To say the least, this is an interesting problem the OP is trying to solve :-).
It might not be a perfect solution, but it could very well be GOOD ENOUGH.
Seriously, I can understand the folks who are all for robust, well-defined,
well-formed solutions to any and all problems, and that is the way it
should be, but could we have a good-enough solution? I think so.
First, the very fact is that nothing is totally secure, but most daily
business, with honest effort, is pretty darn secure. So …
-
Even if an admin privilege is taken away, is it possible to secure?
That depends on what we are trying to secure, and how hard we are going to make
it for the average user. Drop a laptop from the 20th story and it is not secure; all
gone. But the information would be lost too. By the same paradigm, it could
be made really difficult for someone even to get the admin rights and
reformat the drive, reinstall the OS, etc., etc. But yes, if a kid has the
ability to tear apart a disk, probably it could be reformatted; then another
level could be that if I (the disk) get hacked, can the disk make itself
self-destruct? The answer could be yes :). Sounds like James Bond, does it
not? SO FOR AVERAGE PG-teen folks, it could be good enough if they cannot
reformat the disk.
-
Can we guard some of the folders/registry etc. to make things really
hard to delete by an admin? Yes, it could be done. At least it would be a
fairly hard problem to solve for a fairly smart teen.
-
Then there are other measures to make it hard enough that it is not
interesting for most teens.
Finally, back to the original question: rather than reasoning out the
other way (rationality), could the OP make it unloadable on demand, and make
it not unloadable when need be? I think Dan and Max might have knocked the
detail, and it might be worth a try :-), and I don't know what side effects it
could have in terms of system stability …
The trend of security, privacy, PG-teens and others is going to challenge us
again and again, and most of us already know that Microsoft’s trusted
computing initiative is an example…
Enough babbling.
And I would not try to defend my thoughts :-).
-pro
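The thread's practical conclusion (Ray Trent and Maxim Shatskih, below) is that a NULL DriverUnload only blocks "net stop"; an administrator still removes the driver through the service key, the admin tools, safe mode or a reinstall, so the useful install-time control is to find out whether the child already has admin rights. The script below is an added example, not code from the thread or from the original poster's product: it checks whether the installer is elevated, lists the local accounts that sit in the Administrators group, reads the driver's service key, and prints (without executing) the removal commands an administrator has regardless of the unload routine. The service name 'ParentalFilter' is a hypothetical placeholder; Get-LocalGroupMember assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not code from the thread): install-time admin check and a
# read-only look at how an administrator removes a kernel driver service
# whether or not the driver exposes a DriverUnload routine.
# 'ParentalFilter' is a hypothetical service name used only for illustration.
param([string]$DriverService = 'ParentalFilter')

function Test-IsElevatedAdmin {
    # True when the current process token holds the Administrators role (elevated).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminUsers {
    # Local user accounts that are direct members of Administrators. An installer
    # following Ray Trent's advice would show this list to the parent and offer to
    # demote any account that belongs to a child.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        Select-Object -ExpandProperty Name
}

function Get-DriverServiceState {
    param([Parameter(Mandatory)][string]$Name)
    # A kernel driver is registered under the Services key like any other service.
    # Type 1 = kernel driver; Start 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Name      = $Name
        Type      = $v.Type
        Start     = $v.Start
        ImagePath = $v.ImagePath
        KeyPath   = $key
    }
}

function Show-AdminRemovalPaths {
    param([Parameter(Mandatory)][string]$Name)
    # Every path below is available to an administrator. Only the first one is
    # affected by a missing unload routine. Nothing here is executed.
    @(
        "sc.exe stop $Name                      # refused if the driver has no DriverUnload",
        "sc.exe config $Name start= disabled    # Start=4: driver is not loaded after reboot",
        "sc.exe delete $Name                    # marked for deletion; gone after reboot",
        "Remove-Item -Recurse 'HKLM:\SYSTEM\CurrentControlSet\Services\$Name'   # then reboot",
        "bcdedit /set {current} safeboot minimal  # safe mode loads only SafeBoot\Minimal drivers"
    )
}

if (-not (Test-IsElevatedAdmin)) {
    Write-Warning 'Not running elevated; group and service queries may be incomplete.'
}
Write-Host "Local accounts in Administrators: $((Get-LocalAdminUsers) -join ', ')"
$state = Get-DriverServiceState -Name $DriverService
if ($state) { $state | Format-List } else { Write-Host "No service key for $DriverService" }
Show-AdminRemovalPaths -Name $DriverService
```

Run it from an elevated Windows PowerShell prompt; it changes nothing on the machine. The point of Show-AdminRemovalPaths is that four of the five commands never reach the driver's unload routine at all: they act on the registry or the boot configuration and take effect on the next reboot, which is exactly why the thread treats an admin-privileged child as outside the driver's threat model.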
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Ray Trent
Sent: Wednesday, July 07, 2004 1:06 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] DriverUnload question
Well, that should stop them for about 10 seconds.
Seriously, if the kid is knowledgeable and admin-privileged, there are
lots of easier and more obvious ways to remove a driver (like, say,
removing the services key and rebooting, or disabling the service in the
admin tools and rebooting, or… etc. ). “net stop” is so antiquated
these days that I doubt a majority of savvy computer users even know it
exists.
You’d be a lot better off detecting that the kids have admin privs
during installation and alerting the parents to that obviously
bone-headed configuration (and offering to fix it, of course, since the
parents probably can’t :-).
Assuming the kids lack the hacking skills needed for privilege
elevation, that should stop them for as long as it takes to reformat the
hard drive and reinstall Windows, so maybe a couple of hours.
Ceri Coburn wrote:
Hi,
I’m not looking for an impossible solution; just want to make it harder
for knowledgeable kids to remove the driver.
Michal,
You mentioned NULLifying the unload handler; this is great, except how
would you then set the driver unload again during the running cycle of
the driver so that the driver can then be properly unloaded?
Thanks
Ceri
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S.
Shatskih
Sent: 03 July 2004 17:08
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] DriverUnload question
If the smart kid will have admin rights, then there is no way of
protection. You can protect some files by things like PGPDisk, but not the
system or IE’s settings.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
“Tzvetan Mikov” wrote in message
> news:…
>
>>Even if it could work, couldn’t a smart kid just reboot in safe mode and
>>delete the driver, or edit the registry? Maybe you should make it a boot
>>driver?
>>
>>-tzvetan
>>
>>“Ceri Coburn” wrote in message
>>news:xxxxx@ntdev…
>>
>>So there is no way to get this to work then?
>>
>>-----Original Message-----
>>From: xxxxx@lists.osr.com
>>[mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
>>Sent: 02 July 2004 16:14
>>To: Windows System Software Devs Interest List
>>Subject: RE: [ntdev] DriverUnload question
>>
>>IIRC, if this is an NT4-style driver, unload is called while there are
>>still device objects that the driver created, and it is up to the driver
>>to delete them before returning from unload. Bumping a ref count won’t
>>help here if that is the case.
>>
>>d
>>
>>-----Original Message-----
>>From: xxxxx@lists.osr.com
>>[mailto:xxxxx@lists.osr.com] On Behalf Of Ceri Coburn
>>Sent: Friday, July 02, 2004 7:55 AM
>>To: Windows System Software Devs Interest List
>>Subject: RE: [ntdev] DriverUnload question
>>
>>Hi,
>>
>>Ah I see. OK. Thanks very much for your help.
>>
>>Ceri
>>
>>-----Original Message-----
>>From: xxxxx@lists.osr.com
>>[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
>>Sent: 02 July 2004 15:53
>>To: Windows System Software Devs Interest List
>>Subject: Re:[ntdev] DriverUnload question
>>
>>No, call ObReferenceObject/ObDereferenceObject with a pointer to your device
>>object. This will effectively disable the unload routine, since the system
>>will see the device in use.
>>
>>
>>–
>>Don Burn (MVP, Windows DDK)
>>Windows 2k/XP/2k3 Filesystem and Driver Consulting
>>
>>
>>“Ceri Coburn” wrote in message
>>news:xxxxx@ntdev…
>>Hi,
>>
>>So essentially I would call IoGetAttachedDeviceReference to increment
>>the reference count by one, and then when I want to allow removal of the
>>device I would call ObDereferenceObject to decrement the reference count,
>>allowing the removal of the driver.
>>
>>Is this what you meant?
>>
>>Thanks,
>>Ceri
>>
>>-----Original Message-----
>>From: xxxxx@lists.osr.com
>>[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
>>Sent: 02 July 2004 15:35
>>To: Windows System Software Devs Interest List
>>Subject: Re:[ntdev] DriverUnload question
>>
>>Ok, to disable calling of unload, have your driver up the reference count
>>to the device you create. This will effectively lock out calling unload,
>>since the system knows the device is in use.
>>
>>
>>–
>>Don Burn (MVP, Windows DDK)
>>Windows 2k/XP/2k3 Filesystem and Driver Consulting
>>
>>
>>
>>“Ceri Coburn” wrote in message
>>news:xxxxx@ntdev…
>>The trouble is that we are developing software for parents to protect
>>their kids, and as we all know kids these days are very adept when it
>>comes to computers, and most parents would not realise that their own
>>children have administrative privileges. The driver is not a WDM driver,
>>so I cannot respond to QUERY_REMOVE, so I was just wondering if it is at
>>all possible.
>>
>>If there are instability problems related to this then we would
>>obviously have to consider them.
>>
>>Thanks
>>Ceri
>>
>>-----Original Message-----
>>From: xxxxx@lists.osr.com
>>[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
>>Sent: 02 July 2004 15:21
>>To: Windows System Software Devs Interest List
>>Subject: Re:[ntdev] DriverUnload question
>>
>>This is a bad idea. You should be able to unload a driver at any time;
>>the system provides enough security that only someone with the correct
>>permissions can unload a driver. If this is a WDM driver there is
>>typically not a lot to do in unload anyway. Note if it is an unload
>>routine, you can fail query remove so that you do not get unloaded
>>(unless a surprise remove occurs).
>>
>>–
>>Don Burn (MVP, Windows DDK)
>>Windows 2k/XP/2k3 Filesystem and Driver Consulting
>>
>>“Ceri Coburn” wrote in message
>>news:xxxxx@ntdev…
>>Hi,
>>
>>Is there a way I can set the DriverUnload routine dynamically so that
>>the driver itself can decide whether it is able to be unloaded or not?
>>
>>So essentially I will not set the Unload routine in DriverEntry, to
>>prevent the driver removal using net stop, but then later in the driver
>>somewhere I can update the DRIVER_OBJECT somehow to then allow net stop
>>to work.
>>
>>Many thanks
>>Ceri
>>
>>
>>
>>This email has been scanned by the MessageLabs Email Security System.
>>For more information please visit http://www.messagelabs.com/email
>>
>>
>>
>>
>>—
>>Questions? First check the Kernel Driver FAQ at
>>http://www.osronline.com/article.cfm?id=256
>>
>>You are currently subscribed to ntdev as: xxxxx@first4internet.co.uk
>>To unsubscribe send a blank email to xxxxx@lists.osr.com
–
…/ray..
Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.