FilterLoad fails with ACCESS DENIED

I have a user-mode service from which I need to load my minifilter driver on demand. I call the FilterLoad API and it fails with error ACCESS DENIED. I am unable to figure out what privileges/rights the user (under which the service is running) needs. The service is running under a user that is NOT an administrator on the local machine and has a couple of privileges, including “Load and unload device drivers”, set using the Security Policy editor. Does FilterLoad require the user to have any additional privileges/rights?

Could you run with ProcMon and see if anything fails (I expect something in the registry) when your process tries to load a filter?

Thanks,
Alex.

Alex,

Looked at ProcMon, and there is no error seen in ProcMon, not even anything related to the registry. Btw, the Windows version that I am using is Windows 2012 Beta.

Murtaza

Murtaza,

Is your driver only test-signed? I’ve found that on WS 2012 I can only load my on-demand driver once if it’s test-signed; then I need to reboot before it’ll load again.

Keith

Hi Keith,

I am running with a debugger attached, so signing checks will not happen. And my driver is not signed (it’s an internal test version). The access denied error makes me believe that there is something more that the FilterLoad API needs.

Since the user I run under is NOT an administrator, I can’t run the command fltmc load/unload under that user. Does FilterLoad have anything to do with that? Internally, fltmc would also be calling FilterLoad, right?

~Murtaza

You could try to load the filter using different approaches. You could use “net start” from the command line or you could use the Service Control Manager APIs to start the filter. This assumes that you have the driver installed but not started, which is also what FilterLoad expects.

FilterLoad doesn’t do much besides talking to FltMgr to tell it to call ZwLoadDriver for the filter. Perhaps it’s only the communication bit (opening a communication channel to FltMgr) that you can’t do because of permissions (I don’t recall exactly what permissions FltMgr’s control device requires). In this case the method I suggested (using the Service Control Manager) should work fine.

Thanks,
Alex.

Hi Alex,

SCM APIs also fail with the same error code. That is what we were using initially, and then we moved to FilterLoad, which also fails :(

The OpenService call with the filter name fails with ACCESS DENIED. The access right I ask for is SERVICE_START. Btw, if I modify the security descriptor of the service control object for the filter by adding the service user’s SID to its ACEs, the SCM APIs work. But that is something we do not want to venture into. From the documentation of the FilterLoad function, I hoped that it would work without giving explicit permissions to the service user.

Does anyone know what the “Load and unload device drivers” privilege under User Rights Assignment means? What additional privileges does my service user need to be able to call FilterLoad successfully? Anyone from Microsoft listening?
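The check a practitioner would want at this point, as an added example that is not part of the thread and not Murtaza’s or Alex’s code: OpenService(…, SERVICE_START) is an object access check against the service’s own DACL, so it is decided by the ACEs on the service control object, not by privileges such as “Load and unload device drivers” (SeLoadDriverPrivilege). The script below reads the service’s security descriptor with sc.exe sdshow, parses it, and reports whether a given account has an ACE granting SERVICE_START (0x10) or SERVICE_STOP (0x20). It also builds, without applying it, the amended SDDL that the workaround described above would need. The service name MyMiniFilter and the account CONTOSO\svc-filter are placeholders; the check is a direct-ACE lookup, not a full effective-access calculation over token groups.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, and that the current user can read the service's
# security descriptor (the default service DACL grants READ_CONTROL to users).

# Service-specific access rights from winsvc.h
$ServiceRights = @{
    SERVICE_QUERY_CONFIG         = 0x0001
    SERVICE_CHANGE_CONFIG        = 0x0002
    SERVICE_QUERY_STATUS         = 0x0004
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008
    SERVICE_START                = 0x0010   # what OpenService(..., SERVICE_START) checks
    SERVICE_STOP                 = 0x0020   # needed for the unload path
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$ServiceName)
    # sc.exe sdshow prints the SDDL string (often preceded by a blank line)
    $out  = & sc.exe sdshow $ServiceName 2>&1
    $sddl = $out | ForEach-Object { $_.ToString().Trim() } |
            Where-Object { $_ -like 'D:*' } | Select-Object -First 1
    if (-not $sddl) { throw "sc.exe sdshow $ServiceName failed: $($out -join ' ')" }
    return $sddl
}

function Test-ServiceAccessRight {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account,     # e.g. 'CONTOSO\svc-filter' (placeholder)
        [ValidateSet('SERVICE_START','SERVICE_STOP')][string]$Right = 'SERVICE_START'
    )
    $mask = $ServiceRights[$Right]
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor (Get-ServiceSddl $ServiceName)

    $granted = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier -ne $sid) { continue }
        if (($ace.AccessMask -band $mask) -eq 0) { continue }
        # Deny ACEs are ordered first in a canonical DACL and win over allows
        if ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessDenied) {
            $granted = $false; break
        }
        if ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed) {
            $granted = $true
        }
    }
    [pscustomobject]@{
        Service = $ServiceName; Account = $Account; Sid = $sid.Value
        Right   = $Right;       DirectAceGrantsRight = $granted; Sddl = $sd.GetSddlForm('All')
    }
}

function New-ServiceSddlWithAce {
    # Returns the SDDL the workaround would apply; does NOT change the service.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account,
        [int]$Mask = ($ServiceRights.SERVICE_START -bor $ServiceRights.SERVICE_STOP)
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor (Get-ServiceSddl $ServiceName)
    $ace = New-Object System.Security.AccessControl.CommonAce(
               [System.Security.AccessControl.AceFlags]::None,
               [System.Security.AccessControl.AceQualifier]::AccessAllowed,
               $Mask, $sid, $false, $null)
    # Append after existing allow ACEs so the DACL stays canonical (denies first)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm('All')
}

# Usage (placeholders):
Test-ServiceAccessRight -ServiceName 'MyMiniFilter' -Account 'CONTOSO\svc-filter' -Right SERVICE_START
$newSddl = New-ServiceSddlWithAce -ServiceName 'MyMiniFilter' -Account 'CONTOSO\svc-filter'
# Applying it requires an administrator and is the step the thread wanted to avoid:
#   sc.exe sdset MyMiniFilter $newSddl
```

In the default service DACL, Interactive Users and Service accounts get only CCLCSWLOCRRC (query, enumerate, interrogate, READ_CONTROL) and no RP (SERVICE_START) or WP (SERVICE_STOP), which is exactly the ACCESS DENIED a non-administrator account sees from OpenService. Whether FilterLoad’s own path fails for the same reason or on FltMgr’s control device is not something this script can tell you; it only settles the SCM side.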