I’m trying to call FilterLoad from the main routine of a service that’s running as a non-privileged user. I found the thread explaining that the SeLoadDriverPrivilege must be GRANTED to the user and that it must also be ENABLED in the context of the service process before the FilterLoad call will be allowed. After granting the privilege to the user through SecPol.msc and using the code posted in the thread to adjust the process token’s privileges accordingly (Thanks Gene), the call to FilterLoad still returns access denied. Running fltmc while logged in interactively as the user returns the same error so I suspect there’s some other privilege that must be granted and subsequently enabled before this will work. Here’s a dump of the privileges granted to the user from the service log file:
04/25 10:39:56.671 PRIVILEGE NAME DISPLAY NAME
04/25 10:39:56.671 -------------- ------------
04/25 10:39:56.687 SeLoadDriverPrivilege Load and unload device drivers
04/25 10:39:56.703 SeChangeNotifyPrivilege Bypass traverse checking
04/25 10:39:56.703 SeShutdownPrivilege Shut down the system
04/25 10:39:56.703 SeUndockPrivilege Remove computer from docking station
04/25 10:39:56.703 SeImpersonatePrivilege Impersonate a client after authentication
04/25 10:39:56.703 SeCreateGlobalPrivilege Create global objects
The thread I refer to above: http://www.osronline.com/showThread.cfm?link=79753
Any ideas what I am missing here in order to load the filter?
Regards,
Greg
I assume that the same filter loads when logged in with admin credentials.
No solution here just some suggestions …
Does your DriverEntry routine get called? It could be that you are returning an error from DriverEntry under some circumstances.
Build and install the minispy example, and see if it loads with those user credentials.
Good Luck,
Derek
----- Original Message ----
From: “xxxxx@gnance.com”
To: Windows File Systems Devs Interest List
Sent: Wednesday, April 25, 2007 11:43:30 AM
Subject: [ntfsd] FilterLoad returns Access Denied (0x80070005) from service
If the FilterLoad call requires access to the Service Control Manager,
this call only works if the account in question is in the Administrators
group (last I checked, the ACL on the SCM interface had a hard-coded
requirement that the caller had to be in the administrators group.)
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
> If the FilterLoad call requires access to the Service Control Manager, this
> call only works if the account in question is in the Administrators group
Is there a way to verify whether or not FilterLoad requires access to
the SCM? If what you’re saying is true it makes a good case for
changing our project requirements and not allowing the service to be
run as a non-administrative user, but I hate to do this if it’s not
absolutely necessary.
> (last I checked, the ACL on the SCM interface had a hard-coded requirement
> that the caller had to be in the administrators group.)
It appears that you’re right assuming it requires access to
CreateService or LockServiceDatabase:
“Only processes with Administrator privileges are able to open handles
to the SCM that can be used by the CreateService and
LockServiceDatabase functions”
(http://msdn2.microsoft.com/en-us/library/ms685981.aspx)
I don’t know enough about the architecture of the Filter Manager to
know whether this is the case or not.
I was considering going through the User Privileges from the Local
Security Policy and assigning/enabling them one at a time to the user
the service is running as until I found a combination that would allow
the FilterLoad call to succeed. It sounds like you’re saying this
isn’t enough and that there may actually be a requirement that the
user be in the Administrators group in spite of the privileges
assigned to it?
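
The two conditions discussed in this thread (SeLoadDriverPrivilege present and enabled in the token, and membership in the Administrators group) can be checked from the same context that calls FilterLoad. The following diagnostic is an added example, not code from any poster in the thread; the function names Get-TokenPrivilegeState and Test-AdministratorsMember are hypothetical.

```powershell
# Added diagnostic, not from the thread. Run it in the same context as the
# code that calls FilterLoad (for a service, under the service account).

function Get-TokenPrivilegeState {
    param([string]$Name = 'SeLoadDriverPrivilege')

    # whoami /priv lists only the privileges present in the current token.
    # /nh drops the (localized) header row, so fixed column names are supplied.
    $rows = whoami.exe /priv /fo csv /nh |
        ConvertFrom-Csv -Header 'Privilege', 'Description', 'State'

    $row = $rows | Where-Object { $_.Privilege -eq $Name }
    if (-not $row) {
        # Not granted to the account, or granted after this logon session
        # started (a user-rights change applies at the next logon).
        return 'NotInToken'
    }

    # 'Enabled' or 'Disabled' on an English system (the text is localized).
    # 'Disabled' means granted but not yet enabled with AdjustTokenPrivileges.
    return $row.State
}

function Test-AdministratorsMember {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators SID is enabled in this token; a
    # UAC-filtered token reports False even for an administrator account.
    return $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Summary of both conditions for the current security context.
[pscustomobject]@{
    Account               = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    SeLoadDriverPrivilege = Get-TokenPrivilegeState
    InAdministrators      = Test-AdministratorsMember
}
```

A result of Enabled together with InAdministrators = False, while FilterLoad still returns 0x80070005, points away from the privilege itself and toward a group-membership or ACL check.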