Get WRITE_OWNER Access to TrustedInstaller File

Hi,

I’m trying to set the owner of a file currently belonging to TrustedInstaller, but since it’s a \Device* path, I need to do so with the handle rather than the file name (seeing as SetNamedSecurityInfo does not accept \Device\ names).

I can, of course, set myself as the owner from the File Properties dialog.

However, I cannot seem to get a handle to the file with WRITE_OWNER access. My application is running as an administrator and has successfully cleared UAC on Windows 7. It does a million different privileged things, and I’ve tried getting the SE_TAKE_OWNERSHIP_NAME and SeRestorePrivilege beforehand, but to no avail.

It’s the basic ZwOpenFile call (excuse the GetProcAddress wrapper in the code sample, please):

    //First things first: take ownership of destination
    {
        if(!NT_SUCCESS(zwResult = ddk.OpenFilePtr(&hDest, WRITE_OWNER, &objectAttributes, &statusBlock, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
            FILE_NON_DIRECTORY_FILE)))
        {
            CloseHandle(hSource);
            _tprintf_s(_T("Failed to get handle to file %s. Error code: 0x%x.\n\n"), wdest.Buffer, zwResult);
            return -1;
        }
        TakeOwnership(hDest);
    }

It’s always failing with 0xC0000022 (NT_STATUS_ACCESS_DENIED).

Is it not possible to open a handle with WRITE_OWNER permissions prior to changing the owner w/ TrustedInstaller files on Windows 7?

>privileged things, and I’ve tried getting the SE_TAKE_OWNERSHIP_NAME

This works very fine in Win7/R2/2008/Vista if called from user mode.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Why do you want to take ownership of the file?

d

sent from a phpne with no keynoard

-----Original Message-----
From: xxxxx@NeoSmart.net
Sent: May 22, 2010 11:55 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Get WRITE_OWNER Access to TrustedInstaller File


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi Maxim,

What are you referring to when you say “This?”

I’m in user mode, calling the kernel functions directly. I’m not getting far enough to even call SetSecurityInfo because I can’t even retrieve a handle with WRITE_OWNER permissions to the \Device\something file in question.

>Why do you want to take ownership of the file?

Hi Doron,

I’m the author of EasyBCD [1] and I’m finding that the in-built Windows utilities for recreating Windows 7 boot files don’t work. I need to manually delete and re-create bootmgr on the boot drive, and it is protected by the (rather silly, IMHO) TrustedInstaller.

(btw, I don’t get the point of TI ownership if any app can just run takeown and any admin user can just modify the file properties from the Shell.)

Interesting.

If you don’t mind my asking, what problems are you encountering that are causing you to have to recreate ‘bootmgr?’ Mostly, I’m just curious, but I also am wondering because being able to do this reliably MIGHT allow one to install a chk build of the boot components on any otherwise FRE installation, as one used to be able to do easily with NTLDR. I mean, I would assume that simply replacing both loaders with their respective CHK build would work, but I’ve never tried, and I’m wondering what you’ve seen.

As far as TI goes, I too have my doubts about its utility at times, but I’ll say this for it - it beats Windows File Protection, at least, though that’s not really saying much, I guess.

mm

You can install CHK builds of bootmgr on Windows (at least, I did it back with the LH/Vista betas, IIRC). They’re an entirely separate and fairly dependency-free part of the boot process.

Windows setup can sometimes stupidly forget to update bootmgr if you’re installing Windows 7 after Windows Vista, and the Windows Vista bootmgr has problems booting 7 that include outright failure as well as incorrect behavior.

Thanks,

mm

I guess Microsoft has some hard-coded limitations for the TrustedInstaller that make this fail…

I worked around it with a very ugly method: I’m defining a DosDevice for the \Device* path and then using SetNamedSecurityInfo instead.

Thanks all.

Mahmoud Al-Qudsi
Director,
NeoSmart Technologies
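
Added example, not code from any poster in this thread: a simplified, portable C model of the two privilege paths named in the first post (SeTakeOwnershipPrivilege and SeRestorePrivilege), showing when a WRITE_OWNER request against a TrustedInstaller-style DACL comes back as 0xC0000022. The SID ids, structs, function names and the DACL are constructed for illustration; the real check runs in the kernel and covers more cases than this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as defined in the Windows SDK/WDK headers. */
#define WRITE_OWNER                 0x00080000u
#define FILE_READ_EXECUTE           0x001200A9u /* FILE_GENERIC_READ | FILE_GENERIC_EXECUTE */
#define FILE_ALL_ACCESS             0x001F01FFu
#define FILE_NON_DIRECTORY_FILE     0x00000040u
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000u
#define STATUS_SUCCESS              0x00000000u
#define STATUS_ACCESS_DENIED        0xC0000022u

/* Hypothetical stand-ins for SIDs, ACEs and the caller's token. */
enum { SID_TRUSTED_INSTALLER = 1, SID_ADMINISTRATORS, SID_USERS };
typedef struct { bool allow; int sid; uint32_t mask; } Ace;
typedef struct { int sids[2]; bool take_ownership_enabled, restore_enabled; } Token;

/* Constructed DACL shaped like a TrustedInstaller-protected system file. */
static const Ace kDacl[] = {
    { true, SID_TRUSTED_INSTALLER, FILE_ALL_ACCESS },
    { true, SID_ADMINISTRATORS,    FILE_READ_EXECUTE },
    { true, SID_USERS,             FILE_READ_EXECUTE },
};

/* Simplified access check: enabled privileges first, then the DACL in order. */
uint32_t model_open(const Token *t, uint32_t desired, uint32_t open_options)
{
    uint32_t granted = 0, denied = 0;
    if (t->take_ownership_enabled)  /* a held but disabled privilege does not count */
        granted |= WRITE_OWNER;
    if (t->restore_enabled && (open_options & FILE_OPEN_FOR_BACKUP_INTENT))
        granted |= WRITE_OWNER;     /* one of the rights restore confers */
    for (size_t i = 0; i < sizeof kDacl / sizeof kDacl[0]; i++) {
        if (kDacl[i].sid != t->sids[0] && kDacl[i].sid != t->sids[1]) continue;
        if (kDacl[i].allow) granted |= kDacl[i].mask & ~denied;
        else                denied  |= kDacl[i].mask & ~granted;
    }
    return (desired & ~granted) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

/* Elevated administrator requesting WRITE_OWNER, as in the open call quoted in the thread. */
uint32_t admin_write_owner(bool take_own, bool restore, uint32_t open_options)
{
    Token t = { { SID_ADMINISTRATORS, SID_USERS }, take_own, restore };
    return model_open(&t, WRITE_OWNER, open_options);
}
int main(void) { printf("no privilege enabled: 0x%08X\n", (unsigned)admin_write_owner(false, false, FILE_NON_DIRECTORY_FILE)); return 0; }
```

In this model the restore privilege only helps when the open carries FILE_OPEN_FOR_BACKUP_INTENT; with FILE_NON_DIRECTORY_FILE alone, only an enabled take-ownership privilege yields WRITE_OWNER.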