Flag SL_FORCE_ACCESS_CHECK ?

Valery_Druba · August 27, 2013, 7:56am

Hello,

Does any body knows what does mean flag SL_FORCE_ACCESS_CHECK ?

My mini filter modifies share access and desired access on preCreate
callback.
On Windows Server 2012 driver gets preCreate callback for path
“\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-Obsolete-250.dat”
with pFltData->Iopb->OperationFlags == 5 (SL_FORCE_ACCESS_CHECK |
SL_OPEN_TARGET_DIRECTORY). If driver continues modify access for this
file, I get BSOD with reason “attempt to free block that is already
free.” If I do not modify access for files with SL_FORCE_ACCESS_CHECK,
all works correct.

I afraid to damage a functionality of the driver. Can anybody explain
destination of the flag?

–
Thanks
Valery

OSR_Community_User · August 29, 2013, 3:07pm

SL_FORCE_ACCESS_CHECK tells the drivers examining a create operation to treat the call as if it were from a user mode component.

Kernel resident file servers use this option to ensure that IRP_MJ_CREATE operations are done using the correct security context (the remote client context being impersonated by the calling thread) and not the security context of the local system.

Tony
OSR