devnode is not fully formed, then PnP tries to find the proper INF/binary by the service and install it. If this succeeds - then no admin is required. The INF/binaries are preinstalled to the OS by SetupCopyOEMInf.
If the installation wants to show UI (this includes the unsigned driver warning) - then it is delayed till admin logs on.

So, admin is required if a) there is no preinstalled INF/drivers in the OS (and you must be an admin to preinstall them) OR b) if the driver is not digitally signed.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Petr Kurtin
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Thursday, July 07, 2005 3:51 PM
Subject: [ntdev] Driver loading under non-admin accounts

Hi *,

could somebody please explain under which circumstances can a device driver be loaded under non-administrative account in Windows 2000/XP?

For example, KB article Q219435 ( http://support.microsoft.com/?kbid=219435 ) states that “Non-administrative level users require no additional permissions to
install or uninstall device drivers if the device is supported hardware with a Plug and Play device ID to driver match.”

But what exactly is “supported hardware”? And does the account still need the “Load/Unload drivers” privilege granted then?

Basically, what I’d need is a comprehensive list of conditions that need to be met for a driver to be able to load under arbitrary account (no
matter who’s logged on) - if this is possible at all.

Thanks


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

4

Legacy drivers are loaded based upon information in the registry. If
you wish to write a record into the registry *and* update the Service
Control Manager (SCM) simultaneously, this must be done by an account in
the “Administrators” group. If you merely wish to install and start the
driver, you may do this with any account that has write permission into
the Services key of the registry and LoadDriver privilege - in this
case, write the entries in the registry and call ZwLoadDriver. Plug and
Play drivers wouldn’t have these issues because the configuration (and
SCM interactions) are managed by the PnP components.

While the SCM hard codes the explicit name of the Administrators group
in its interface ACL (a security bug as far as I’m concerned, but I
believe this is rectified in Longhorn), this is not a general OS
principle. Indeed, one of the first things one does when hardening a
system is to take all standard accounts and remove any rights and
privileges assigned to them. Then, if someone successfully compromises
these accounts the worst that happens is they end up with a fairly
useless account.

People are used to saying “this must be done in the Administrator
account” because the default configuration allows the Administrator
account to perform those tasks. But this ignores the fact that systems
can be configured rather differently - and for controlled (and/or
hostile) environments.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http:/www.osr.com

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Petr Kurtin
Sent: Saturday, July 09, 2005 5:10 PM
To: ntdev redirect
Subject: Re:[ntdev] Driver loading under non-admin accounts

Thanks for your answer.
Forgive my ignorance, but what exactly is a fully formed PnP devnode?

Also, did I understand you correctly that for “not filly formed”
devnodes,
it is impossible to load the driver unless it has been previously
installed
on the target system (by an Administrator)?

Or, let me ask differently: is it somehow possible to create a
hardware/driver
combo that would let us, upon attaching the device to an arbitrary
machine
(without admin rights), load the driver for it?

Namely, I’m talking about a USB device here.

Thanks.

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntdev…

Drivers for the fully formed PnP devnodes are loaded
automatically by the OS itself.

If the devnode is not fully formed, then PnP tries to find
the proper INF/binary by the service and install it. If this succeeds -
then no admin is required. The INF/binaries are preinstalled to the OS
by SetupCopyOEMInf.

If the installation wants to show UI (this includes the
unsigned driver warning) - then it is delayed till admin logs on.

So, admin is required if a) there is no preinstalled
INF/drivers in the OS (and you must be an admin to preinstall them) OR
b) if the driver is not digitally signed.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----

From: Petr Kurtin mailto:xxxxx

Newsgroups: ntdev

To: Windows System Software Devs Interest List
mailto:xxxxx

Sent: Thursday, July 07, 2005 3:51 PM

Subject: [ntdev] Driver loading under non-admin accounts

Hi *,

could somebody please explain under which circumstances
can a device driver be loaded under non-administrative account in
Windows 2000/XP?

For example, KB article Q219435 (
http://support.microsoft.com/?kbid=219435
http: ) states that
“Non-administrative level users require no additional permissions to
install or uninstall device drivers if the device is
supported hardware with a Plug and Play device ID to driver match.”

But what exactly is “supported hardware”? And does the
account still need the “Load/Unload drivers” privilege granted then?

Basically, what I’d need is a comprehensive list of
conditions that need to be met for a driver to be able to load under
arbitrary account (no
matter who’s logged on) - if this is possible at all.

Thanks


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown
lmsubst tag argument: ‘’
To unsubscribe send a blank email to
xxxxx@lists.osr.com


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com</http:></mailto:xxxxx></mailto:xxxxx>

5

In this context, “fully formed” means - the driver reference is resolved and is written to the registry.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Petr Kurtin
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Sunday, July 10, 2005 1:09 AM
Subject: Re:[ntdev] Driver loading under non-admin accounts

Thanks for your answer.
Forgive my ignorance, but what exactly is a fully formed PnP devnode?

Also, did I understand you correctly that for “not filly formed” devnodes,
it is impossible to load the driver unless it has been previously installed
on the target system (by an Administrator)?

Or, let me ask differently: is it somehow possible to create a
hardware/driver
combo that would let us, upon attaching the device to an arbitrary machine
(without admin rights), load the driver for it?

Namely, I’m talking about a USB device here.

Thanks.

“Maxim S. Shatskih” wrote in message news:xxxxx@ntdev…
Drivers for the fully formed PnP devnodes are loaded automatically by the OS itself.
If the devnode is not fully formed, then PnP tries to find the proper INF/binary by the service and install it. If this succeeds - then no admin is required. The INF/binaries are preinstalled to the OS by SetupCopyOEMInf.
If the installation wants to show UI (this includes the unsigned driver warning) - then it is delayed till admin logs on.

So, admin is required if a) there is no preinstalled INF/drivers in the OS (and you must be an admin to preinstall them) OR b) if the driver is not digitally signed.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Petr Kurtin
Newsgroups: ntdev
To: Windows System Software Devs Interest List
Sent: Thursday, July 07, 2005 3:51 PM
Subject: [ntdev] Driver loading under non-admin accounts

Hi *,

could somebody please explain under which circumstances can a device driver be loaded under non-administrative account in Windows 2000/XP?

For example, KB article Q219435 ( http://support.microsoft.com/?kbid=219435 ) states that “Non-administrative level users require no additional permissions to
install or uninstall device drivers if the device is supported hardware with a Plug and Play device ID to driver match.”

But what exactly is “supported hardware”? And does the account still need the “Load/Unload drivers” privilege granted then?

Basically, what I’d need is a comprehensive list of conditions that need to be met for a driver to be able to load under arbitrary account (no
matter who’s logged on) - if this is possible at all.

Thanks


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com