Hi all.
I have been digging about and found that if I want to hide a device from being displayed in the device manager the only way to do this is to modify the IRP->IoStatus.Information field of a IRP_MN_QUERY_PNP_DEVICE_STATE call to set the PNP_DEVICE_DONT_DISPLAY_IN_UI bit. Now this is all well and good but I also read that you can display all devices in the device manager by selecting the “show hidden devices” option from the view menu. Is there any way of stopping individual instances of a particular class of device from being shown in all cases?
The reason for this is I am developing a security based product which uses numerous COM ports. Each port will be assigned a different security level (extracted from a config file at startup). When a user logs onto the machine they are assigned a particular “role” which has a max clearance level and as such I wish to hide the presence of the COM ports that have a higher clearance than that of the role.
I currently have a serialPortFilterDriver that intercepts any read/writes to the COM ports and if the current role doesn’t have the correct clearance the action is blocked.
Any suggestions would be much appreciated.
Steve.
I think you are equating visibility in device manager with the ability for a user to use the device. They are not correlated. Instead of adding a filter, why not just add a security descriptor to the stack that explicitly defines access control? No need for a filter, the I/O manager will enforce the create/read/write semantics you describe below.
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@baesystems.com
Sent: Thursday, March 27, 2008 4:45 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Hiding a device from the device manager.
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Maybe you can call DefineDosDevice to remove visibility of some ports from
usermode, together with your filter driver.
Regards,
--PA
Hmmm, security through obscurity is not real security. If the user is an admin, I can always redefine the name back and then open up the port. What is needed is an ACL on the stack itself, so regardless of what the accessible name is, proper access control is applied.
d
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Pavel A.
Sent: Thursday, March 27, 2008 12:55 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Hiding a device from the device manager.
> Maybe you can call DefineDosDevice to remove visibility of some ports from
> usermode, together with your filter driver.
This doesn’t help to stop the person from accessing the Top Secret COM Port
via its device interface GUID or native name (I can just as easily open
\Device\Serial0 with NtCreateFile).
Doron gave the right answer, just set the ACL appropriately.
-scott
Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com
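The point Doron and Scott make above is that the security descriptor on the device object is checked by the I/O manager at create time, whichever name the caller uses to reach it (a COM symbolic link, a device interface path, or \Device\Serial0 directly), so a per-port DACL replaces both the filter and any attempt at hiding. In a driver the descriptor is applied with IoCreateDeviceSecure (WDM, wdmsec.h) or WdfDeviceInitAssignSDDLString (KMDF), or statically through the INF's AddReg `Security` value. The following Python model is an added example, not code from the thread or from any Microsoft API: it parses the DACL part of an SDDL string of the kind those calls accept and walks the ACEs the way the kernel's access check does (first matching ACE on an outstanding right decides, deny wins when it comes first, anything not granted is refused). The port names, the "Top Secret role" group SID and the SDDL strings are constructed sample data; generic rights are modelled as three bits and owner-implied rights are left out for brevity.

```python
"""Model of the DACL walk the I/O manager performs on IRP_MJ_CREATE.

Added example (not from the thread). Supports a subset of SDDL: the D:
component with A (allow) and D (deny) ACEs, two-letter generic rights or a
hex mask, and a few well-known SID aliases. Owner-implied rights and the
generic-to-specific mapping are simplifications of the real SeAccessCheck.
"""
import re

# Generic rights modelled as three bits; GA is their union.
GR, GW, GX = 1 << 0, 1 << 1, 1 << 2
GA = GR | GW | GX
RIGHT_CODES = {"GA": GA, "GR": GR, "GW": GW, "GX": GX}

# Well-known SDDL aliases that commonly appear in device security strings.
SID_ALIASES = {
    "SY": "S-1-5-18",       # LocalSystem
    "BA": "S-1-5-32-544",   # BUILTIN\Administrators
    "BU": "S-1-5-32-545",   # BUILTIN\Users
    "WD": "S-1-1-0",        # Everyone
    "AU": "S-1-5-11",       # Authenticated Users
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field):
    """Turn an SDDL rights field ('GRGW' or '0x1200a9') into a bit mask."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHT_CODES:
            raise ValueError(f"unsupported right {code!r}")
        mask |= RIGHT_CODES[code]
    return mask


def parse_dacl(sddl):
    """Return (present, aces) for the D: component of an SDDL string.

    present=False means there is no DACL at all, which Windows treats as
    'everyone gets everything'; a present but empty DACL denies everyone.
    """
    m = re.search(r"D:(P?(?:AR)?(?:AI)?)((?:\([^)]*\))*)", sddl)
    if not m:
        return False, []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE ({body})")
        ace_type, _flags, rights, _guid, _iguid, sid = fields
        if ace_type not in ("A", "D"):
            raise ValueError(f"unsupported ACE type {ace_type!r}")
        aces.append((ace_type, parse_rights(rights), SID_ALIASES.get(sid, sid)))
    return True, aces


def access_check(sddl, token_sids, desired):
    """Emulate the kernel's DACL walk for a caller whose token holds token_sids."""
    present, aces = parse_dacl(sddl)
    if not present:
        return True                    # no DACL: unrestricted access
    sids = set(token_sids)
    remaining = desired
    for ace_type, mask, sid in aces:   # ACE order matters, exactly as in the kernel
        if sid not in sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False               # a deny on any still-outstanding right ends it
        if ace_type == "A":
            remaining &= ~mask         # an allow retires the rights it grants
            if remaining == 0:
                return True
    return remaining == 0              # rights nobody granted are refused


# Constructed sample: one SDDL string per clearance level. The domain group
# SID below is a placeholder standing in for the "Top Secret" role.
TOP_SECRET_ROLE = "S-1-5-21-1000-2000-3000-1101"
PORT_SDDL = {
    "COM3_unclassified": "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;BU)",
    "COM4_top_secret": "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;" + TOP_SECRET_ROLE + ")",
}


def can_open(port, token_sids, desired=GR | GW):
    """Would a CreateFile for read/write on this port succeed for this token?"""
    return access_check(PORT_SDDL[port], token_sids, desired)


if __name__ == "__main__":
    users_only = ["S-1-5-32-545", "S-1-1-0"]
    cleared = ["S-1-5-32-545", TOP_SECRET_ROLE]
    for port in PORT_SDDL:
        print(port, "users:", can_open(port, users_only), "cleared:", can_open(port, cleared))
```

Note what the model makes visible: the ordinary user is refused on the top-secret port not by a deny ACE but because no allow ACE ever retires the requested rights, which is why canonical device SDDL strings need only list who may open the device. Administrators (BA) remain in the allow list, matching Doron's remark that an admin can always get at the port anyway; the descriptor controls access rather than pretending the device is absent.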